RE: john the ripper

From: Charles Clancy (clancywww.missl.cs.umd.edu)
Date: Sun Dec 14 2003 - 13:03:17 CST


If you're introducing a smartcard, you might as well just use public-key
authentication.

[ t. charles clancy ]--[ tccumd.edu ]--[ www.cs.umd.edu/~clancy ]

On Wed, 10 Dec 2003, Jason Watson wrote:

> Hi people,
>
> For a few years I have had this idea in my head about a secure(r)
> authentication system to that of telling the user the password. My system
> is basically still a password system but it uses a key-card to access (there
> are several of these systems out there). The password is then stored by PGP
> (GnuPGP) in a 1024 bit hash. Every day at a "random" time the password server
> sends a new (encrypted of course) key to the card reader which stores the
> new password on its magnetic strip. Every time the password is read a new
> password is sent. This would easily allow for 1000 character passwords, in
> turn increasing system security dramatically. Passwords alone are never
> going to secure systems but every little bit helps.
>
> Kind regards,
>
> Jason Watson.
>
> >Okay, I hear what you're saying about the amount of time being used and
> >all... but..
> >
> >If your users are like the ones I've seen, that "reasonably strong"
> >password (such as &Y6N8gg0 -- presumably strong) is just going to get
> >written down on a sticky tab and put on the user's monitor or under their
> >keyboard. The point is, while you've done a great job creating a strong
> >keyspace which is difficult to break, I may open up a bigger problem.
> >The goal is to get through the proverbial wall. Whether I do that by
> >breaking through the bricks or scaling it or just going around, it
> >doesn't really matter to me. If I make the wall thicker, that just
> >moves the problem -- I'm still interested in getting to the other side,
> >and I know I won't be able to break through it, so off I go to find a
> >different solution...
> >
> >Just my thoughts.
> >
> >
> >-----Original Message-----
> >From: Benjamin Tomhave [mailto:falconsecureconsulting.net]
> >Sent: Monday, December 08, 2003 10:58 AM
> >To: pen-testsecurityfocus.com
> >Subject: RE: john the ripper
> >
> >Scary numbers...so, semi-drifting question: how long is an "acceptable"
> >length of time to run a cracker before pronouncing that uncracked passwords
> >are "reasonably strong and well-chosen"?
> >
> > > -----Original Message-----
> > > From: Mike [mailto:myname17bellsouth.net]
> > > Sent: Monday, December 08, 2003 3:45 AM
> > > To: Giacomo; pen-testsecurityfocus.com
> > > Subject: Re: john the ripper
> > >
> > >
> > > I recently did a little research on this, and if the password was well
> > > chosen you will not find the password.
> > >
> > > An 8 character password, based on a 72 character set (26 lower case
> > > letters, 26 uppercase letters, 10 digits, and 10 special characters)
> > > results in 72^8 or 7.2x10^14 possible passwords. My reference PC was only
> > > able to crack at 1500c/s. Doing the math reveals that 150,000 years would
> > > be required to crack all combinations, or 75,000 years on average. For a
> > > 12 character password the result was 2,000,000,000,000 years.
> > >
> > > If my math is wrong, please break it to me gently.
> > >
> > > Mike
> > >
> > > On Tuesday 02 December 2003 10:52 am, Giacomo wrote:
> > > > Hi all
> > > >
> > > > I am trying to crack cisco md5 password.
> > > > Currently I am using an Athlon XP2500barton at 2300mhz, after 17 days
> > > > john continues to crack at 3800c/s (it started at 4500c/s).
> > > > I am asking myself and all of you what is the best system (hardware) to
> > > > crack md5 password.
> > > > I am thinking that the best way is the powerful (mhz) i386 in commerce.
> > > > I've tried OpenMosix with 4 p500 nodes with john and cisilia, but
> > > > without lucky results.
> > > > The sun 280 (dual 64bits cpu at 900mhz) goes to a poor 900c/s
> > > >
> > > > which is your reference system to use john on md5 password ?
> > > >
> > > > Giacomo
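
Added example (not part of the original thread): the keyspace arithmetic discussed above, extended to ask what a cracking run of a given length actually rules out when auditing passwords. It assumes a pure exhaustive search in length order at a constant rate, which is a simplification of how john orders its candidates; all function names are illustrative.

```python
"""Exhaustive-search coverage estimates for a password audit (added example)."""

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY  # Julian year


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Years needed to try every password of exactly `length` at `rate` c/s."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_YEAR


def max_length_covered(charset_size: int, rate: float, days: float) -> int:
    """Longest L such that every password of length 1..L fits in the run.

    Assumption: candidates are tried shortest-first, each exactly once.
    """
    budget = int(rate * days * SECONDS_PER_DAY)
    tried, length = 0, 0
    while tried + keyspace(charset_size, length + 1) <= budget:
        length += 1
        tried += keyspace(charset_size, length)
    return length


def fraction_covered(charset_size: int, length: int, rate: float, days: float) -> float:
    """Share of the exact-length keyspace a run can try, capped at 1.0."""
    tried = rate * days * SECONDS_PER_DAY
    return min(1.0, tried / keyspace(charset_size, length))


if __name__ == "__main__":
    charset = 72  # 26 lower + 26 upper + 10 digits + 10 specials, as in the thread
    for length in (6, 8, 12):
        print(f"len {length:2}: {keyspace(charset, length):.3e} candidates, "
              f"{years_to_exhaust(charset, length, 1500):.3e} years at 1500 c/s")
    # The 17-day run at 3800 c/s mentioned in the thread:
    print("lengths fully covered:", max_length_covered(charset, 3800, 17))
    print("share of 8-char space:", f"{fraction_covered(charset, 8, 3800, 17):.2e}")
```

A run that finds nothing only shows that passwords inside the covered portion are absent; it says nothing about the rest of the keyspace.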