
case western reserve university

LUX IN TENEBRIS

 
 

Rainbow- password cracking at breakneck speed

February 2, 2006

A recent article in the SANS Ouch feed (securityawareness@sans.org) had a bit on the Rainbow Crack project. Basically, the utility has a LARGE database of pre-computed password hashes (modern authentication systems, for example, don't send passwords but exchange a checksum/hash of the password). RainbowCrack 'decrypts' the password hash by comparing it to these pre-computed hashes. If they match, they've got it.

Read on for the original reference.

- From one of our Readers: Commercial grade of "Rainbow Table" is
available now (http://www.rainbowcrack-online.com/?x=home). The
objective of "Rainbow Table" is to pre-compute all possible password
hashes for a given length on a specific encryption for instant password
decryption. While this requires significant resources (time to compute,
storage and RAM) to derive and hold the Rainbow Tables, its use is not
infeasible. According to the web site, the current password length that
could be decrypted is at most 7 characters, with a success rate
approaching 100%. This provides a rationale for why it is important to
choose upper/lower case letters, as well as numbers and symbols and to
make your passwords at least 8 characters long.

A formatted version of this newsletter in its original format may be read online at
http://www.sans.org/newsletters/ouch/issue/20060202.php

Posted by Thomas Siu at 10:29 PM
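The lookup described above, and why length and character variety matter, as an added example that is not from the original post or from the RainbowCrack project. It uses a plain hash-to-password dictionary, as the post describes it, rather than the chained tables the real tool builds; unsalted SHA-256, the three-character lowercase toy keyspace and all function names are assumptions made for illustration.

```python
import hashlib
import string
from itertools import product


def h(password: str) -> str:
    """Unsalted hash of a password (SHA-256 is a stand-in chosen for this demo)."""
    return hashlib.sha256(password.encode()).hexdigest()


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def build_table(alphabet: str, max_len: int) -> dict:
    """Pre-compute hash -> password for every candidate up to max_len."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in product(alphabet, repeat=n):
            pw = "".join(chars)
            table[h(pw)] = pw
    return table


# Constructed toy table: lowercase letters only, up to 3 characters.
TABLE = build_table(string.ascii_lowercase, 3)


def lookup(hash_hex: str):
    """Return the password if its hash was pre-computed, else None."""
    return TABLE.get(hash_hex)


def growth_report():
    """Table entries needed for 7- vs 8-character coverage per character set."""
    sets = [("lowercase", 26), ("upper+lower+digits", 62), ("printable ASCII", 95)]
    return [(name, n, keyspace(size, n)) for name, size in sets for n in (7, 8)]


if __name__ == "__main__":
    print("table entries:", len(TABLE))
    for candidate in ("cat", "cats", "Ca7"):  # in table, too long, outside alphabet
        print(f"{candidate!r:8} ->", lookup(h(candidate)))
    for name, length, entries in growth_report():
        print(f"{name:20} up to {length} chars: {entries:,} entries")
```

A password is only recovered if it falls inside the pre-computed set: one extra character or one character from outside the table's alphabet is enough for the lookup to miss, and each added character multiplies the table size by the size of the alphabet.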
