Question:
How long is an acceptable length of time to run a password cracker before pronouncing that the uncracked password[s] is/are "reasonably strong and well-chosen"?
Just wondering.
That's a really tough question to get a direct and definite answer on. What might take, say, a month on a 2.0 GHz machine to crack, running constantly day and night, would probably take considerably less time on a faster processor like the 3.x GHz line, and amazingly less in a distributed cracking setup. The problem with making longer passwords is that after a certain point they become difficult to remember and type in without error, so that outweighs the usefulness of having them. It would be more reasonable to go with a moderate-length password of mixed case with numbers, and even special characters if allowed, of about 10 to 15 characters, up to maybe 25 if you're comfortable with it, and work on the general security of your machine to prevent the password files from being stolen for cracking. Of course this doesn't stop government cracking by seizing the machine and using sophisticated NSA cracking systems ;)
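The scaling the reply above describes (faster CPU, distributed cracking, bigger alphabet, longer password) all comes down to keyspace divided by guess rate. As an added example, not code from this thread, here is that arithmetic in Python; the guess rates used in main() are constructed round numbers, not benchmarks of any particular CPU, GPU or cracker.

```python
"""Keyspace and expected cracking-time arithmetic (added example, not from
the thread). The guess rates in main() are constructed round numbers, not
benchmarks of any real CPU, GPU or cracker."""
import string

# Sizes of the character classes a cracker would have to enumerate.
LOWER = len(string.ascii_lowercase)             # 26
MIXED = len(string.ascii_letters)               # 52
MIXED_DIGITS = MIXED + len(string.digits)       # 62
FULL = MIXED_DIGITS + len(string.punctuation)   # 94


def keyspace(charset_size: int, max_length: int) -> int:
    """Number of candidate strings of length 1..max_length over the charset."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def expected_seconds(charset_size: int, max_length: int,
                     guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: on average the
    attacker has to try half the keyspace before the right guess comes up."""
    return keyspace(charset_size, max_length) / 2 / guesses_per_second


def longest_exhaustible(charset_size: int, guesses_per_second: float,
                        budget_seconds: float) -> int:
    """Longest length whose entire keyspace fits in the attacker's time budget.
    A uniformly random password longer than this cannot be guaranteed found
    by brute force within that budget (dictionary/rule attacks are separate)."""
    n = 0
    while keyspace(charset_size, n + 1) <= guesses_per_second * budget_seconds:
        n += 1
    return n


def describe(seconds: float) -> str:
    """Human-readable duration in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def main() -> None:
    # Constructed rates: a single CPU core versus a distributed/GPU setup.
    rates = {"one CPU core (constructed: 1e6 guesses/s)": 1e6,
             "distributed rig (constructed: 1e9 guesses/s)": 1e9}
    for label, rate in rates.items():
        print(label)
        for length in (6, 8, 10, 12):
            t = expected_seconds(MIXED_DIGITS, length, rate)
            print(f"  mixed case + digits, up to {length:2d} chars: {describe(t)}")
        # Budget implied by a 30-day rotation policy: 29 days of cracking.
        n = longest_exhaustible(MIXED_DIGITS, rate, 29 * 86400)
        print(f"  fully searchable within 29 days: lengths up to {n}")


if __name__ == "__main__":
    main()
```

The point of longest_exhaustible is the practical answer to the question: a cracker run is "long enough" when it has exhausted every length and alphabet the policy allows, and the arithmetic tells you whether that is minutes or centuries at your guess rate.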
Hey all
15 to 30 minutes, give or take, with a 2.8 is good (in my humble opinion).
Cheers
I think it depends on what the reward for cracking the password is.
If your mate tells you L0phtCrack won't get round his password, an hour or so may be reasonable.
If, however, you found an opportunity to brute force a bank network admin logon, and you were criminally intent on removing $M of funds to your Swiss bank account, then would a year be too long?
Steve
I usually run them for a couple of hours. However, I have been using RainbowCrack as well, which, after you set up the hash file, needs only a couple of minutes to run and uncover the majority of passwords (in the case where passwords are just a mix of alphanumeric characters).
If you base it on what the reward is, then I guess the maximum time it may be worth doing it for is the duration of the password, so if they are changed every 30 days, run your cracker for 29.
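The "set up the hash file once, then minutes per crack" behaviour R0n1n describes is the time-memory tradeoff of a rainbow table. The following is an added example for this thread, not RainbowCrack's code or its table format: a miniature rainbow table over a toy keyspace (4 lowercase letters, MD5, short chains), with parameters chosen so that it builds in a few seconds.

```python
"""A miniature rainbow table, the time-memory tradeoff RainbowCrack relies on.
Added example for this thread, not RainbowCrack's code or table format; the
parameters (4 lowercase letters, MD5, short chains) are toy values chosen so
that the table builds in a few seconds."""
import hashlib
import random

CHARSET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 4            # keyspace: 26**4 = 456,976 passwords
CHAIN_LENGTH = 100    # hashes recomputed per chain at lookup time
CHAINS = 2000         # rows stored; memory ~ CHAINS, lookup time ~ CHAIN_LENGTH**2


def h(password: str) -> bytes:
    return hashlib.md5(password.encode()).digest()


def reduce(digest: bytes, column: int) -> str:
    """Map a digest back into the password space. Mixing in the column index
    is what makes it a *rainbow* table: two chains that collide in different
    columns do not merge, unlike classic Hellman tables."""
    n = int.from_bytes(digest[:8], "big") + column
    chars = []
    for _ in range(LENGTH):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(seed: int = 1) -> dict:
    """Precompute chains, storing only end -> start. Everything in between is
    recomputed on demand; that is the memory saving."""
    rng = random.Random(seed)
    table = {}
    for _ in range(CHAINS):
        start = "".join(rng.choice(CHARSET) for _ in range(LENGTH))
        pw = start
        for col in range(CHAIN_LENGTH):
            pw = reduce(h(pw), col)
        table.setdefault(pw, start)   # first chain wins on endpoint collision
    return table


def lookup(table: dict, target: bytes):
    """Return the preimage of target if some chain covered it, else None.
    Try each column the target could sit in, walk to the chain end, and on an
    endpoint hit regenerate that chain from its start to confirm (false
    alarms happen when a different chain merged into the same endpoint)."""
    for col in range(CHAIN_LENGTH - 1, -1, -1):
        pw = reduce(target, col)
        for c in range(col + 1, CHAIN_LENGTH):
            pw = reduce(h(pw), c)
        start = table.get(pw)
        if start is None:
            continue
        cand = start
        for c in range(CHAIN_LENGTH):
            if h(cand) == target:
                return cand
            cand = reduce(h(cand), c)
    return None


def main() -> None:
    table = build_table()
    rng = random.Random(7)
    hits, trials = 0, 20
    for _ in range(trials):
        pw = "".join(rng.choice(CHARSET) for _ in range(LENGTH))
        found = lookup(table, h(pw))
        hits += found == pw
        print(f"{pw}: {'cracked' if found == pw else 'not in table'}")
    print(f"{hits}/{trials} recovered from {len(table)} stored rows; coverage "
          f"is partial, and more rows or longer chains cost memory or time")


if __name__ == "__main__":
    main()
```

Two things this makes visible that the post does not: the table only helps for hashes that are unsalted and computed over a fixed alphabet (a salt changes the function, so the precomputation is wasted), and coverage is never 100%, so a miss from a rainbow table says nothing about the password's strength.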
Good point R0n1n.
Out of curiosity though, how does RainbowCrack stand up to biometrics integrated with the logon credentials or encryption scheme?
First, it's going to depend on how the password is encrypted. However, far more important than this is that you would need a charset from which to extract all the possible passwords that may exist; now, if biometric data has been encoded, then you would need a way to make a charset that includes that data. Making the situation worse still are all the possible passwords that could exist, so it probably would not be practical to compute all the hashes. This would also be affected by the type of biometric information being stored, so while I think it's possible in theory, practically it would be very difficult.
If the biometric data was encrypted separately and stored alongside the password, then perhaps you could bust the password using RainbowCrack and then cut off the person's finger, pull out their eye, etc.... I suggest only doing this if you really, really need someone's password though.
Any other ideas anyone???
Judge this by how often the password is changed.
e.g. a password on a zip file should be max length and variation, as the file can be copied.
The logon password etc only need to be strong enough to stop intruders while the password remains constant.
Instead of:
Quote:
cut off the person's finger
Biometrics finds its niche
If you're interested in reading how it works, read the following section below:
Quote:
With fingerprints, you can use a "gummy finger" (a gelatin mold of a finger) and the lifted fingerprint. Or, if it's an optical reader, we've heard of people shining a flashlight on the reader, and it accepts the previous fingerprint--the oil residue still remaining on the reader. So, yes, there are shortcomings. But when used in conjunction with another authentication type, those shortcomings just plain go away because you already have to know a password and user ID.
Fun with Fingerprint Readers
There are ways of remembering really long passwords that are really easy:
Take a phrase you know, a saying of some sort, and put it all into one word, putting capitals at the start of every word before you do so; then replace some letters with numbers, or the words to/too/two with 2 and for/four with 4, and you can then easily remember passwords 30-40 characters in length. You just have to get used to typing them for a little while.