Results 1 to 10 of 10

Thread: Password Question

  1. #1
    Senior Member
    Join Date
    Oct 2003
    Posts
    707

    Password Question

    Question:

    How long is an acceptable length of time to run a password cracker before pronouncing that the uncracked password[s] is/are "reasonably strong and well-chosen"?

    Just wondering.
    Operation Cyberslam
    \"I\'ve noticed that everybody that is for abortion has already been born.\" Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam

  2. #2
    Purveyor of Lather Syini666's Avatar
    Join Date
    Aug 2001
    Posts
    553
    Thats a really tough question to get a direct and definate answer on. What might take say a month on a 2.0 Ghz to crack running constantly day and night, would probably take considerably less time on a faster processor like the 3.x Ghz line, and amazingly less in a distributed cracking setup. The problem with making longer passwords is that after a certain point they become difficult to remember and type in without error, so they outweigh the usefulness of having them. It would be more reasonable to go with a moderate length password of mixed case with numbers, and even special characters if allowed of about 10 to 15 characters up to maybe 25 if your comfortable with it, and work on the general security of your machine to prevent the password files from being stolen for cracking. Of course this doesnt stop government cracking by siezing the machine and using sophisticated NSA cracking systems
    You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  3. #3
    Member
    Join Date
    Nov 2003
    Posts
    67
    Hey all

    15 to 30 minutes Give or take.. with a 2.8 is good.. (in my humble opion)

    Cheers
    [gloworange]The Only Way to be Safe is To Never Be Secure. [/gloworange]
    Benjamin Franklin

  4. #4
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    I think it depends on what the reward for cracking the password is.

    If your mate tells you l0pthcrack wont get round his password, an hour or so may be reasonable.

    If however you found an oppertunity to brute force a bank network admin logon, and you were criminally intent on removing $M of funds to your Swiss Bank Account then would a year be too long?

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    I usually run them for a couple of hours. However, I have been using RainbowCrack as well which after you set up the hash file it needs only a couple of minutes to run and uncover the majority of passwords (in the case where passwords are just a mix of alphanumeric characters).

    If you base it on what the reward is then I guess the maximum time it may be worth doing it for is for the duration of the password, so if they are changed every 30 days run your cracker for 29.
    Quis custodiet ipsos custodes

  6. #6
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    Good point R0n1n.

    Out of curiosity though, how does RainbowCrack stand up to biometrics integrated with the logon credentials or encryption scheme?
    The mentally handicaped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  7. #7
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    First its going to depend on how the password is encrypted. However far more important then this is that you would need a charset from which to extract all the possible passwords that may exist, no if biometric data has been encoded then you would need a way to make a charset that includes that date. Making the situation worse still are all the possible passwords that could exist so it probably would not be practical to compute all the hashes. This would also be affected by the type of biometric information being stored, so while I think its possible in theory, practically it would be very difficult.

    If the biometric data was encrypted seerately and stored alongside the password then perhaps you could bust the password using rainbowcrack and then cut of the persons finger, pullout their eye etc.... I suggest only doing this if you really really need someones password though.

    Any other ideas anyone???
    Quis custodiet ipsos custodes

  8. #8
    Senior Member
    Join Date
    Jan 2003
    Posts
    1,499
    Judge this by how often the password is changed.

    e.g a password on a zip file should be max length and variation as the file can be copied.

    The logon password etc only need to be strong enough to stop intruders while the password remains constant.

  9. #9
    Senior Member
    Join Date
    Oct 2003
    Posts
    707
    Instead of :
    cut of the persons finger
    Biometrics finds its niche
    With fingerprints, you can use a "gummy finger" (a gelatin mold of a finger) and the lifted fingerprint. Or, if it's an optical reader, we've heard of people shining a flashlight on the reader, and it accepts the previous fingerprint--the oil residue still remaining on the reader. So, yes, there are shortcomings. But when used in conjunction with another authentication type, those shortcomings just plain go away because you already have to know a password and user ID.
    If you interested in reading how it works read the following section below:

    Fun with Fingerprint Readers
    Operation Cyberslam
    \"I\'ve noticed that everybody that is for abortion has already been born.\" Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam

  10. #10
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    there are ways of remembering really long passwords that are really easy;
    Take a phrase you know, a saying of some sort, put it all into one word, put capitals on the start of every word before you do so, then replace some letters with numbers or the words to/too/two with 2 and for/four with 4 and you can then easily remember passwords of 30-40 in length, you just have to get used to typeing them a little while.
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •