Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Cracking good times (UNCLASSIFIED)
From: robert.portvliet at gmail.com (Robert Portvliet)
Date: Tue, 30 Jun 2009 14:33:05 -0400

Assuming the attacker retrieves the hashes ...at what password
length\strength do rainbow tables become impractical due to size & time to
generate?

Also, at what length\strength do the online rainbow table cracking services
become ineffective?



On Tue, Jun 30, 2009 at 2:00 PM, Craig <reswob10 at gmail.com> wrote:

Classification:  UNCLASSIFIED
Caveats: NONE

Thanks!


Craig L. Bowser
CISSP           SANS GSEC (Gold)
-------------------------------
Hard work spotlights the character of people; some turn up their sleeves,
some turn up their noses, and some don't turn up at all!
-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Dan Stadelman
Sent: Tuesday, June 30, 2009 1:46 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Cracking good times

The equations should say:

20^72 * time to *try* one password == a lot of time

but I am sure you get the idea ;)

Dan



On Tue, Jun 30, 2009 at 11:44 AM, Dan Stadelman<bioradmeister at gmail.com>
wrote:
It is really hard to answer this one because it really "all depends"
on a lot of things - mainly how long it would take to test one
password.  This can vary with system set up - if the user has access
to the password hashes, etc.

If you are trying to make up some stats you could do something like
this (I assume you know this):

26 + 26 + 10 + 10 = 72 characters

arranged 20 ways

20^72 * time to crack one password == a lot of time

arranged 15 ways

15^72 * time to crack one password == a bit less time

This is assuming there isn't some short cut to figuring out the
password - like it is on a sticky note on someones monitor (which
probably will happen if you are having such long passwords that are
changing frequently).

Laters,

Dan




On Tue, Jun 30, 2009 at 9:39 AM, craig bowser<reswob10 at gmail.com> wrote:



Does anyone know a good reference for listing password cracking
times?  I'm trying to find some stats to determine if we should pick
a 20+ character password for service accounts and only change every 6
or 12 months or pick a shorter password length (10-12 characters) and
change every 90 days or so.
All passwords would be using all four character sets (Aa1!).



Thanks.





Craig L. Bowser

CISSP       SANS GSEC (Gold)

-------------------------------

Nothing makes a person more productive than the last minute. -
Contributed by Jeff Pappas

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Classification:  UNCLASSIFIED
Caveats: NONE


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090630/1af1c735/attachment.htm 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault