Penetration Testing mailing list archives

RE: john the ripper

From: Charles Clancy <clancy () www missl cs umd edu>
Date: Sun, 14 Dec 2003 14:03:17 -0500 (EST)

If you're introducing a smartcard, you might as well just use public-key
authentication.

[ t. charles clancy ]--[ tcc () umd edu ]--[ www.cs.umd.edu/~clancy ]

On Wed, 10 Dec 2003, Jason Watson wrote:

Hi people,

For a few years I have had this idea in my head about a secure(er)
authentication system to that of telling the user the password.  My system
is basically still a password system but it uses a key-card to access (there
are several of these systems out there).  the password is then stored by PGP
(GnuPGP) in a 1024 bit hash, everyday at a "random" time the password server
sends a new (encrypted of course) key to the card reader which stores the
new password on it's magnetic strip).  Everytime the password is read a new
password is sent.  This would easily allow for 1000 character passwords, in
turn increasing system security dramatically.  Passwords alone are never
going to secure systems but every little-bit helps.

Kind regards,

Jason Watson.

Okay, I hear what you're saying about the amount of time being used and
all... but..

If your users are like the ones I've seen, that "reasonably strong"
password (such as &Y6N8gg0 -- presumably strong) is just going to get
written down on a sticky tab and put on the users monitor or under their
keyboard.  The point is, while you've done a great job creating a strong
keyspace which is difficult to break, I may open up a bigger problem.
The goal is to get through the proverbial wall.  Whether I do that by
breaking through the bricks or scaling it or just going around, it
doesn't really matter to me.  If I make the wall thicker, that just
moves the problem -- I'm still interested in getting to the other side,
and I know I won't be able break through it, so off I go to find a
different solution...

Just my thoughts.


-----Original Message-----
From: Benjamin Tomhave [mailto:falcon () secureconsulting net]
Sent: Monday, December 08, 2003 10:58 AM
To: pen-test () securityfocus com
Subject: RE: john the ripper

Scary numbers...so, semi-drifting question: how long is an "acceptable"
length of time to run a cracker before pronouncing that uncracked
passwords
are "reasonably strong and well-chosen"?

-----Original Message-----
From: Mike [mailto:myname17 () bellsouth net]
Sent: Monday, December 08, 2003 3:45 AM
To: Giacomo; pen-test () securityfocus com
Subject: Re: john the ripper

I recently did a little research on this, and if the password was
well chosen
you will not find the password.

An 8 character password, based on a 72 character set (26 lower
case letters,
26 uppercase letters, 10 digits, and 10 special characters)
results in 72^8
or 7.2x10^14 possible passwords.  My reference PC was only able
to crack at
1500c/s.  Doing the math reveals that 150,000 years would be required

to

crack all combinations, or 75,000 years on average.  For a 12

character

password the result was 2,000,000,000,000 years.

If my math is wrong, please break it to me gently.

Mike

On Tuesday 02 December 2003 10:52 am, Giacomo wrote:

Hi all

I am tryning to crack cisco md5 password.
Currently I am using a Athlon XP2500barton at 2300mhz, after 17days

john

continue to crack at 3800c/s (it started at 4500c/s).
I am asking myself and all of you what is the best system (hardware)

to

crack md5 password.
I am thinking that the best way Is the powerfull (mhz) i386 in

commerce.

I've tried OpenMosix with 4 p500 nodes with john and cisilia, but
without lucky results.
The sun 280 (dual 64bits cpu at 900mhz) go to a poor 900c/s

which is you reference system to use john on md5 password ?

Giacomo

------------------------------------------------------------------
---------

------------------------------------------------------------------
---------



------------------------------------------------------------------
---------
------------------------------------------------------------------
----------



------------------------------------------------------------------------
---
------------------------------------------------------------------------
----



---------------------------------------------------------------------------
----------------------------------------------------------------------------


_________________________________________________________________
Download MSN Messenger @  http://messenger.xtramsn.co.nz   - talk to family
and friends overseas!


---------------------------------------------------------------------------
----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Re: john the ripper, (continued)
- - - Re: john the ripper Martin Mačok (Dec 10)
  - RE: john the ripper Anish M (Dec 09)
    - RE: john the ripper Arthur Clune (Dec 09)
- RE: john the ripper Brass, Phil (ISS Atlanta) (Dec 04)
- Re: john the ripper Jason Watson (Dec 04)
  - Re: john the ripper bofn (Dec 06)
- Re: john the ripper Marco Ivaldi (Dec 06)
- RE: john the ripper Tony Kava (Dec 06)
- RE: john the ripper OBrien, Brennan (Dec 08)
- RE: john the ripper Jason Watson (Dec 10)
  - RE: john the ripper Charles Clancy (Dec 15)
- RE: john the ripper MJohnst5 (Dec 10)