Re: Time-to-crack MD5 passwords
From: Mike Bell (mbell.removethisbit_at_albionresearch.com)
Date: 04/21/04
- Next message: phn_at_icke-reklam.ipsec.nu: "Re: Cracking decrypted file when knowing partial contents"
- Previous message: Alan Connor: "Re: incoming mail without information in the from, to, subject fields"
- In reply to: Sigbjørn Lund Olsen: "Time-to-crack MD5 passwords"
- Next in thread: Sigbjørn Lund Olsen: "Re: Time-to-crack MD5 passwords"
- Reply: Sigbjørn Lund Olsen: "Re: Time-to-crack MD5 passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 21 Apr 2004 11:37:29 -0400
I suspect that I, like most people replying, won't exactly answer the
original question of how long brute-forcing md5-hashed passwords will
take...

"Sigbjørn Lund Olsen" <sigbjorn@lundolsen.net> wrote in message
news:kybhc.7791$px6.110683@news2.e.nsc.no...
> I'm currently in a bit of a debate with a web hosting company I am a
> customer of, regarding the length of passwords. They limit the length of
> passwords to under 8 letters on grounds of some client applications not
> being capable of handling more. They claim, furthermore, that cracking
> an 8-letter md5 hashed password would take much too long to be relevant.

They are probably right, in the sense that allowing more letters may not
significantly increase security. Brute forcing passwords probably isn't
the weakest link:

Are the encrypted passwords available to crack offline? If so, a
dictionary attack can be launched to find any weak passwords (rather than
a brute force attack against a single account).

Are there any measures taken to prevent the use of weak passwords? Are
users encouraged to use word/number/punctuation combinations? Is there
a minimum password length?

Is that limit really *under* 8 letters, or is it 8 letters, or 8 printable
characters? A few orders of magnitude are involved here.

Can an unlimited number of attempts be made to guess a single password?
If an account is locked after 10 or 100 guesses, or guesses are limited
to 3 in 5 minutes, then even poorly chosen passwords may prove adequate.
-- Mike --
-- Michael Z. Bell Albion Research Ltd. http://www.albionresearch.com/
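
Added example (not part of the message above): a short Python calculation of the keyspace for the three readings of the limit raised in the reply, and the worst-case time to exhaust each one offline versus under the "3 in 5 minutes" throttle. The offline rate of 1e9 guesses per second, the 26-letter single-case alphabet and the 95-character printable ASCII set are assumptions chosen for illustration, and passwords are modelled as uniformly random, so dictionary-weak choices are not covered.

```python
# Added example: keyspace and exhaustion time for the three readings of the limit.
LETTERS = 26      # ASSUMPTION: a-z only, one case
PRINTABLE = 95    # ASSUMPTION: printable ASCII, space through tilde

THROTTLED_RATE = 3 / (5 * 60)   # "3 in 5 minutes" from the post, in guesses/second
OFFLINE_RATE = 1e9              # ASSUMPTION: illustrative offline MD5 rate, not from the post

def keyspace(alphabet, max_len, min_len=1):
    """Count every password of min_len..max_len characters over the alphabet."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def exhaust_seconds(space, rate):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate

def lockout_coverage(space, guesses_allowed):
    """Fraction of a uniformly random keyspace reachable before lockout."""
    return min(1.0, guesses_allowed / space)

POLICIES = {
    "under 8 letters (max 7)": keyspace(LETTERS, 7),
    "8 letters": keyspace(LETTERS, 8),
    "8 printable characters": keyspace(PRINTABLE, 8),
}

def report():
    """One row per policy: name, size, offline time, throttled time, lockout coverage."""
    return [(name, space,
             humanize(exhaust_seconds(space, OFFLINE_RATE)),
             humanize(exhaust_seconds(space, THROTTLED_RATE)),
             lockout_coverage(space, 100))
            for name, space in POLICIES.items()]

if __name__ == "__main__":
    for name, space, offline, online, cover in report():
        print(f"{name:26} {space:.2e} candidates | offline {offline} | "
              f"throttled {online} | 100-guess lockout covers {cover:.1e}")
```
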