PaulDotCom mailing list archives

Cracking good times (UNCLASSIFIED)


From: dimitrios at gmail.com (Dimitrios Kapsalis)
Date: Tue, 30 Jun 2009 14:37:03 -0500

My experience with the online ones is that I haven't really seen any that
implement salts. I haven't looked in some time though so maybe now they
exist.


On Tue, Jun 30, 2009 at 1:33 PM, Robert Portvliet <
robert.portvliet at gmail.com> wrote:


Assuming the attacker retrieves the hashes ...at what password
length\strength do rainbow tables become impractical due to size & time to
generate?

Also, at what length\strength do the online rainbow table cracking services
become ineffective?




On Tue, Jun 30, 2009 at 2:00 PM, Craig <reswob10 at gmail.com> wrote:

Classification:  UNCLASSIFIED
Caveats: NONE

Thanks!


Craig L. Bowser
CISSP           SANS GSEC (Gold)
-------------------------------
Hard work spotlights the character of people; some turn up their sleeves,
some turn up their noses, and some don't turn up at all!
-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Dan
Stadelman
Sent: Tuesday, June 30, 2009 1:46 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Cracking good times

The equations should say:

20^72 * time to *try* one password == a lot of time

but I am sure you get the idea ;)

Dan



On Tue, Jun 30, 2009 at 11:44 AM, Dan Stadelman<bioradmeister at gmail.com>
wrote:
It is really hard to answer this one because it really "all depends"
on a lot of things - mainly how long it would take to test one
password.  This can vary with system set up - if the user has access
to the password hashes, etc.

If you are trying to make up some stats you could do something like
this (I assume you know this):

26 + 26 + 10 + 10 = 72 characters

arranged 20 ways

20^72 * time to crack one password == a lot of time

arranged 15 ways

15^72 * time to crack one password == a bit less time

This is assuming there isn't some short cut to figuring out the
password - like it is on a sticky note on someone's monitor (which
probably will happen if you are having such long passwords that are
changing frequently).

Laters,

Dan




On Tue, Jun 30, 2009 at 9:39 AM, craig bowser<reswob10 at gmail.com>
wrote:



Does anyone know a good reference for listing password cracking
times?  I'm trying to find some stats to determine if we should pick
a 20+ character password for service accounts and only change every 6
or 12 months or pick a shorter password length (10-12 characters) and
change every 90 days or so.
All passwords would be using all four character sets (Aa1!).



Thanks.





Craig L. Bowser

CISSP       SANS GSEC (Gold)

-------------------------------

Nothing makes a person more productive than the last minute. -
Contributed by Jeff Pappas

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
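
The trade-off asked about in this thread (20+ characters changed every 6 or 12 months versus 10-12 characters changed every 90 days) can be put into numbers. The following is an added example, not code from any poster: it takes the 72-symbol alphabet counted in the thread, uses a keyspace of alphabet ** length, and computes the chance that offline guessing against captured hashes finds a uniformly random password before it is rotated. The guess rates and all function names are assumptions chosen for illustration, and rainbow tables and salts are not modelled.

```python
# Added example (not from the thread): offline-guessing arithmetic for the
# service-account policies discussed. Guess rates below are assumed, not measured.
ALPHABET = 26 + 26 + 10 + 10      # the thread's count: 72 symbols
SECONDS_PER_DAY = 86_400

def keyspace(length, alphabet=ALPHABET):
    """Candidate passwords of exactly `length` symbols."""
    return alphabet ** length

def guesses_made(rotation_days, guesses_per_sec):
    """Guesses an attacker completes before the password is changed."""
    return guesses_per_sec * rotation_days * SECONDS_PER_DAY

def crack_probability(length, rotation_days, guesses_per_sec, alphabet=ALPHABET):
    """Chance a uniformly random password is guessed within one rotation period."""
    tried = guesses_made(rotation_days, guesses_per_sec)
    return min(1.0, tried / keyspace(length, alphabet))

def years_to_exhaust(length, guesses_per_sec, alphabet=ALPHABET):
    """Time to try every candidate; the average hit takes half of this."""
    return keyspace(length, alphabet) / guesses_per_sec / (365 * SECONDS_PER_DAY)

def min_length(rotation_days, guesses_per_sec, max_probability, alphabet=ALPHABET):
    """Shortest length that keeps crack_probability at or below max_probability."""
    length = 1
    while crack_probability(length, rotation_days, guesses_per_sec, alphabet) > max_probability:
        length += 1
    return length

# Constructed inputs: two assumed attacker speeds and the policies from the question.
ASSUMED_RATES = {"1e9 guesses/s": 1e9, "1e12 guesses/s": 1e12}
POLICIES = [(20, 365), (20, 180), (12, 90), (10, 90)]   # (length, rotation in days)

if __name__ == "__main__":
    for label, rate in ASSUMED_RATES.items():
        print(f"--- assumed rate: {label} ---")
        for length, days in POLICIES:
            p = crack_probability(length, days, rate)
            print(f"len {length:2d}, rotate {days:3d}d: "
                  f"P(cracked before change) = {p:.3g}, "
                  f"exhaust in {years_to_exhaust(length, rate):.3g} years")
        print("min length for P <= 1e-6 at 90-day rotation:",
              min_length(90, rate, 1e-6))
```

The result only holds for randomly generated passwords; human-chosen ones fall to dictionary and rule-based guessing far sooner than the keyspace suggests.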

