Gold at the end of rainbow cracking?
Robert Lemos, SecurityFocus 2005-11-09

A trio of entrepreneurial hackers hope to do for the business of password cracking what Google did for search and, in the process, may remove the last vestiges of security from many password systems.

Gold at the end of rainbow cracking? 2005-11-10
Anthony LAI, CISSP, CISM (1 replies)
Gold at the end of rainbow cracking? 2005-11-10
Mike B (3 replies)
Re: Gold at the end of rainbow cracking? 2005-11-11
Roger
This attack is not effective against /etc/shadow, not simply because /etc/shadow is hidden from the attacker (which, as others have pointed out, is a first line of defense only), but because its passwords are salted -- heavily salted, in the case of reasonably modern versions.

Rather the attack is for something like, say, a badly implemented web site login system, where a SQL injection attack allows an attacker to get a list of all the password hashes, which the site developer has simply MD5 or SHA1 hashed without any salting or stretching.

But yes, regardless of the exact attack vector, you need some way to obtain the hashes first.

Link to this comment: http://www.securityfocus.com/comments/articles/11355/32717#32717
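
An added example, not part of the comment above or of the article: it contrasts the unsalted storage the comment describes with a salted, stretched record, and checks which of the two a table computed in advance can resolve. The record format, the iteration count, the user names, the passwords and the small dictionary standing in for a rainbow table are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware

def store_unsalted(password: str) -> str:
    """The weak scheme described above: a bare SHA-1 digest, no salt, no stretching."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted(password: str) -> str:
    """Per-user random salt plus stretching (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def precomputed_table(candidates):
    """Stand-in for a rainbow table: digests computed once, before any hashes are seen."""
    return {store_unsalted(c): c for c in candidates}

def resolved_by_lookup(records, table):
    """Users whose stored value is recovered by a plain lookup in the table."""
    hits = {}
    for user, rec in records.items():
        digest = rec.rsplit("$", 1)[-1]  # last field of a record, or the bare digest
        if digest in table:
            hits[user] = table[digest]
    return hits

# Constructed sample data: two users who picked the same password.
PASSWORDS = {"alice": "sunshine1", "bob": "sunshine1"}
TABLE = precomputed_table(["letmein", "sunshine1", "qwerty12"])

if __name__ == "__main__":
    weak = {u: store_unsalted(p) for u, p in PASSWORDS.items()}
    strong = {u: store_salted(p) for u, p in PASSWORDS.items()}
    print("unsalted resolved:", resolved_by_lookup(weak, TABLE))
    print("salted resolved:  ", resolved_by_lookup(strong, TABLE))
    print("same password, same record? unsalted:", weak["alice"] == weak["bob"],
          "salted:", strong["alice"] == strong["bob"])
```

The salt is stored next to the digest and is not secret; its job is to make every record a separate computation, so work done before the hashes were obtained cannot be reused across users or sites.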
Gold at the end of rainbow cracking? 2005-11-11
Anonymous (1 replies)