Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Senior M$ member says stop using passwords completely!
From: Tim <tim-security () sentinelchicken org>
Date: Sat, 16 Oct 2004 20:25:04 -0400

Hello Mr Espinola,

That much is obvious.  Read the the full article, do a little
background research and get back to us when you reach a more sensible

The reason for my post was to point out that Mr. Hensing doesn't appear
to be a reliable source of information on the topic of passwords and
hash security.  If you haven't come to the same conclusion, perhaps you
should do more homework yourself.

Reactionary conclusions based on obvious article 'skimming' make it
apparent you didn't do your homework before posting.

Pardon me for my reactionary style.  I am merely frustrated by M$'s
irresponsible business practices, and their unwillingness to correct the
problems that they make for every internet user (not just Windows users).

FWIW I have used "rainbow" tables for dictionary-styled attacks for
about 7 years now.  There have been available CLI-based tools for
generating dictionary lists using different character sets for the
better part of the past 10 years.  There are also many dictionary
lists in multiple languages available on many university public FTP
sites to build and extend your own from.

Your point?  I agree that these have been around a while, but even if
they have been, it shouldn't change the fact that a hash is either
secure or it isn't, for the level of computation possible by today's
computers.  Yes, good passwords are always a must, along with a good
hash, but what he defines as good, is a joke.  I mean really, how many
bits of entropy are in an english sentence?  Last I heard, about 1 to
1.5 bits per character.  

Mr. Hensing comes across as (if I may paraphrase): "You foolish users,
why aren't you using secure passphrases???  8-character passwords just
aren't good enough because of all of these big nasty hackers have great
cracking tools!!!"  Which, of course, is horseshit.

You ever tried building a rainbow table for salted SHA?  How much disk
you got?  Let's see... for 8-character alphanumerics w/ 10 special
characters, on a 14bit salt, you'll need around 
(46^8)*(7+20)*(2^14) ~= 8868422 TerraBytes
Do let me know if I fudged on any of those off-the-napkin calculations.

So, the moral of the story is, he doesn't know what he is talking about.
Feel free to defend him, but I am not posting any more on this topic.


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]