RE: john the ripper

From: Jason Watson (penscan_at_hotmail.com)
Date: 12/10/03

    To: pen-test@securityfocus.com
    Date: Wed, 10 Dec 2003 15:49:43 +1300
    
    

    Hi people,

    For a few years I have had this idea in my head about a secure(r)
    authentication system to that of telling the user the password. My system
    is basically still a password system but it uses a key-card to access (there
    are several of these systems out there). The password is then stored by PGP
    (GnuPGP) in a 1024 bit hash. Every day at a "random" time the password server
    sends a new (encrypted of course) key to the card reader, which stores the
    new password on its magnetic strip. Every time the password is read a new
    password is sent. This would easily allow for 1000 character passwords, in
    turn increasing system security dramatically. Passwords alone are never
    going to secure systems but every little bit helps.

    Kind regards,

    Jason Watson.

    >Okay, I hear what you're saying about the amount of time being used and
    >all... but..
    >
    >If your users are like the ones I've seen, that "reasonably strong"
    >password (such as &Y6N8gg0 -- presumably strong) is just going to get
    >written down on a sticky tab and put on the user's monitor or under their
    >keyboard. The point is, while you've done a great job creating a strong
    >keyspace which is difficult to break, I may open up a bigger problem.
    >The goal is to get through the proverbial wall. Whether I do that by
    >breaking through the bricks or scaling it or just going around, it
    >doesn't really matter to me. If I make the wall thicker, that just
    >moves the problem -- I'm still interested in getting to the other side,
    >and I know I won't be able to break through it, so off I go to find a
    >different solution...
    >
    >Just my thoughts.
    >
    >
    >-----Original Message-----
    >From: Benjamin Tomhave [mailto:falcon@secureconsulting.net]
    >Sent: Monday, December 08, 2003 10:58 AM
    >To: pen-test@securityfocus.com
    >Subject: RE: john the ripper
    >
    >Scary numbers...so, semi-drifting question: how long is an "acceptable"
    >length of time to run a cracker before pronouncing that uncracked passwords
    >are "reasonably strong and well-chosen"?
    >
    > > -----Original Message-----
    > > From: Mike [mailto:myname17@bellsouth.net]
    > > Sent: Monday, December 08, 2003 3:45 AM
    > > To: Giacomo; pen-test@securityfocus.com
    > > Subject: Re: john the ripper
    > >
    > >
    > > I recently did a little research on this, and if the password was well
    > > chosen you will not find the password.
    > >
    > > An 8 character password, based on a 72 character set (26 lower case letters,
    > > 26 uppercase letters, 10 digits, and 10 special characters) results in 72^8
    > > or 7.2x10^14 possible passwords. My reference PC was only able to crack at
    > > 1500c/s. Doing the math reveals that 150,000 years would be required to
    > > crack all combinations, or 75,000 years on average. For a 12 character
    > > password the result was 2,000,000,000,000 years.
    > >
    > > If my math is wrong, please break it to me gently.
    > >
    > > Mike
    > >
    > > On Tuesday 02 December 2003 10:52 am, Giacomo wrote:
    > > > Hi all
    > > >
    > > > I am trying to crack a Cisco MD5 password.
    > > > Currently I am using an Athlon XP2500 Barton at 2300 MHz; after 17 days
    > > > john continues to crack at 3800c/s (it started at 4500c/s).
    > > > I am asking myself and all of you what is the best system (hardware) to
    > > > crack MD5 passwords.
    > > > I am thinking that the best way is the powerful (MHz) i386 in commerce.
    > > > I've tried OpenMosix with 4 p500 nodes with john and cisilia, but
    > > > without lucky results.
    > > > The Sun 280 (dual 64-bit CPU at 900 MHz) goes to a poor 900c/s.
    > > >
    > > > Which is your reference system to use john on MD5 passwords?
    > > >
    > > > Giacomo
    >
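The keyspace arithmetic discussed in this thread, as an added worked example that is not part of any poster's message: it computes worst-case and average exhaustive-search time for a character-set size, length and guess rate, and generalises to the inverse question of how long a password must be to hold for a target number of years. The function names and the 365.25-day year are assumptions made here; the 72-character set and the 1500, 3800 and 4500 c/s rates are the ones quoted above.

```python
"""Exhaustive-search time estimates for password policy sizing.

Models uniformly random passwords only; passwords found by a wordlist
or rule set fall far sooner and are not covered by this arithmetic.
"""
import math

SECONDS_PER_YEAR = 31_557_600  # assumption: 365.25-day year


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case years to try every candidate; the average is half of this."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def min_length(charset_size, guesses_per_second, target_years):
    """Shortest length whose average search time is at least target_years."""
    needed = math.ceil(2 * guesses_per_second * SECONDS_PER_YEAR * target_years)
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


def report(charset_size, lengths, rates):
    """Rows of (length, rate, worst-case years, average years)."""
    rows = []
    for length in lengths:
        for rate in rates:
            worst = years_to_exhaust(charset_size, length, rate)
            rows.append((length, rate, worst, worst / 2))
    return rows


if __name__ == "__main__":
    # Guess rates quoted in the thread: 1500, 3800 and 4500 c/s.
    for length, rate, worst, avg in report(72, (6, 8, 10, 12), (1500, 3800, 4500)):
        print(f"len={length:2d} rate={rate:5d} c/s worst={worst:.3g} y avg={avg:.3g} y")
    print("min length for a 150,000-year average at 1500 c/s:",
          min_length(72, 1500, 150_000))
```
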
