, SecurityFocus 2005-11-09
A trio of entrepreneurial hackers hope to do for the business of password cracking what Google did for search and, in the process, may remove the last vestiges of security from many password systems.
Expand all |
Post comment
Gold at the end of rainbow cracking?
2005-11-09
Anonymous (4 replies)
Anonymous (4 replies)
Re: Gold at the end of rainbow cracking?
2005-11-10
Anonymous (1 replies)
Anonymous (1 replies)
Re: Re: Gold at the end of rainbow cracking?
2005-11-10
Anonymous (2 replies)
Anonymous (2 replies)
Gold at the end of rainbow cracking?
2005-11-10
Mike B (3 replies)
Mike B (3 replies)
Re: Gold at the end of rainbow cracking?
2005-11-10
Pete (3 replies)
Pete (3 replies)
Gold at the end of rainbow cracking?
2005-11-11
Anonymous (1 replies)
Anonymous (1 replies)
Eg.
Lanman network authentication traffic (easier
with hubs than switches, but still doable with switches).
Websites that use NTML authentication and not HTTPS. There will be a "Authorization" head that
will provide hashes.
etc.
So yes ... It should be non-trivial to collect the hashes, but it isn't always the case. This doesn't cover the sites that use basic authentication without SSL from which password recovery is a base64 decode.
In reality, rainbow cracking has exposed a number of flaws in the implementation of password systems by a variety of people. At the times, these problems while known, didn't represent a huge risk ... 10, 20 years down the track ...
some of these systems are looking at having to be replaced and unfortunately replacing an existing authentication system with a more robust one is quite a challenge.
[ reply ]
Link to this comment: http://www.securityfocus.com/comments/articles/11355/32735#32735