Mailinglist Archive: opensuse-security (601 mails)

crypt passwords
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Fri, 18 Aug 2000 15:41:59 -0600
  • Message-id: <004a01c0095d$246b6380$6900030a@xxxxxxxxxxxx>
Salts: 4096 (64x64)

Lookup table entries (password candidates x 4096 salts) by password length:

Character set                          Size  1       2         3           4            5            6            7            8            9
a-z                                     26   106496  2768896   71991296    1871773696   48666116096  1.26532E+12  3.28983E+13  8.55356E+14  2.22392E+16
a-z, A-Z                                52   212992  11075584  575930368   29948379136  1.55732E+12  8.09804E+13  4.21098E+15  2.18971E+17  1.13865E+19
a-z, A-Z, 0-9                           62   253952  15745024  976191488   60523872256  3.75248E+12  2.32654E+14  1.44245E+16  8.94321E+17  5.54479E+19
a-z, A-Z, 0-9, shift0-9                 72   294912  21233664  1528823808  1.10075E+11  7.92542E+12  5.7063E+14   4.10854E+16  2.95815E+18  2.12987E+20
a-z, A-Z, 0-9, shift0-9, punctuation    94   385024  36192256  3402072064  3.19795E+11  3.00607E+13  2.82571E+15  2.65616E+17  2.49679E+19  2.34699E+21

Storage in terabytes (entries / 1E+12) by password length:

Character set                          1            2            3            4            5            6            7            8            9
a-z                                    1.06496E-07  2.7689E-06   7.19913E-05  0.001871774  0.048666116  1.265319018  32.89829448  855.3556565  22239.24707
a-z, A-Z                               2.12992E-07  1.10756E-05  0.00057593   0.029948379  1.557315715  80.98041718  4210.981694  218971.0481  11386494.5
a-z, A-Z, 0-9                          2.53952E-07  1.5745E-05   0.000976191  0.060523872  3.75248008   232.653765   14424.53343  894321.0725  55447906.49
a-z, A-Z, 0-9, shift0-9                2.94912E-07  2.12337E-05  0.001528824  0.110075314  7.925422621  570.6304287  41085.39087  2958148.142  212986666.2
a-z, A-Z, 0-9, shift0-9, punctuation   3.85024E-07  3.61923E-05  0.003402072  0.319794774  30.06070876  2825.706623  265616.4226  24967943.72  2346986710

So a password of 6 characters using only a-z would require ~1.2 terabytes
to store it, not too bad. A password of 6 characters with a-z, A-Z, 0-9 would
require ~230 terabytes (poetic license taken for database
storage/indexes/compression/etc). The moral of the story: you need to
protect the password file, since an attacker can glean the salt used from
it, reducing their workload considerably (by a factor of 4096). You also
need to make users choose strong passwords; if they choose a word you are
probably up the creek: taking a dictionary with 4 million words (i.e. almost
all words, names, etc, including foreign languages) you can hit a lot of
passwords. In tests I have seen, usually 1-5% of passwords are set to the
username, system default, or something like "password", meaning an attacker
can get their foot in the door easily.

The "problem" with crypt is it is relatively "cheap" to run through
combinations/etc. MD5 and Blowfish provide a much stronger one way hash and
the attacker will need a lot more time to generate a lookup database or
brute force them. I.e. it mush less harmful if someone steals the
/etc/shadow from my OpenBSD box (which uses blowfish) as opposed to a
crypt'ed password file off a SuSE box. Now I need to eat breakfast.

Kurt Seifried
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
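An added worked example (not part of Kurt's post) that reproduces the arithmetic behind the tables above in Python: candidate passwords times the 4096 crypt(3) salts, the post's entries/1E+12 "terabyte" figure, and the factor by which a salt read from the password file shrinks the work. The character set names, the 4096 salts and the 1E+12 divisor come from the post; the per-entry byte size and the 4-million-word dictionary helper are assumed parameters.

```python
# Added example, not from the original post. Reproduces the keyspace and
# storage figures in Kurt's tables for salted crypt(3) lookup tables.

SALT_SYMBOLS = 64                 # crypt(3) salt alphabet: [a-zA-Z0-9./]
SALT_SPACE = SALT_SYMBOLS ** 2    # two salt characters -> 4096 salts

# Character set sizes as used in the post's tables.
CHARSETS = {
    "a-z": 26,
    "a-z, A-Z": 52,
    "a-z, A-Z, 0-9": 62,
    "a-z, A-Z, 0-9, shift0-9": 72,
    "a-z, A-Z, 0-9, shift0-9, punctuation": 94,
}


def candidates(charset_size, length):
    """Distinct passwords of exactly `length` characters."""
    return charset_size ** length


def lookup_entries(charset_size, length, salts=SALT_SPACE):
    """Entries a precomputed table needs to cover every (salt, password)."""
    return candidates(charset_size, length) * salts


def terabytes(entries, bytes_per_entry=1):
    """The post's 'poetic license' figure: entries / 1E+12.
    bytes_per_entry is an assumed knob for a less optimistic estimate."""
    return entries * bytes_per_entry / 1e12


def salt_known_factor(charset_size, length, salts=SALT_SPACE):
    """How much smaller the search is once the salt is read from the file:
    the attacker only needs candidates(), not candidates() * salts."""
    return lookup_entries(charset_size, length, salts) // candidates(
        charset_size, length)


def dictionary_entries(words=4_000_000, salts=SALT_SPACE):
    """Salted table for a word list (assumed 4 million words, as in the post)."""
    return words * salts


def table(max_len=9):
    """Rebuild the post's first table: {charset name: [entries for len 1..9]}."""
    return {name: [lookup_entries(size, n) for n in range(1, max_len + 1)]
            for name, size in CHARSETS.items()}
```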


