Re: Time-to-crack MD5 passwords

From: Sigbjørn Lund Olsen (sigbjorn_at_lundolsen.net)
Date: 04/23/04

Next message: Bill Unruh: "Re: Time-to-crack MD5 passwords"
Date: Fri, 23 Apr 2004 23:20:05 +0200


    Mike Bell wrote:

    > I suspect that I, like most people replying, won't exactly answer the
    > original question of how long brute-forcing md5-hashed passwords will
    > take...
    >
    > "Sigbjørn Lund Olsen" <sigbjorn@lundolsen.net> wrote in message
    > news:kybhc.7791$px6.110683@news2.e.nsc.no...
    >
    >>I'm currently in a bit of a debate with a web hosting company I am a
    >>customer of, regarding the length of passwords. They limit the length of
    >>passwords to under 8 letters on grounds of some client applications not
    >>being capable of handling more. They claim, furthermore, that cracking
    >>an 8-letter md5 hashed password would take much too long to be relevant.
    >
    > They are probably right, in the sense that allowing more letters may not
    > significantly increase security. Brute forcing passwords probably isn't
    > the weakest link:
    >
    > Are the encrypted passwords available to crack offline? If so, a
    > dictionary attack can be launched to find any weak passwords (rather than
    > a brute force attack against a single account).

    Well, no, they shouldn't be. But cockups happen, as we know. Only last
    Sunday did I show the IT manager of my stock market trust company where
    they'd left a database login out in the open.

    I realise there are many ways *my* data could be compromised in an
    attack, a number of which I can't do anything about as long as I'm
    depending on someone else to secure the framework, so to speak. But a
    fundamental idea when it comes to security (offline or online) is that
    depending on one system is folly - and to some extent computer systems
    are built with multitier security. I'd hate a certain aspect to be
    neglected simply because another 'can be relied upon'. It may seem a
    little thin in terms of arguments, but the boot point is: I do not feel
    particularly comfortable with my current password being as weak as it is
    currently, and had I the choice I'd like it to be longer.

    > Are there any measures taken to prevent the use of weak passwords? Are
    > users encouraged to use word/number/punctuation combinations? Is there
    > a minimum password length?

    Yes, 6 characters minimum, minimum one lowercase, one uppercase and one
    numerical digit in all passwords. Better than most, but hardly very
    stringent. But anyone cracking the passwords would know about these
    rules too.

    > Is that limit really *under* 8 letters, or is it 8 letters, or 8 printable
    > characters? A few orders of magnitude are involved here.

    6 to 8 characters, inclusive.

    > Can an unlimited number of attempts be made to guess a single password?
    > If an account is locked after 10 or 100 guesses, or guesses are limited
    > to 3 in 5 minutes, then even poorly chosen passwords may prove adequate.

    I honestly don't know. I'd hope it's got some sort of sanity check, in
    fact, I've assumed it so far. Clearly, if someone is trying to log on
    100s and 1000s of times, something is wrong. Online attacks aren't my
    main concern though, and it wouldn't have any relevance to this question
    anyway. Bandwidth and the roundtrip latency would likely prove too
    constrictive a bottleneck.

    Cheers,
    Sigbjørn Lund Olsen
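The policy described in this reply (6 to 8 characters, at least one lowercase letter, one uppercase letter and one digit) can be sized exactly, which is what the "orders of magnitude" remark in the quoted question turns on. The following is an added example, not code from the thread; it counts the policy-compliant keyspace by inclusion-exclusion and compares it with the unconstrained 62-symbol space and with 8 printable-ASCII characters. The hash rate is an assumed placeholder, not a figure anyone in the thread gave.

```python
LOWER, UPPER, DIGIT = 26, 26, 10
ALPHABET = LOWER + UPPER + DIGIT   # 62 symbols allowed by the stated policy


def policy_keyspace(n: int) -> int:
    """Number of length-n strings over the 62-symbol alphabet that contain at
    least one lowercase letter, one uppercase letter and one digit.
    Inclusion-exclusion over the three 'class is missing' events; no string
    can miss all three classes, so that term is zero."""
    if n < 3:
        return 0
    no_lower = (UPPER + DIGIT) ** n
    no_upper = (LOWER + DIGIT) ** n
    no_digit = (LOWER + UPPER) ** n
    no_lower_no_upper = DIGIT ** n
    no_lower_no_digit = UPPER ** n
    no_upper_no_digit = LOWER ** n
    return (ALPHABET ** n
            - (no_lower + no_upper + no_digit)
            + (no_lower_no_upper + no_lower_no_digit + no_upper_no_digit))


def total_keyspace(min_len: int, max_len: int, constrained: bool = True) -> int:
    """Sum over every permitted length, with or without the composition rule."""
    return sum(policy_keyspace(n) if constrained else ALPHABET ** n
               for n in range(min_len, max_len + 1))


def seconds_to_exhaust(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time is half this."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed MD5 rate in hashes/second (placeholder, not from the thread)
    for label, space in [
        ("6-8 chars, policy-compliant only", total_keyspace(6, 8)),
        ("6-8 chars, any of 62 symbols", total_keyspace(6, 8, constrained=False)),
        ("exactly 8 printable ASCII (95^8)", 95 ** 8),
    ]:
        days = seconds_to_exhaust(space, rate) / 86400
        print(f"{label:36s} {space:.3e} candidates  ~{days:,.0f} days at {rate:.0e} H/s")
```

Requiring one of each class removes only about a quarter of the 8-character 62-symbol space, while moving from 62 symbols to 95 printable characters gains more than a factor of 30, so the symbol set and the length bound matter far more than the composition rule.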
