Date: Sat, 9 Sep 2006 16:57:20 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Using a pre-computed list of alphanumeric strings. (not rainbow tables)

On Mon, Aug 28, 2006 at 05:50:46PM -0400, John wrote:
> Before someone answers this message, yes I do understand what a salted hash
> is, and why running a rainbow table on such a hash would be
> ineffective...

Actually, it could work for small salt sizes - but you would need many
sets of smaller rainbow tables - e.g., 4096 for the traditional crypt(3).

> if I have a pre-computed hash table with hashes of every
> alphanumeric combination up to say, 14 chars long,

As others have pointed out, you're not going to have it.  You can have
one for 7-character LM hash halves, though.  However, even if you're
smart enough to store partial hashes or to index by partial hashes and
store plaintext password deltas, you're not going to save more than a
few hours of CPU time per hard drive - for a reasonable modern system -
and less than that when cracking large numbers of hashes.

Rainbow tables are a lot more efficient than that; their only downside
is that they don't provide a guarantee (but rather a very high chance)
that every alphanumeric (or whatever) password will be cracked.

> why couldn't something like this be used in place of a word list?

It could, but saltless hashes tend to be so fast that this doesn't make
sense.  The traditional crypt(3) is slower, but you'd have to store 4096
times more data (yet this was implemented in QCrack in 1995).

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
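
As an added illustration (not part of the original message and not John the Ripper or QCrack code), the sketch below builds an exhaustive lookup table indexed by partial hashes and shows why a salted scheme needs one such table per salt value, 4096 for a 12-bit salt. SHA-256 over salt plus password is an assumed stand-in for crypt(3); the toy charset, length limit and all function names are constructed for the example.

```python
import hashlib
from itertools import product

SALT_BITS = 12       # salt size of traditional crypt(3): 2**12 = 4096 salts
CHARSET = "abc123"   # constructed toy charset; the thread is about alphanumerics
MAX_LEN = 3          # constructed toy length limit
PREFIX_BYTES = 3     # bytes of each hash kept as the index (the "partial hash")


def toy_hash(salt: int, password: str) -> bytes:
    """Assumed stand-in for a salted hash (SHA-256 of salt || password), not crypt(3)."""
    return hashlib.sha256(salt.to_bytes(2, "big") + password.encode()).digest()


def candidates():
    """Every string over CHARSET of length 1..MAX_LEN."""
    for n in range(1, MAX_LEN + 1):
        for chars in product(CHARSET, repeat=n):
            yield "".join(chars)


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of entries an exhaustive table needs for one salt."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def build_table(salt: int) -> dict:
    """Exhaustive table for ONE salt, indexed by truncated hash only."""
    table = {}
    for pw in candidates():
        table.setdefault(toy_hash(salt, pw)[:PREFIX_BYTES], []).append(pw)
    return table


def lookup(table: dict, table_salt: int, target: bytes):
    """A prefix hit is only a candidate: confirm by recomputing the full hash."""
    for pw in table.get(target[:PREFIX_BYTES], []):
        if toy_hash(table_salt, pw) == target:
            return pw
    return None


if __name__ == "__main__":
    t7 = build_table(7)
    print(lookup(t7, 7, toy_hash(7, "c2a")))    # hash made with the table's salt
    print(lookup(t7, 7, toy_hash(8, "c2a")))    # same password, different salt
    per_salt = keyspace(62, 14)
    print(per_salt, per_salt * 2 ** SALT_BITS)  # entries for one salt / all salts
```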
