Re: Time-to-crack MD5 passwords

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 04/24/04


Date: Fri, 23 Apr 2004 22:10:10 +0000 (UTC)


Sigbjørn Lund Olsen <sigbjorn@lundolsen.net> writes:

]Bill Unruh wrote:

]> "Lohkee!" <lohkee@worldnet.att.net> writes:
]>
]>
]> ]"Sigbjørn Lund Olsen" <sigbjorn@lundolsen.net> wrote in message
]> ]news:kybhc.7791$px6.110683@news2.e.nsc.no...
]> ]> I'm currently in a bit of a debate with a web hosting company I am a
]> ]> customer of, regarding the length of passwords. They limit the length of
]> ]> passwords to under 8 letters on grounds of some client applications not
]> ]> being capable of handling more. They claim, furthermore, that cracking
]> ]> an 8-letter md5 hashed password would take much too long to be relevant.
]> ]>
]> ]> I do recall looking at some information for how long it took to crack
]> ]> any crypt() password at some point, and was quite shocked at how fast it
]> ]> could be done. I'm however having trouble finding out how long it would
]> ]> take to brute force any 8-letter md5 hashed password via Google.
]>
]> The md5 passwords do not use just md5. They use a rather complex series
]> of permutation and md5, designed primarily to slow down md5. Thus the
]> md5 password is probably 10-100 times slower than crypt. Otherwise you
]> would just use the same exhaustive search (try all passwords, starting
]> with the most probable). The advantage of the md5 scheme is that you can
]> use an arbitrary length string-- you are not limited to 8 characters.
]> You can use 5983 characters if you want (well, getpass would probably
]> die, but there is nothing in the password scheme which would disallow
]> that)

]Read what I wrote - I know that. The company I am a customer of does too,
]but limits the length regardless due to clients that according to them
]cannot handle more than 8 characters.

Certainly some of the older getpass routines in Linux/unix truncate all
input to 8 characters.
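The "rather complex series of permutation and md5" mentioned above is the md5crypt ($1$) scheme. The following is an added example, not part of this thread, that implements it with hashlib so the 1000-round slowdown and the salt handling can be seen directly; the `verify` helper and its constant-time compare are my addition, and the check value used in the test is the vector published with glibc's md5crypt test.

```python
import hashlib
import hmac

# md5crypt's own 6-bit alphabet (this is not standard base64)
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups, least significant first."""
    out = ""
    for _ in range(count):
        out += chr(ITOA64[value & 0x3F])
        value >>= 6
    return out


def md5crypt(password: str, salt: str) -> str:
    """Return the $1$ hash of password under salt (salt may be a full $1$ string)."""
    pw = password.encode()
    s = salt.encode()
    if s.startswith(MAGIC):
        s = s[len(MAGIC):]
    s = s.split(b"$", 1)[0][:8]          # at most 8 salt characters, stop at '$'

    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    pl = len(pw)                          # mix in one alt byte per password byte
    while pl > 0:
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    i = len(pw)                           # the original's "something really weird" loop
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                 # the deliberate slowdown: 1000 rounds with varying inputs
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(s)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)            # 22 encoded characters in total
    return (MAGIC + s).decode() + "$" + enc


def verify(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in `stored` and compare in constant time."""
    return hmac.compare_digest(md5crypt(password, stored), stored)
```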
