On 19/03/2014 9:30, Anne & Lynn Wheeler wrote:

also
http://en.wikipedia.org/wiki/Password_cracking

things were speeded up some when repositories of tens of thousands
of the most common passwords were published.

some countermeasure
http://en.wikipedia.org/wiki/Salt_%28cryptography%29

The GPU-based tools have supposedly made rainbow tables obsolete. It's easier to just brute force the hash. Salts are no protection against a brute force attack. Another article linked from the original one I posted:

http://codahale.com/how-to-safely-store-a-password/

From that article:

"Rainbow tables, despite their recent popularity as a subject of blog posts, have not aged gracefully. CUDA/OpenCL implementations of password crackers can leverage the massive amount of parallelism available in GPUs, peaking at billions of candidate passwords a second. You can literally test all lowercase, alphabetic passwords which are ≤7 characters in less than 2 seconds. And you can now rent the hardware which makes this possible to the tune of less than $3/hour. For about $300/hour, you could crack around 500,000,000,000 candidate passwords a second.

Given this massive shift in the economics of cryptographic attacks, it simply doesn’t make sense for anyone to waste terabytes of disk space in the hope that their victim didn’t use a salt. It’s a lot easier to just crack the passwords. Even a “good” hashing scheme of SHA2^256(salt ∥ password) is still completely vulnerable to these cheap and effective attacks."

Andrew Rowley

--
and...@blackhillsoftware.com
+61 413 302 386
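A worked cost model for the argument above, added here as an example (not code from the quoted article or from anyone on the thread): it computes the lowercase ≤7-character keyspace the article cites, checks the "under 2 seconds" and "$300/hour" figures against it, and shows that a salt only multiplies the work of precomputing a table, never the work of attacking one stored hash. The 5e9/s rate and the 128-bit salt size are assumptions chosen to match the quoted numbers; the throughput probe at the end is single-core Python, so it only illustrates how far a CPU is from the GPU rates quoted.

```python
import hashlib
import os
import time

LOWERCASE = 26          # alphabet size used in the article's "<=7 lowercase" claim
GPU_RATE_PER_S = 5e9    # assumed: "billions per second", consistent with "<2 s" for <=7 lowercase
RENTED_RATE_PER_S = 5e11  # from the quoted text: ~500,000,000,000/s for about $300/hour
RENTED_USD_PER_HOUR = 300.0


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(space: int, rate_per_s: float) -> float:
    """Wall-clock time to try every candidate once at the given hash rate."""
    return space / rate_per_s


def usd_to_exhaust(space: int, rate_per_s: float, usd_per_hour: float) -> float:
    """Rental cost of exhausting the space at the given rate and hourly price."""
    return seconds_to_exhaust(space, rate_per_s) / 3600.0 * usd_per_hour


def online_attack_work(space: int, salt_bits: int) -> int:
    """Hashes needed to exhaust the space against ONE stored salted hash.
    The salt sits next to the hash, so the attacker knows it: salt_bits is irrelevant."""
    return space


def precomputed_table_work(space: int, salt_bits: int) -> int:
    """Hashes needed to build a table that covers every possible salt value.
    This precomputation cost is the only thing a salt actually raises."""
    return space * (2 ** salt_bits)


def measure_sha256_rate(samples: int = 200_000) -> float:
    """Measured single-core Python rate of SHA2-256(salt || password); constructed probe."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.sha256(salt + b"%07d" % i).digest()
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    space = keyspace(LOWERCASE, 7)
    print(f"lowercase <=7 chars: {space:,} candidates")
    print(f"at {GPU_RATE_PER_S:.0e}/s: {seconds_to_exhaust(space, GPU_RATE_PER_S):.2f} s")
    print(f"rented at {RENTED_RATE_PER_S:.0e}/s: ${usd_to_exhaust(space, RENTED_RATE_PER_S, RENTED_USD_PER_HOUR):.4f}")
    print(f"online work, 128-bit salt: {online_attack_work(space, 128):,} (unchanged)")
    print(f"table covering all 128-bit salts: {precomputed_table_work(space, 128):.3e} hashes")
    print(f"this CPU in Python: {measure_sha256_rate():,.0f} salted SHA-256/s")
```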

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
