lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 10 Feb 2006 01:39:04 +0300
From: Solar Designer <solar@...nwall.com>
To: Amin Tora <atora@...US.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: John the Ripper 1.7; pam_passwdqc 1.0+; tcb 1.0; phpass 0.0


On Thu, Feb 09, 2006 at 03:44:25PM -0500, Amin Tora wrote:
> Can a tool as this be as useful when there are rainbow tables out there
> to utilize for this kind of cracking? 

For salted hashes (such as of Unix passwords), definitely yes.  In fact,
I am not aware of rainbow table implementations for salted hashes,
although this is (barely) feasible for the obsolete/traditional crypt(3)
(but not for the newer flavors).
 
For saltless hashes (such as Windows LM hashes), it depends.  Is the
goal to get everything cracked, or is it to detect and eliminate
passwords that would be too weak to withstand certain attacks (e.g.,
automated remote login attempts)?  All LM hashes are crackable anyway.
(John the Ripper 1.7 can exhaustively search the entire printable
US-ASCII keyspace against any number of LM hashes within a couple of
weeks on a single modern CPU.)

When cracking large numbers of hashes at once, John the Ripper may
actually be faster than rainbow tables based crackers, -- and it will
also get the weakest passwords cracked earlier because it tries
candidate passwords in an optimal order.

Finally, often it is preferable to not spend lots of disk space and lots
of time and/or bandwidth to generate or download rainbow tables, -- and
also to not reveal your password hashes to a third party (such as one of
the online rainbow tables based cracking services).

Perhaps other Bugtraqers can provide additional reasons in favor of
either approach.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ