| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20041017002504.GE2626@sentinelchicken.org> From: tim-security at sentinelchicken.org (Tim) Subject: Senior M$ member says stop using passwords completely! Hello Mr Espinola, > That much is obvious. Read the the full article, do a little > background research and get back to us when you reach a more sensible > conclusion. The reason for my post was to point out that Mr. Hensing doesn't appear to be a reliable source of information on the topic of passwords and hash security. If you haven't come to the same conclusion, perhaps you should do more homework yourself. > Reactionary conclusions based on obvious article 'skimming' make it > apparent you didn't do your homework before posting. Pardon me for my reactionary style. I am merely frustrated by M$'s irresponsible business practices, and their unwillingness to correct the problems that they make for every internet user (not just Windows users). > FWIW I have used "rainbow" tables for dictionary-styled attacks for > about 7 years now. There have been available CLI-based tools for > generating dictionary lists using different character sets for the > better part of the past 10 years. There are also many dictionary > lists in multiple languages available on many university public FTP > sites to build and extend your own from. Your point? I agree that these have been around a while, but even if they have been, it shouldn't change the fact that a hash is either secure or it isn't, for the level of computation possible by today's computers. Yes, good passwords are always a must, along with a good hash, but what he defines as good, is a joke. I mean really, how many bits of entropy are in an english sentence? Last I heard, about 1 to 1.5 bits per character. Mr. Hensing comes across as (if I may paraphrase): "You foolish users, why aren't you using secure passphrases??? 8-character passwords just aren't good enough because of all of these big nasty hackers have great cracking tools!!!" Which, of course, is horseshit. You ever tried building a rainbow table for salted SHA? How much disk you got? Let's see... for 8-character alphanumerics w/ 10 special characters, on a 14bit salt, you'll need around (46^8)*(7+20)*(2^14) ~= 8868422 TerraBytes Do let me know if I fudged on any of those off-the-napkin calculations. So, the moral of the story is, he doesn't know what he is talking about. Feel free to defend him, but I am not posting any more on this topic. tim
Powered by blists - more mailing lists