PaulDotCom mailing list archives

Cracking good times (UNCLASSIFIED)


From: robert.portvliet at gmail.com (Robert Portvliet)
Date: Tue, 30 Jun 2009 14:33:05 -0400

Assuming the attacker retrieves the hashes ...at what password
length\strength do rainbow tables become impractical due to size & time to
generate?

Also, at what length\strength do the online rainbow table cracking services
become ineffective?



On Tue, Jun 30, 2009 at 2:00 PM, Craig <reswob10 at gmail.com> wrote:

Classification:  UNCLASSIFIED
Caveats: NONE

Thanks!


Craig L. Bowser
CISSP           SANS GSEC (Gold)
-------------------------------
Hard work spotlights the character of people; some turn up their sleeves,
some turn up their noses, and some don't turn up at all!
-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Dan Stadelman
Sent: Tuesday, June 30, 2009 1:46 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Cracking good times

The equations should say:

20^72 * time to *try* one password == a lot of time

but I am sure you get the idea ;)

Dan



On Tue, Jun 30, 2009 at 11:44 AM, Dan Stadelman<bioradmeister at gmail.com>
wrote:
It is really hard to answer this one because it really "all depends"
on a lot of things - mainly how long it would take to test one
password.  This can vary with system setup - if the user has access
to the password hashes, etc.

If you are trying to make up some stats you could do something like
this (I assume you know this):

26 + 26 + 10 + 10 = 72 characters

arranged 20 ways

20^72 * time to crack one password == a lot of time

arranged 15 ways

15^72 * time to crack one password == a bit less time

This is assuming there isn't some shortcut to figuring out the
password - like it is on a sticky note on someone's monitor (which
probably will happen if you are having such long passwords that are
changing frequently).

Laters,

Dan




On Tue, Jun 30, 2009 at 9:39 AM, craig bowser<reswob10 at gmail.com> wrote:



Does anyone know a good reference for listing password cracking
times?  I'm trying to find some stats to determine if we should pick
a 20+ character password for service accounts and only change every 6
or 12 months or pick a shorter password length (10-12 characters) and
change every 90 days or so.
All passwords would be using all four character sets (Aa1!).



Thanks.





Craig L. Bowser

CISSP       SANS GSEC (Gold)

-------------------------------

Nothing makes a person more productive than the last minute. -
Contributed by Jeff Pappas

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
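
The comparison asked about in the original question, worked through as an added example (not written by any poster in the thread). It counts the keyspace as alphabet size raised to the password length, using the thread's 72-character alphabet, and reports how much of that keyspace an offline exhaustive search covers before the password is rotated. The guess rates and the 365-day lifetime for the long password are assumed values, not measurements.

```python
from fractions import Fraction

ALPHABET = 26 + 26 + 10 + 10      # character count given in the thread: 72
SECONDS_PER_DAY = 86_400

def keyspace(length, alphabet=ALPHABET):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length

def days_to_exhaust(length, guesses_per_second, alphabet=ALPHABET):
    """Days needed to try every candidate at a constant guess rate."""
    per_day = guesses_per_second * SECONDS_PER_DAY
    return Fraction(keyspace(length, alphabet), per_day)

def fraction_searched(length, guesses_per_second, lifetime_days,
                      alphabet=ALPHABET):
    """Share of the keyspace searched before rotation, capped at 1."""
    tried = guesses_per_second * SECONDS_PER_DAY * lifetime_days
    return min(Fraction(1), Fraction(tried, keyspace(length, alphabet)))

# (label, length, days between changes): the options in the question.
POLICIES = [
    ("10 chars / 90 days", 10, 90),
    ("12 chars / 90 days", 12, 90),
    ("20 chars / 365 days", 20, 365),
]
# Assumed offline guess rates (hashes per second); depends on the hash type.
RATES = [10**6, 10**9, 10**12]

def compare(policies=POLICIES, rates=RATES):
    """One row per policy and rate: (label, rate, fraction searched)."""
    rows = []
    for label, length, lifetime in policies:
        for rate in rates:
            share = fraction_searched(length, rate, lifetime)
            rows.append((label, rate, float(share)))
    return rows

if __name__ == "__main__":
    for label, rate, share in compare():
        print(f"{label:22} {rate:>14,d} guesses/s  searched: {share:.3e}")
```

A value of 1.0 means the whole keyspace can be searched within one rotation period, so rotation gives no protection at that guess rate.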

