Not to bicker, but the resources needed to use a database of all possible passwords, even with alphanumerics and salted, are very finite -- albeit large.
OpenBSD blowfish hashes have 16 bytes of salt, so a database of these
will not be feasible for a while.
I agree that for all but those with the most powerful computing environments this is not something they are going to accomplish.
My point really was to clarify that infinite and finite should be used appropriately, and that intractable and uncomputable also are not the same. Sometimes these conversations get long and the words NP-complete, suffering the halting problem and an infinite search space should be used carefully. It makes our communications between ourselves that much more effective and accurate.
You are right on that the feasibility of all but the most well-funded adversaries can accomplish this, but it is not NP-complete, uncomputable, or subject to the halting problem. It is just very, very difficult. I like the word feasible; the only improvement I would say is to state feasible for whom. For any major corporation it is feasible, for drug cartels it is feasible, for foreign governments, the NSA, and a few others it is feasible, but expensive. For any normal person, small company, hacker, cracker, activist, hoodlum, or deranged person it is not feasible or likely.
I know that we are not going to attempt this in the next 3-5 years. We study hash collisions, but your problem above is above our financial capacity or need. We mainly deal with the issues related to login() and the use of MD5.
If your adversary is the NSA I would not rest assured that it can't already happen.
CU
Chet Uber
President and Principal Scientist
SecurityPosture, Inc.
3718 N 113th Plaza, Omaha, NE 68164
vox +1 (402) 505-9684 | fax +1 (402) 932-2130 | cell (402) 813-3211
[EMAIL PROTECTED] | www.securityposture.com
--------------------------------------------------------
'It is vain to do with more what can be done with fewer'
--------------------------------------------------------
-- This communication is confidential to the parties it was intended
to serve --
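The point above about a 16-byte salt making a precomputed table infeasible can be made concrete. The following is an added example (not part of the original thread or any poster's code): it counts the entries a full precomputed table would need for a given password space and salt size, and shows an unsalted lookup table failing against a salted hash. SHA-256 stands in for bcrypt only because it is in the standard library; the wordlist is constructed.

```python
import hashlib
import secrets

# Constructed sample wordlist standing in for a candidate-password list.
WORDLIST = ["password", "letmein", "hunter2", "correcthorse"]


def table_entries(charset_size: int, max_len: int, salt_bytes: int) -> int:
    """Entries a complete precomputed table must hold.

    The password space is the sum of charset_size**n for lengths 1..max_len;
    every distinct salt value multiplies that space, so 16 salt bytes
    (OpenBSD bcrypt) add a factor of 256**16 == 2**128.
    """
    pw_space = sum(charset_size ** n for n in range(1, max_len + 1))
    return pw_space * (256 ** salt_bytes)


def hash_pw(password: str, salt: bytes) -> str:
    # Stand-in for a salted password hash (assumption: sha256, not bcrypt).
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_unsalted_table(words):
    # A precomputed digest -> password map built with no salt at all.
    return {hash_pw(w, b""): w for w in words}


def lookup(table, digest):
    return table.get(digest)


def demo():
    """Return (unsalted_hit, salted_hit) for the same password."""
    table = build_unsalted_table(WORDLIST)
    unsalted_hit = lookup(table, hash_pw("hunter2", b""))
    salt = secrets.token_bytes(16)  # bcrypt-sized random salt
    salted_hit = lookup(table, hash_pw("hunter2", salt))
    return unsalted_hit, salted_hit


if __name__ == "__main__":
    print("8-char alphanumeric, unsalted:", table_entries(62, 8, 0))
    print("8-char alphanumeric, 16-byte salt:", table_entries(62, 8, 16))
    print("unsalted hit, salted hit:", demo())
```

The second `table_entries` figure is the first multiplied by 2**128, which is why the table has to be rebuilt per salt rather than shared across all accounts.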