Re: [Full-Disclosure] Senior M$ member says stop using passwords completely!
From: Tim (tim-security_at_sentinelchicken.org)
To: Micheal Espinola Jr <email@example.com>
Date: Sat, 16 Oct 2004 20:25:04 -0400
Hello Mr Espinola,
> That much is obvious. Read the full article, do a little
> background research and get back to us when you reach a more sensible
The reason for my post was to point out that Mr. Hensing doesn't appear
to be a reliable source of information on the topic of passwords and
hash security. If you haven't come to the same conclusion, perhaps you
should do more homework yourself.
> Reactionary conclusions based on obvious article 'skimming' make it
> apparent you didn't do your homework before posting.
Pardon me for my reactionary style. I am merely frustrated by M$'s
irresponsible business practices, and their unwillingness to correct the
problems that they make for every internet user (not just Windows users).
> FWIW I have used "rainbow" tables for dictionary-styled attacks for
> about 7 years now. There have been available CLI-based tools for
> generating dictionary lists using different character sets for the
> better part of the past 10 years. There are also many dictionary
> lists in multiple languages available on many university public FTP
> sites to build and extend your own from.
Your point? I agree that these have been around a while, but even if
they have been, it shouldn't change the fact that a hash is either
secure or it isn't, for the level of computation possible by today's
computers. Yes, good passwords are always a must, along with a good
hash, but what he defines as good is a joke. I mean really, how many
bits of entropy are in an English sentence? Last I heard, about 1 to
1.5 bits per character.
Mr. Hensing comes across as (if I may paraphrase): "You foolish users,
why aren't you using secure passphrases??? 8-character passwords just
aren't good enough because all of these big nasty hackers have great
cracking tools!!!" Which, of course, is horseshit.
You ever tried building a rainbow table for salted SHA? How much disk
you got? Let's see... for 8-character alphanumerics w/ 10 special
characters, on a 14-bit salt, you'll need around
(46^8)*(7+20)*(2^14) ~= 8868422 terabytes
Do let me know if I fudged on any of those off-the-napkin calculations.
So, the moral of the story is, he doesn't know what he is talking about.
Feel free to defend him, but I am not posting any more on this topic.
Full-Disclosure - We believe in it.
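The storage estimate in the post above (charset^length entries, times the per-entry size, times 2^salt-bits) is easy to model, and the reason a salt has that effect is easy to show on a toy keyspace. The following is an added example, not code from the post or from any Microsoft tooling. It reproduces the napkin formula with the post's own figures (46-character set, 8 characters, 27 bytes per entry, 14-bit salt), then builds a tiny SHA-1 lookup table over a constructed 3-digit space to show that a table precomputed for unsalted hashes is useless against salted ones, and that covering the salt multiplies the table by 2^salt_bits. The toy parameters (digits only, length 3, 8-bit salt) are assumptions chosen so it runs in well under a second.

```python
import hashlib
import itertools
import math
import string

# Per-entry size used in the post's estimate: 7-byte chain index + 20-byte SHA-1 digest.
ENTRY_BYTES = 7 + 20

# Constructed toy keyspace (assumption, not from the post): 10^3 = 1000 candidates.
TOY_CHARSET = string.digits
TOY_LENGTH = 3
TOY_SALT_BITS = 8


def table_entries(charset_size: int, length: int, salt_bits: int = 0) -> int:
    """Number of (salt, password) pairs a full precomputed table must cover."""
    return charset_size ** length * 2 ** salt_bits


def table_bytes(charset_size: int, length: int, salt_bits: int = 0,
                entry_bytes: int = ENTRY_BYTES) -> int:
    """Storage for a full table: entries * bytes per entry (the post's formula)."""
    return table_entries(charset_size, length, salt_bits) * entry_bytes


def random_password_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset)."""
    return length * math.log2(charset_size)


def passphrase_bits(n_chars: int, bits_per_char: float) -> float:
    """Entropy of natural-language text at a given bits-per-character rate."""
    return n_chars * bits_per_char


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def salted_sha1_hex(salt: bytes, password: bytes) -> str:
    """Toy salted construction: H(salt || password). Illustrative only."""
    return sha1_hex(salt + password)


def candidates(charset: str, length: int):
    for chars in itertools.product(charset, repeat=length):
        yield "".join(chars)


def build_unsalted_table(charset: str, length: int) -> dict:
    """Precompute digest -> password once; reusable against every unsalted hash."""
    return {sha1_hex(pw.encode()): pw for pw in candidates(charset, length)}


def build_salted_table(charset: str, length: int, salt_bits: int) -> dict:
    """Same precomputation, but every salt value must be enumerated as well,
    so the table is 2**salt_bits times larger. Keyed by (salt, digest)."""
    salt_len = (salt_bits + 7) // 8
    table = {}
    for salt_int in range(2 ** salt_bits):
        salt = salt_int.to_bytes(salt_len, "big")
        for pw in candidates(charset, length):
            table[(salt, salted_sha1_hex(salt, pw.encode()))] = pw
    return table


def lookup_unsalted(table: dict, digest_hex: str):
    return table.get(digest_hex)


def lookup_salted(table: dict, salt: bytes, digest_hex: str):
    return table.get((salt, digest_hex))


if __name__ == "__main__":
    # The post's estimate: 46-char set, 8 chars, 14-bit salt, 27 bytes/entry.
    print("post's estimate:", table_bytes(46, 8, 14) // 10**12, "TB (decimal)")
    print("same table, no salt:", table_bytes(46, 8, 0) // 10**12, "TB")
    print("random 8-char/46-set:", round(random_password_bits(46, 8), 1), "bits")
    print("30-char English sentence at 1-1.5 bits/char:",
          passphrase_bits(30, 1.0), "to", passphrase_bits(30, 1.5), "bits")

    unsalted = build_unsalted_table(TOY_CHARSET, TOY_LENGTH)
    salted = build_salted_table(TOY_CHARSET, TOY_LENGTH, TOY_SALT_BITS)
    salt = b"\x05"  # constructed salt value
    print("unsalted table finds '042':", lookup_unsalted(unsalted, sha1_hex(b"042")))
    print("unsalted table vs salted hash:",
          lookup_unsalted(unsalted, salted_sha1_hex(salt, b"042")))
    print("salted table size / unsalted:", len(salted) // len(unsalted))
```

The two table builders differ only in the salt loop, which is the whole point: the work an attacker does once for unsalted hashes has to be redone per salt value, so the per-salt cost multiplier is exactly 2^salt_bits. The numbers printed for the post's parameters agree with its 8868422 TB figure.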