Full Disclosure mailing list archives
Re: Senior M$ member says stop using passwords completely!
From: Tim <tim-security () sentinelchicken org>
Date: Sat, 16 Oct 2004 20:25:04 -0400
Hello Mr Espinola,
> That much is obvious. Read the full article, do a little background research and get back to us when you reach a more sensible conclusion.

The reason for my post was to point out that Mr. Hensing doesn't appear to be a reliable source of information on the topic of passwords and hash security. If you haven't come to the same conclusion, perhaps you should do more homework yourself.

> Reactionary conclusions based on obvious article 'skimming' make it apparent you didn't do your homework before posting.

Pardon me for my reactionary style. I am merely frustrated by M$'s irresponsible business practices, and their unwillingness to correct the problems that they make for every internet user (not just Windows users).

> FWIW I have used "rainbow" tables for dictionary-styled attacks for about 7 years now. There have been available CLI-based tools for generating dictionary lists using different character sets for the better part of the past 10 years. There are also many dictionary lists in multiple languages available on many university public FTP sites to build and extend your own from.

Your point? I agree that these have been around a while, but even if they have been, it shouldn't change the fact that a hash is either secure or it isn't, for the level of computation possible by today's computers. Yes, good passwords are always a must, along with a good hash, but what he defines as good is a joke. I mean really, how many bits of entropy are in an English sentence? Last I heard, about 1 to 1.5 bits per character.

Mr. Hensing comes across as (if I may paraphrase): "You foolish users, why aren't you using secure passphrases??? 8-character passwords just aren't good enough because all of these big nasty hackers have great cracking tools!!!" Which, of course, is horseshit.

You ever tried building a rainbow table for salted SHA? How much disk you got? Let's see... for 8-character alphanumerics w/ 10 special characters, on a 14-bit salt, you'll need around

(46^8)*(7+20)*(2^14) ~= 8868422 terabytes

Do let me know if I fudged on any of those off-the-napkin calculations.

So, the moral of the story is, he doesn't know what he is talking about. Feel free to defend him, but I am not posting any more on this topic.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
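The following is an added worked example and is not code from the thread or from anyone quoted in it. It reproduces the napkin arithmetic in Tim's message (46-symbol charset, 8 characters, 14-bit salt, 27 bytes per entry) as a general table-size estimator, then shows on a deliberately tiny toy space why a per-user salt defeats a shared precomputed table: the same password hashes differently under each salt, so a table built once cannot be reused. The function names, the toy 4-symbol charset, and the `H(salt || password)` SHA-1 construction are assumptions chosen for illustration; SHA-1 appears only because the message talks about salted SHA.

```python
# Added example: not code from the thread or from anyone quoted in it.
import hashlib
import os
from itertools import product

TERABYTE = 10**12  # decimal terabytes, the unit the message's figure uses


def table_bytes(charset_size, length, salt_bits=0, entry_bytes=27):
    """Storage for a full (password, salt) -> digest lookup table.

    charset_size ** length candidate passwords, each stored once per
    possible salt value (2 ** salt_bits), at entry_bytes per entry. The
    27-byte default is the message's 7-byte key + 20-byte SHA-1 digest.
    A chained rainbow table stores only a fraction of the chains, but the
    2 ** salt_bits multiplier remains: every salt value needs its own
    coverage, which is the whole point of salting.
    """
    return (charset_size ** length) * (2 ** salt_bits) * entry_bytes


def table_terabytes(charset_size, length, salt_bits=0, entry_bytes=27):
    """Same estimate, in terabytes, for comparison with the message."""
    return table_bytes(charset_size, length, salt_bits, entry_bytes) / TERABYTE


def hash_password(password, salt=b""):
    """Salted SHA-1 as H(salt || password) (assumed construction).

    SHA-1 is used only because the message discusses salted SHA; a real
    system should use a slow, memory-hard KDF such as scrypt or Argon2.
    """
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_lookup(charset, length, salt=b""):
    """Exhaustive digest -> password table for ONE salt value.

    Only feasible for toy parameters; its infeasibility at real sizes is
    exactly what table_bytes() quantifies.
    """
    return {hash_password("".join(chars), salt): "".join(chars)
            for chars in product(charset, repeat=length)}


def crack(table, digest):
    """Look a digest up in a precomputed table; None means a miss."""
    return table.get(digest)


def demo():
    """Walk through the message's argument with toy parameters."""
    # 1. The message's napkin figure: 46 symbols, length 8, 14-bit salt.
    print("salted   : %.0f TB" % table_terabytes(46, 8, salt_bits=14))
    print("unsalted : %.0f TB" % table_terabytes(46, 8, salt_bits=0))

    # 2. Why the salt matters, on a 4-symbol, 3-character toy space.
    charset = "abcd"
    secret = "bad"  # constructed sample password
    shared_table = build_lookup(charset, 3)  # built once, reused forever
    print("unsalted hit :", crack(shared_table, hash_password(secret)))

    # A 16-bit per-user random salt makes the shared table useless...
    salt = os.urandom(2)
    print("salted hit   :", crack(shared_table, hash_password(secret, salt)))

    # ...unless the attacker rebuilds it for that specific salt value.
    per_salt_table = build_lookup(charset, 3, salt)
    print("per-salt hit :", crack(per_salt_table, hash_password(secret, salt)))


if __name__ == "__main__":
    demo()
```

Running `demo()` prints the message's 8,868,422 TB figure for the salted case next to the 541 TB unsalted case, then shows the shared toy table recovering the unsalted password, missing the salted one, and hitting again only after a table is rebuilt for that one salt.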
Current thread:
- Senior M$ member says stop using passwords completely! RandallM (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Tim (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Micheal Espinola Jr (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Tim (Oct 16)
- RE: Senior M$ member says stop using passwords completely! joe (Oct 18)
- Re: Senior M$ member says stop using passwords completely! Eric Paynter (Oct 18)
- RE: Senior M$ member says stop using passwords completely! joe (Oct 21)
- Websphere 3.5 Alerta Redsegura (Oct 21)
- Re: Senior M$ member says stop using passwords completely! Exibar (Oct 21)
- Re: Senior M$ member says stop using passwords completely! Micheal Espinola Jr (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Tim (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Frank Knobbe (Oct 16)
- Re: Senior M$ member says stop using passwords completely! Pavel Kankovsky (Oct 19)