[dba-Tech] [dba-OT] Cross post - Password security

Jim Lawrence accessd at shaw.ca
Thu Aug 11 09:32:14 CDT 2011


Here is some info on rainbow tables, which are used in the algorithms to
crack password hashes:

http://en.wikipedia.org/wiki/Rainbow_table

This method can crack a 12-character Access password in about 3 seconds
using a standard desktop. After that, resources and processing requirements
start going up exponentially. A 20-character password is supposed to be
virtually uncrackable.

If you are managing your own passwords or login:

"Defense against rainbow tables

A rainbow table is ineffective against one-way hashes that include salts.
For example, consider a password hash that is generated using the following
function (where "." is the concatenation operator):

saltedhash(password) = hash(password.salt)

Or

saltedhash(password) = hash(hash(password).salt)

The salt value is not secret and may be generated at random and stored with
the password hash. A large salt value prevents precomputation attacks,
including rainbow tables, by ensuring that each user's password is hashed
uniquely. This means that two users with the same password will have
different password hashes (assuming different salts are used)."

If you want to play with Rainbow tables check the following out:

http://www.freerainbowtables.com/

...and here is the best 'free' demo for hacking against your old XP and
Vista/Windows7 box:

http://ophcrack.sourceforge.net/tables.php

Jim

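The two salted forms quoted above, worked through as an added example (my code, not from the Wikipedia article or the list archive): a tiny constructed dictionary of unsalted SHA-256 digests stands in for a precomputed rainbow table, and the same lookup is tried against salted records. SHA-256 as the underlying hash and a 16-byte random salt are my assumptions; the page names neither.

```python
import hashlib
import secrets

# Constructed stand-in for a precomputed (rainbow) table: digest -> password.
# Any unsalted digest of a listed password is recovered by a single lookup.
COMMON_PASSWORDS = ["password", "letmein", "aaaaaaaa", "aA4!aaaa"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_hash(password: str) -> str:
    # hash(password) with no salt: identical input always gives identical digest.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # saltedhash(password) = hash(password . salt), as in the quoted text.
    return hashlib.sha256(password.encode() + salt).hexdigest()


def new_record(password: str) -> dict:
    # The salt is random and not secret; it is stored next to the hash.
    salt = secrets.token_bytes(16)  # 16 bytes is an assumed size
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    # Recompute with the stored salt and compare in constant time.
    expected = salted_hash(password, bytes.fromhex(record["salt"]))
    return secrets.compare_digest(expected, record["hash"])


def table_lookup(digest: str):
    # Precomputation attack: succeeds only if the digest was tabulated in advance.
    return PRECOMPUTED.get(digest)


if __name__ == "__main__":
    pw = "aaaaaaaa"
    print(table_lookup(unsalted_hash(pw)))        # found in the table
    rec_a, rec_b = new_record(pw), new_record(pw)
    print(rec_a["hash"] != rec_b["hash"])          # same password, different hashes
    print(table_lookup(rec_a["hash"]))             # None: the table does not apply
    print(verify(pw, rec_a), verify("wrong", rec_a))
```

For a production login store, a deliberately slow password hash such as bcrypt, scrypt or Argon2 is preferred to a single SHA-256 pass; the salting logic shown here is the same.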

-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Stuart McLachlan
Sent: Wednesday, August 10, 2011 3:27 PM
To: 'Off Topic'; 'Discussion of Hardware and Software issues'
Subject: Re: [dba-Tech] [dba-OT] Cross post - Password security

An interesting difference of opinion between the two.  I go along with xkcd.

"aA4!aaaa" is no more secure than "aaaaaaaa" as long as there is the
*potential* for the password to contain uppercase, digits and special
characters.

   
-- 
Stuart


On 10 Aug 2011 at 22:37, Jon Tydda wrote:

> That's what I posted on my wall that the GRC one was a reply to :-)
> 
> 
> Jon 
> 
> -----Original Message-----
> From: dba-ot-bounces at databaseadvisors.com
> [mailto:dba-ot-bounces at databaseadvisors.com] On Behalf Of Stuart McLachlan
> Sent: 10 August 2011 22:24
> To: 'Off Topic'; 'Discussion of Hardware and Software issues'
> Subject: Re: [dba-OT] [dba-Tech] Cross post - Password security
> 
> Talk about co-incidence.  Today's xkcd: 
> 
> http://xkcd.com/936/
> 
> 
> 
> --
> Stuart
> 
> On 10 Aug 2011 at 20:57, Jon Tydda wrote:
> 
> > Hi all
> > 
> > Someone just posted this on my wall on facebook, and it looks
> > really interesting, thought I'd share it.
> > 
> > https://www.grc.com/haystack.htm
> > 
> > 
> > Jon
> > _______________________________________________
> > dba-Tech mailing list
> > dba-Tech at databaseadvisors.com
> > http://databaseadvisors.com/mailman/listinfo/dba-tech
> > Website: http://www.databaseadvisors.com
> > 
> 
> 
> 
> _______________________________________________
> dba-OT mailing list
> dba-OT at databaseadvisors.com
> http://databaseadvisors.com/mailman/listinfo/dba-ot
> Website: http://www.databaseadvisors.com
> 


