Sunday, November 13, 2005

How secure is your password against RainbowCrack Online?

We all know that passwords are not very secure, but we tell ourselves that it is still OK as long as we choose a strong one. The fundamental assumption behind password security is that passwords stored and authenticated as hashes cannot easily be recovered back to plain text. That assumption rests on the one-way property of hash algorithms: computing the hash is cheap, but inverting it is supposed to be infeasible.

When you read in depth about hash algorithms, though, there is one "clause" remarking that password hashes are attackable with a rainbow table. This is not literally a list of every possible plain text next to its hash; it is a time-memory trade-off. The attacker precomputes long chains that alternate between hashing a candidate password and "reducing" the hash back into another candidate password, and stores only the start and end point of each chain. A lookup recomputes a little work to find which chain (if any) contains the target hash, so a comparatively small table covers a huge key space. Of course, you are then told that building such a table is impractical because it takes too many resources, so it seems passwords are still in a pretty safe situation.

But now you need to think twice about it. There are people willing to put in the "impractical" resources, and they managed to compile a 500GB rainbow table. What makes it worse is that this group put it online as a subscription-based service. (http://www.rainbowcrack-online.com/)

So you use whatever means you like to get the password hashes (there are plenty of ways to do so), submit them to this online service, wait a while, and you get the plain text password. With traditional brute-force cracking it would take "forever" to crack a password like "$FT%_3^,". According to the news report, with this rainbow table it is just a matter of looking it up in a huge table, which takes much, much less time than "forever". The catch, from the attacker's side, is that the table only helps if the password lies within the character set and length the table was built for, and if the target hash was computed with exactly the same hash function the table was built for.

We know that perfectly protecting password hashes is impossible. We used to think that, thanks to hashing, the bad guys could do nothing better than brute-force or dictionary cracking. But with a ready-made rainbow table, how much good does the hash do? The honest answer is that it depends on how the hash was computed. A rainbow table is precomputed for one exact function. If the stored value is the hash of a random per-user salt concatenated with the password, the attacker would need a separate table for every salt value, which puts the precomputation straight back into the "impractical" column. Unsalted hashes, on the other hand, get no protection at all from a strong-looking password once a table covering that character set exists.
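To make the mechanism concrete, here is a small, self-contained rainbow table against a toy key space of three lowercase letters, written for this post as an added example; it is not code from the original article or from the RainbowCrack service, and the key space, chain length, chain count, salt value and the "seed-i" scheme for choosing chain starts are all constructed for illustration. It builds the chains offline, looks up a target hash online by regenerating chain tails, and then shows that the same table is useless against a salted hash of the same password.

```python
import hashlib
import itertools

# Constructed toy key space: three lowercase letters (26**3 = 17,576 passwords).
# A real table covers a far larger space; the mechanics are identical.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3
CHAIN_LEN = 40      # hash/reduce steps per chain
NUM_CHAINS = 1500   # chains precomputed; only their end points are stored


def h(password, salt=""):
    """Unsalted MD5 by default; pass a salt to see why precomputation then fails."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def reduce_to_password(digest_hex, column):
    """Map a digest back into the password space (not an inverse of h, just a mapping).

    Mixing in the column index gives every column its own reduction function,
    which is what makes this a rainbow table rather than a plain hash chain:
    two chains that collide at different columns do not merge.
    """
    n = int(digest_hex, 16) + column
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def chain_start(i):
    """Deterministic pseudo-random start point for chain i (constructed for the example)."""
    return reduce_to_password(hashlib.md5(f"seed-{i}".encode()).hexdigest(), 0)


def chain_password(start, column):
    """Password found at `column` of the chain beginning at `start`."""
    pw = start
    for step in range(column):
        pw = reduce_to_password(h(pw), step)
    return pw


def build_table():
    """Offline, expensive step: walk every chain and store only end -> [starts]."""
    table = {}
    for i in range(NUM_CHAINS):
        start = chain_start(i)
        end = chain_password(start, CHAIN_LEN)
        table.setdefault(end, []).append(start)
    return table


def lookup(table, target_digest):
    """Online step: return a password whose unsalted hash is target_digest, or None."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: the target digest sits at this column. Finish the chain from there...
        pw = reduce_to_password(target_digest, column)
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_to_password(h(pw), later)
        # ...and check whether that end point is one we stored.
        for start in table.get(pw, []):
            cand = start
            for step in range(CHAIN_LEN):  # regenerate the chain to recover the preimage
                if h(cand) == target_digest:
                    return cand
                cand = reduce_to_password(h(cand), step)
            # No hit on this chain: a false alarm caused by a chain merge; keep trying.
    return None


TABLE = build_table()


def coverage(stride=100):
    """Fraction of a strided sample of the key space the table recovers (tables are probabilistic)."""
    sample = ["".join(t) for t in itertools.islice(
        itertools.product(ALPHABET, repeat=PW_LEN), 0, None, stride)]
    hits = sum(1 for pw in sample if lookup(TABLE, h(pw)) is not None)
    return hits / len(sample)


if __name__ == "__main__":
    victim = chain_password(chain_start(7), 12)   # a password we know the table covers
    print("unsalted:", lookup(TABLE, h(victim)))              # recovers victim
    print("salted:  ", lookup(TABLE, h(victim, salt="x7")))   # None: table built without the salt
    print(f"coverage of sample: {coverage():.0%}")
```

Two things worth noticing when you run it. The table holds 1,500 end points yet recovers a large share of a 17,576-password space, which is the whole point of the trade-off; and the moment a salt is prepended, the precomputed chains no longer describe the function being attacked, so the lookup fails even though the password itself is identical. Scaling the alphabet, length and chain parameters up is what turns this toy into the 500GB table the article describes.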

And the bigger question is whether passwords are still secure at all.


(News link: http://www.theregister.co.uk/2005/11/10/password_hashes/)
