You were thinking along my lines with parallel processing. I have a feeling it's not too difficult anymore to set up the killer cluster.. more then likely using virtual connections..
But then again, if someone wants in that badly.. I would worry more about "social engineering" which is always a one of the weakest links in any security program. MikeS Carroll Kong wrote: > > It has to do brute force strength. Against an MD5, it does > pretty > poorly, benching about 440 Cracks per second on a K6-200 with > 160 megs of > ram. (ram is irrelevant to be honest). I am guessing that say > a gigahertz > processor might do a linear increase to about ~2000 Cracks per > second. This is pretty slow and has almost no chance to stop a > good 8 > character password. > > With about 92 or so character choices for a password, > 8^92 == 121.416E81. Or, a heck of a lot for a simple 8 > character > password. Yes, with this number, it is impossible for one > machine to do > this in a life time. > > Note, few people put up good, strong passwords. If > there is any > level of efficiency, we can cut this number down a lot. > > On the side, Microsoft's Mighty NT Lan Man DES gets > hit by an > astounding 90K cracks per second on a K6-200. Forget that, I > believe > L0phtcrack lets you do 300-400K cracks per second on your > slightly below > average processor of today and can do them in parallel. Maybe > that is why > Microsoft is quickly dropping their Lanman Hash as they > introduce Win2k as > the "champion server OS?" > > However, I wonder if one can use programs like "john > the ripper" > in parallel with other machines. With a "cracking" Athlon box > running for > maybe $400 bucks, you can probably setup one nasty cluster to > cut this down > to size. Although this may seem like a lot of trouble a hacker > has to go > through, it is and it is not. If you give ANYONE an encrypted > hash > guarding something really important, you can assume it will be > cracked > within a life time and be used against you. (Another good > reason why you > should rotate your passwords over a certain amount of time, but > that of > course has other possible problems). Heck, it seems fairly > reasonable for > a hacker to have a small cluster of Athlon boxes. I have quite > a few PCs > at home. > > As for practicality, one could argue most "script > kiddies" are > unable to fathom even what I just wrote. However, a mere > amateur or > professional hacker could easily wreck do this. Be careful if > you have > sensitive information or enemies! > > At 02:59 PM 10/21/01 -0400, Maissen Sacha wrote: > >Anh, > >Sorry for my question about your test below. This program > "john the > >ripper", is > >it working with dictionaries or not? Because my question is, > if I use > >passwords > >like "12eldkvi", which are not in any dics, how long you need > then to > >crack a > >MD5-password? > > > >Regards > >Sacha > > > >-----Urspr|ngliche Nachricht----- > >Von: Anh Lam [mailto:[EMAIL PROTECTED]] > >Gesendet: Sonntag, 21. Oktober 2001 20:46 > >An: [EMAIL PROTECTED] > >Betreff: Re: OT: Enable secret hacking [7:23670] > > > > > >Gareth, > >I create an "enable secret" password on a Cisco router 2610 > with the > >password as you mentioned "kittens". Remember this is an MD5 > encrypted > >string ($1$Em47$DEsFfXv/Px6y/cEmjMwfE0). You know what, I > take this > >string > >and use the program called "john the ripper" running on my > linux box to > >crack it. This linux is a pentium 200MHz with 64MB of RAM. > It takes > >exactly 5 minutes to crack this password. I would imagine for > longer > >"enable secret" password, it takes longer but not as difficult > as it > >sounds. > > > >Regards, > -Carroll Kong > > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23769&t=23670 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]