January 22nd, 2004, 04:10 AM
How long is an acceptable length of time to run a password cracker before pronouncing that the uncracked password[s] is/are "reasonably strong and well-chosen"?
January 22nd, 2004, 04:39 AM
That's a really tough question to get a direct and definite answer on. What might take, say, a month on a 2.0 GHz to crack running constantly day and night would probably take considerably less time on a faster processor like the 3.x GHz line, and amazingly less in a distributed cracking setup. The problem with making longer passwords is that after a certain point they become difficult to remember and type in without error, so they outweigh the usefulness of having them. It would be more reasonable to go with a moderate length password of mixed case with numbers, and even special characters if allowed, of about 10 to 15 characters, up to maybe 25 if you're comfortable with it, and work on the general security of your machine to prevent the password files from being stolen for cracking. Of course this doesn't stop government cracking by seizing the machine and using sophisticated NSA cracking systems.
You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
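The reply above argues that cracking time depends on the character set, the password length and the speed of the hardware. The following is an added worked example (not code from the thread or from any cracker) that turns that reasoning into numbers: it computes the keyspace a policy allows, its entropy in bits, and the expected time to hit a password at a given guess rate. The guess rates in GUESS_RATES are constructed placeholders for illustration, not measurements of any real machine; plug in the rate of the cracker you actually benchmarked.

```python
"""Brute-force keyspace and cracking-time estimator (added example)."""
import math
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

# Character classes a password policy might allow.
CHARSETS = {
    "lowercase": ascii_lowercase,
    "alphanumeric": ascii_lowercase + ascii_uppercase + digits,
    "full": ascii_lowercase + ascii_uppercase + digits + punctuation,
}

# Constructed guess rates in guesses per second, for illustration only.
# Replace these with a measured rate from your own cracker benchmark.
GUESS_RATES = {
    "single cpu (assumed)": 1e6,
    "faster cpu (assumed)": 5e6,
    "distributed (assumed)": 1e9,
}


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate passwords of length min_len..max_len inclusive."""
    if charset_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("charset must be non-empty and min_len <= max_len")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Bits of entropy for a password drawn uniformly from `space` candidates."""
    return math.log2(space)


def expected_seconds(space: int, rate: float) -> float:
    """Average time to find the password: half the keyspace at `rate` guesses/s."""
    return space / 2 / rate


def exhaust_seconds(space: int, rate: float) -> float:
    """Worst-case time: every candidate tried at `rate` guesses/s."""
    return space / rate


def survives_rotation(space: int, rate: float, rotation_days: float) -> bool:
    """True if the expected crack time exceeds the password rotation period."""
    return expected_seconds(space, rate) > rotation_days * 86400


def human_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(charset_name: str, min_len: int, max_len: int) -> None:
    space = keyspace(len(CHARSETS[charset_name]), min_len, max_len)
    print(f"{charset_name}, {min_len}-{max_len} chars: "
          f"{space:.3e} candidates, {entropy_bits(space):.1f} bits")
    for rate_name, rate in GUESS_RATES.items():
        print(f"  {rate_name:>24}: expected {human_duration(expected_seconds(space, rate))}"
              f", survives 30-day rotation: {survives_rotation(space, rate, 30)}")


if __name__ == "__main__":
    report("lowercase", 8, 8)
    report("alphanumeric", 10, 10)
    report("full", 1, 15)
```

Running this shows why the thread's answers differ so much: an 8-character lowercase password is exhausted in hours at the rates assumed here, while a 10-character alphanumeric one holds up for years even against the distributed figure, so the "acceptable" cracking run is really a function of the policy you are auditing and the rate you can sustain.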
January 22nd, 2004, 06:15 AM
15 to 30 minutes, give or take.. with a 2.8 is good.. (in my humble opinion)
The Only Way to be Safe is To Never Be Secure.
January 22nd, 2004, 12:38 PM
I think it depends on what the reward for cracking the password is.
If your mate tells you l0pthcrack won't get round his password, an hour or so may be reasonable.
If however you found an opportunity to brute force a bank network admin logon, and you were criminally intent on removing $M of funds to your Swiss Bank Account, then would a year be too long?
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
January 22nd, 2004, 12:48 PM
I usually run them for a couple of hours. However, I have been using RainbowCrack as well, which, once you have set up the hash file, needs only a couple of minutes to run and uncover the majority of passwords (in the case where passwords are just a mix of alphanumeric characters).
If you base it on what the reward is then I guess the maximum time it may be worth doing it for is for the duration of the password, so if they are changed every 30 days run your cracker for 29.
Quis custodiet ipsos custodes
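The post above notes that RainbowCrack recovers most alphanumeric passwords in minutes once its tables are built. The reason, and the defence against it, is worth seeing in code. The following is an added toy example, not code from the thread or from RainbowCrack: a real rainbow table uses hash chains and reduction functions to trade memory for time, while this uses a plain hash-to-password dictionary over a deliberately tiny keyspace (3-character lowercase alphanumerics, 46,656 entries) so it runs in well under a second. It shows that a precomputed table cracks an unsalted hash with one lookup, and that a per-user random salt makes the same table useless. The password "q7z" and the salt are constructed test values.

```python
"""Precomputed hash lookup versus salted hashes (added toy example)."""
import hashlib
import itertools
import secrets
from string import ascii_lowercase, digits

ALPHABET = ascii_lowercase + digits   # 36 symbols
LENGTH = 3                            # 36**3 = 46,656 candidates, tiny on purpose


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same input always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password: the digest now depends on the per-user salt."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(alphabet: str = ALPHABET, length: int = LENGTH) -> dict:
    """Precompute digest -> password for every candidate. Built once, reused forever."""
    candidates = ("".join(t) for t in itertools.product(alphabet, repeat=length))
    return {unsalted_hash(p): p for p in candidates}


def lookup(table: dict, digest: str):
    """Recover the password for `digest` if it is in the table, else None."""
    return table.get(digest)


def demo(password: str = "q7z"):
    """Crack an unsalted hash by lookup, then show the salted hash is not in the table."""
    table = build_table()
    hit_unsalted = lookup(table, unsalted_hash(password))
    salt = secrets.token_bytes(16)            # fresh random salt per stored credential
    hit_salted = lookup(table, salted_hash(password, salt))
    return hit_unsalted, hit_salted


if __name__ == "__main__":
    unsalted, salted = demo()
    print(f"unsalted lookup -> {unsalted!r}")   # the password, found instantly
    print(f"salted lookup   -> {salted!r}")     # None: the table does not apply
```

The defensive point is that precomputation only pays off when every system hashes the same password to the same value. A random per-credential salt forces the attacker to build a fresh table per salt, which is no better than brute force; using a deliberately slow key derivation function on top of the salt (bcrypt, scrypt or Argon2 rather than a single SHA-256 as here) then makes each guess expensive as well.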
January 22nd, 2004, 01:01 PM
Good point R0n1n.
Out of curiosity though, how does RainbowCrack stand up to biometrics integrated with the logon credentials or encryption scheme?
The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!
January 22nd, 2004, 01:14 PM
First, it's going to depend on how the password is encrypted. However, far more important than this is that you would need a charset from which to extract all the possible passwords that may exist; now if biometric data has been encoded, then you would need a way to make a charset that includes that data. Making the situation worse still are all the possible passwords that could exist, so it probably would not be practical to compute all the hashes. This would also be affected by the type of biometric information being stored, so while I think it's possible in theory, practically it would be very difficult.
If the biometric data was encrypted separately and stored alongside the password, then perhaps you could bust the password using RainbowCrack and then cut off the person's finger, pull out their eye etc.... I suggest only doing this if you really really need someone's password though.
Any other ideas anyone???
Quis custodiet ipsos custodes
January 22nd, 2004, 01:43 PM
Judge this by how often the password is changed.
e.g. a password on a zip file should be of max length and variation, as the file can be copied.
The logon password etc only need to be strong enough to stop intruders while the password remains constant.
January 22nd, 2004, 07:48 PM
Instead of:
"cut of the persons finger"
Biometrics finds its niche
If you're interested in reading how it works, read the following section below:
With fingerprints, you can use a "gummy finger" (a gelatin mold of a finger) and the lifted fingerprint. Or, if it's an optical reader, we've heard of people shining a flashlight on the reader, and it accepts the previous fingerprint--the oil residue still remaining on the reader. So, yes, there are shortcomings. But when used in conjunction with another authentication type, those shortcomings just plain go away because you already have to know a password and user ID.
Fun with Fingerprint Readers
January 22nd, 2004, 09:53 PM
there are ways of remembering really long passwords that are really easy;
Take a phrase you know, a saying of some sort, put it all into one word, put capitals on the start of every word before you do so, then replace some letters with numbers or the words to/too/two with 2 and for/four with 4, and you can then easily remember passwords of 30-40 in length; you just have to get used to typing them a little while.
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!
And no one can recall the gentle features of the queen's face on that fair day, when this land rested in holy peace and everyone had love to love with.