Firewall Wizards mailing list archives

Re: Passwords (was: Stanford break in)


From: Adam Shostack <adam () homeport org>
Date: Fri, 23 Apr 2004 16:54:54 -0400

On Fri, Apr 23, 2004 at 03:16:56PM -0400, Dana Nowell wrote:
| Disk space is cheap, I can get a 250 GB IDE drive at Best Buy for $180.00
| today.  So 4 drives comes to ~1 TB for $800.  Assuming a 'salt' of two
| printable characters (old Unix password if I remember correctly) that's
| realistically about 10,000 salts in the 'set'.  Assuming a dictionary of
| 12,000,000 'common passwords' of 8 chars or less (100MB) I can precompute
| with the 10,000 'salts' in about 1 TB.  Yeah, 4 250GB drives isn't 1TB
| after formatting and there are probably more than 10K 'salts', so maybe
| it's a 10M 'password' dictionary.  Now what was that you said about
| precompute ;-).
| 
| Bottom line: do NOT, repeat, do NOT put ANY confidence in 'salts' saving
| your A**.  The best defense is to not be in anyone's dictionary in the
| first place.  Pick a password carefully and change it regularly.

Which is not to say that a system shouldn't have salts; they do make
these attacks more expensive, by a factor of about 2^11.  (For a salt
space of A-Za-z0-9, there are 62^2=3844 salts.)

Also, it's worth recalling Tom Perrine and Devin Kowatch's Teracrack work:
http://security.sdsc.edu/publications/teracrack.pdf

Adam
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
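An added worked example, not code from the original thread or from either poster, that makes the precomputation arithmetic above concrete: an attacker's dictionary-times-salts table, a per-salt lookup that only hits when the victim's salt is in the precomputed set, and the storage estimate. It assumes a constructed six-entry dictionary standing in for the "12,000,000 common passwords", a SHA-256 stand-in for crypt(3) (what matters is only that the salt enters the hash), and the 64-character ./A-Za-z0-9 salt alphabet of traditional crypt(3); the thread's 62^2 figure counts A-Za-z0-9 only, and salt_space() takes either size.

```python
import hashlib

# Constructed toy "common password" dictionary; it stands in for the
# 12,000,000-entry list discussed in the thread.
DICTIONARY = ["password", "letmein", "qwerty", "hunter2", "trustno1", "123456"]

# Traditional crypt(3) draws its two salt characters from ./A-Za-z0-9 (64 symbols).
CRYPT_SALT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def salt_space(alphabet_size, salt_len=2):
    """Number of distinct salts: the multiplier on precomputation cost and storage."""
    return alphabet_size ** salt_len


def salted_hash(password, salt):
    """Stand-in for crypt(3) (assumption: SHA-256 over salt||password, not DES crypt).

    Only one property matters for the argument: the salt enters the hash, so a
    table built for one salt says nothing about a record stored under another."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_table(dictionary, salt):
    """Attacker precomputation for ONE salt: hash -> candidate password."""
    return {salted_hash(p, salt): p for p in dictionary}


def build_tables(dictionary, salts):
    """Attacker precomputation across a set of salts (one table per salt)."""
    return {salt: build_table(dictionary, salt) for salt in salts}


def lookup(stored_salt, stored_hash, tables):
    """Attacker lookup against a stored (salt, hash) pair.

    Returns the password if a table exists for that salt AND the password is in
    the dictionary; None otherwise. A salt outside the precomputed set forces the
    attacker back to hashing the whole dictionary online for that one record."""
    table = tables.get(stored_salt)
    if table is None:
        return None
    return table.get(stored_hash)


def table_bytes(dict_size, salts, bytes_per_entry):
    """Storage for a full precomputed table: one entry per (password, salt) pair."""
    return dict_size * salts * bytes_per_entry


if __name__ == "__main__":
    # Attacker has disk for only a few salts (constructed: 4 of the 4096).
    tables = build_tables(DICTIONARY, ["ab", "cd", "ef", "gh"])

    # Victim whose salt falls inside the precomputed set: instant hit.
    print(lookup("ab", salted_hash("hunter2", "ab"), tables))
    # Same password, salt outside the set: the table cannot answer.
    print(lookup("zz", salted_hash("hunter2", "zz"), tables))
    # A password not in the dictionary misses regardless of salt.
    print(lookup("ab", salted_hash("correct horse battery", "ab"), tables))

    print("crypt(3) salts:", salt_space(64), " A-Za-z0-9 only:", salt_space(62))
    # Thread's estimate: 12M passwords x 10,000 salts x ~8 bytes each -> about 1 TB.
    print("bytes for full table:", table_bytes(12_000_000, 10_000, 8))
```

The storage function reproduces the thread's figure: 12,000,000 entries at roughly 8 bytes each is the quoted 100 MB, and 10,000 salts multiplies that to about 1 TB. The lookup shows the other half of the argument: the salt does not stop a dictionary hit, it only forces the attacker to have spent disk on that particular salt.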

