Open Source and information security mailing list archives
From: tim-security at sentinelchicken.org (Tim)
Subject: Senior M$ member says stop using passwords completely!

Hello Mr Espinola,

> That much is obvious.  Read the full article, do a little
> background research and get back to us when you reach a more sensible
> conclusion.

The reason for my post was to point out that Mr. Hensing doesn't appear
to be a reliable source of information on the topic of passwords and
hash security.  If you haven't come to the same conclusion, perhaps you
should do more homework yourself.

> Reactionary conclusions based on obvious article 'skimming' make it
> apparent you didn't do your homework before posting.

Pardon me for my reactionary style.  I am merely frustrated by M$'s
irresponsible business practices, and their unwillingness to correct the
problems that they make for every internet user (not just Windows users).


> FWIW I have used "rainbow" tables for dictionary-styled attacks for
> about 7 years now.  There have been available CLI-based tools for
> generating dictionary lists using different character sets for the
> better part of the past 10 years.  There are also many dictionary
> lists in multiple languages available on many university public FTP
> sites to build and extend your own from.

Your point?  I agree that these have been around a while, but even if
they have been, it shouldn't change the fact that a hash is either
secure or it isn't, for the level of computation possible by today's
computers.  Yes, good passwords are always a must, along with a good
hash, but what he defines as good, is a joke.  I mean really, how many
bits of entropy are in an English sentence?  Last I heard, about 1 to
1.5 bits per character.

Mr. Hensing comes across as (if I may paraphrase): "You foolish users,
why aren't you using secure passphrases???  8-character passwords just
aren't good enough because all of these big nasty hackers have great
cracking tools!!!"  Which, of course, is horseshit.

You ever tried building a rainbow table for salted SHA?  How much disk
you got?  Let's see... for 8-character alphanumerics w/ 10 special
characters, on a 14-bit salt, you'll need around
(46^8)*(7+20)*(2^14) ~= 8868422 terabytes
Do let me know if I fudged on any of those off-the-napkin calculations.

So, the moral of the story is, he doesn't know what he is talking about.
Feel free to defend him, but I am not posting any more on this topic.

tim
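As an added worked example (not part of Tim's message or anyone else's in the thread), the napkin calculation above written out in Python so the salt's contribution is explicit, and extended to other salt widths. It assumes the "(7+20)" means 7 bytes of packed password plus a 20-byte SHA-1 digest, and that 1 TB is 10^12 bytes.

```python
# Added example, not code from the post: reproduces the napkin figure and
# then varies the salt width to show how salting scales a precomputed table.
# Assumptions: the table stores one (password, hash) pair per candidate and
# per salt value, at 7 bytes for the packed password and 20 bytes for a SHA-1
# digest (our reading of the post's "7+20"); 1 TB = 10**12 bytes.

PW_BYTES = 7          # assumed: packed 8-character password
SHA1_BYTES = 20       # SHA-1 digest length
TB = 10 ** 12


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def table_bytes(alphabet_size: int, length: int, salt_bits: int,
                entry_bytes: int = PW_BYTES + SHA1_BYTES) -> int:
    """Storage for a full lookup table covering every salt value.

    Each distinct salt forces a separate copy of the whole table, so the
    cost is keyspace * bytes-per-entry * 2**salt_bits.  Real rainbow tables
    trade storage for recomputation, but the salt multiplier is unchanged.
    """
    return keyspace(alphabet_size, length) * entry_bytes * (2 ** salt_bits)


def table_terabytes(alphabet_size: int, length: int, salt_bits: int) -> int:
    """Same estimate in whole terabytes (integer division, as in the post)."""
    return table_bytes(alphabet_size, length, salt_bits) // TB


def salt_multiplier(salt_bits: int) -> int:
    """How many times larger the table gets relative to an unsalted hash."""
    return table_bytes(1, 1, salt_bits) // table_bytes(1, 1, 0)


if __name__ == "__main__":
    # 36 alphanumerics + 10 specials = 46 symbols, 8 characters, as in the post.
    for bits in (0, 14, 32, 128):
        print(f"{bits:3d}-bit salt: {table_terabytes(46, 8, bits):,} TB")
```

The unsalted table for this keyspace comes to a few hundred terabytes; the 14-bit salt alone multiplies that by 16384, which is why per-user salts are what actually defeat precomputation.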