Penetration Testing mailing list archives
RE: john the ripper
From: "Jason Watson" <penscan () hotmail com>
Date: Wed, 10 Dec 2003 15:49:43 +1300
Hi people,

For a few years I have had this idea in my head about a secure(er) authentication system to that of telling the user the password. My system is basically still a password system but it uses a key-card to access (there are several of these systems out there). The password is then stored by PGP (GnuPGP) in a 1024 bit hash, every day at a "random" time the password server sends a new (encrypted of course) key to the card reader which stores the new password on its magnetic strip. Every time the password is read a new password is sent. This would easily allow for 1000 character passwords, in turn increasing system security dramatically. Passwords alone are never going to secure systems but every little bit helps.

Kind regards, Jason Watson.

Okay, I hear what you're saying about the amount of time being used and all... but..

If your users are like the ones I've seen, that "reasonably strong" password (such as &Y6N8gg0 -- presumably strong) is just going to get written down on a sticky tab and put on the user's monitor or under their keyboard. The point is, while you've done a great job creating a strong keyspace which is difficult to break, I may open up a bigger problem.

The goal is to get through the proverbial wall. Whether I do that by breaking through the bricks or scaling it or just going around, it doesn't really matter to me. If I make the wall thicker, that just moves the problem -- I'm still interested in getting to the other side, and I know I won't be able to break through it, so off I go to find a different solution...

Just my thoughts.

-----Original Message-----
From: Benjamin Tomhave [mailto:falcon () secureconsulting net]
Sent: Monday, December 08, 2003 10:58 AM
To: pen-test () securityfocus com
Subject: RE: john the ripper

Scary numbers...so, semi-drifting question: how long is an "acceptable" length of time to run a cracker before pronouncing that uncracked passwords are "reasonably strong and well-chosen"?

> -----Original Message-----
> From: Mike [mailto:myname17 () bellsouth net]
> Sent: Monday, December 08, 2003 3:45 AM
> To: Giacomo; pen-test () securityfocus com
> Subject: Re: john the ripper
>
> I recently did a little research on this, and if the password was
> well chosen you will not find the password.
>
> An 8 character password, based on a 72 character set (26 lower case
> letters, 26 uppercase letters, 10 digits, and 10 special characters)
> results in 72^8 or 7.2x10^14 possible passwords. My reference PC was
> only able to crack at 1500c/s. Doing the math reveals that 150,000
> years would be required to crack all combinations, or 75,000 years on
> average. For a 12 character password the result was
> 2,000,000,000,000 years.
>
> If my math is wrong, please break it to me gently.
>
> Mike
>
> On Tuesday 02 December 2003 10:52 am, Giacomo wrote:
> > Hi all
> >
> > I am trying to crack cisco md5 password.
> > Currently I am using an Athlon XP2500barton at 2300mhz, after 17days john
> > continue to crack at 3800c/s (it started at 4500c/s).
> > I am asking myself and all of you what is the best system (hardware) to
> > crack md5 password.
> > I am thinking that the best way is the powerful (mhz) i386 in commerce.
> > I've tried OpenMosix with 4 p500 nodes with john and cisilia, but
> > without lucky results.
> > The sun 280 (dual 64bits cpu at 900mhz) go to a poor 900c/s
> >
> > which is your reference system to use john on md5 password ?
> >
> > Giacomo
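
The keyspace arithmetic discussed in the quoted messages, as an added example that is not part of the original posts: it computes exhaustive-search time for the 72-character set and also what a fixed-length audit run (such as 17 days at 3800 c/s) has actually covered. It assumes a single target hash, a constant guess rate and a shortest-first incremental search; the 1e9 guesses/s rate is a constructed value.

```python
"""Keyspace arithmetic for a brute-force password audit (constructed example)."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes from the thread: 26 lower + 26 upper + 10 digits + 10 specials.
CHARSET_SIZE = 26 + 26 + 10 + 10


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def years_to_exhaust(charset_size, length, rate):
    """Worst-case years to try every password of `length` at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def audit_coverage(charset_size, rate, days, max_length=16):
    """What an incremental run (shortest first) of `days` days actually covered.

    Returns (longest length fully exhausted, fraction of the next length tried).
    """
    budget = int(rate * days * 86400)  # total guesses made during the run
    for length in range(1, max_length + 1):
        space = keyspace(charset_size, length)
        if budget < space:
            return length - 1, budget / space
        budget -= space
    return max_length, 0.0


def min_length_for(charset_size, rate, years):
    """Shortest length whose full keyspace outlasts `years` at `rate` guesses/s."""
    length = 1
    while years_to_exhaust(charset_size, length, rate) < years:
        length += 1
    return length


if __name__ == "__main__":
    for n in (8, 12):
        yrs = years_to_exhaust(CHARSET_SIZE, n, 1500)
        print(f"{n} chars @ 1500 c/s: {yrs:.3g} years worst case")
    full, frac = audit_coverage(CHARSET_SIZE, rate=3800, days=17)
    print(f"17 days @ 3800 c/s: all lengths <= {full}, {frac:.1%} of length {full + 1}")
    # 1e9 guesses/s is a constructed rate, not a figure from the thread.
    print("length to outlast 100 years @ 1e9 c/s:", min_length_for(CHARSET_SIZE, 1e9, 100))
```

An uncracked hash after such a run only shows that the password is not among the candidates tried; the coverage figure states how small that set is relative to the full keyspace.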
Current thread:
- RE: john the ripper, (continued)
- RE: john the ripper Benjamin Tomhave (Dec 08)
- Re: john the ripper Martin Mačok (Dec 10)
- RE: john the ripper Anish M (Dec 09)
- RE: john the ripper Arthur Clune (Dec 09)
- RE: john the ripper Benjamin Tomhave (Dec 08)
- RE: john the ripper Brass, Phil (ISS Atlanta) (Dec 04)
- Re: john the ripper Jason Watson (Dec 04)
- Re: john the ripper bofn (Dec 06)
- Re: john the ripper Marco Ivaldi (Dec 06)
- RE: john the ripper Tony Kava (Dec 06)
- RE: john the ripper OBrien, Brennan (Dec 08)
- RE: john the ripper Jason Watson (Dec 10)
- RE: john the ripper Charles Clancy (Dec 15)
- RE: john the ripper MJohnst5 (Dec 10)