Security, rainbow tables and other wonderful things.

[wewillfightintheshade]

So, I've just reinvented my online self. All HDs encrypted with TrueCrypt, double-layer Tor via a background user, every incoming & outgoing port on the system blocked but for Tor with my own personal firewall, so on, and so forth...

Now to the interesting part. I've written a rainbow table generator in OpenCL. It can generate tables in SHA2, MD5 and AES128-192-256, for passwords up to 20 characters in length with salt for each up to 128 characters. Letting it run for 24 hours it's generated 6 TB (and counting) of JSON-formatted passwords and hashes.

Would anyone be willing to pay BTC for it? (this is the 'other wonderful things' part!) I'm aware that you're all about open source, but this is a powerful tool.

[1715409954]

1715409954

[1715409954]

1715409954

[nmat]

I am not a security expert, but isn't salt used to make it impossible to create rainbow tables? Well, not really impossible, but I think rainbow tables with salt take so much space that it becomes unfeasible to create/store them.

Those 6TB correspond to what exactly? How many passwords do you have? I bet that hundreds of years will pass and you will not be even close to the 20 characters + 128 salt.

[JBDive]

The problem as I understand it in using such large tables is even though you have the table and it's clearly faster than running a brute force it still takes an extremely long time to run a password against such a table that it's just not worth it. It would depend on the need for the password I guess and your objective.

I am glad I use a password that exceeds 16 characters though as it's clear in the long term GPU hashing attacks will make short passwords extremely vulnerable.

[SomeoneWeird]

The problem as I understand it in using such large tables is even though you have the table and it's clearly faster than running a brute force it still takes an extremely long time to run a password against such a table that it's just not worth it. It would depend on the need for the password I guess and your objective.

I am glad I use a password that exceeds 16 characters though as it's clear in the long term GPU hashing attacks will make short passwords extremely vulnerable.

+1. Even alphanumeric passwords longer than 9 characters are safe.

[wewillfightintheshade]

The 6 TB is all MD5 hashes, up to 8 characters in length so far, with 1-128 characters of alphanumeric salt each. Hash and salt any 7 character password with any combination of ASCII characters, with MD5, and I'll tell you your password.

[nmat]

Hum... I don't think you will get past the 9th or 10th character... At least in 2011 But good luck with that. Maybe someone is interested.

[JBDive]

Hum... I don't think you will get past the 9th or 10th character... At least in 2011 But good luck with that. Maybe someone is interested.

The NSA, oh nevermind they already have their own tables.

I'm very interested since it's my job to be interested but the requirement to have a 50TB device just to house the tables required to solve a 16 character password not to mention the CPU/Bandwidth requirements to still process that amount of data against a password is something only the folks with unlimited budgets are able to buy into, as in those folks in DC or just outside it in VA.

It does or should make you wonder how long it would take the NSA to actually crack those 16+ character passwords as you know they surely have their own tables, most likely stored on some form of SSD and able to cluster the attack using multiple systems polling those tables.

[nmat]

The NSA, oh nevermind they already have their own tables.

I'm very interested since it's my job to be interested but the requirement to have a 50TB device just to house the tables required to solve a 16 character password not to mention the CPU/Bandwidth requirements to still process that amount of data against a password is something only the folks with unlimited budgets are able to buy into, as in those folks in DC or just outside it in VA.

It does or should make you wonder how long it would take the NSA to actually crack those 16+ character passwords as you know they surely have their own tables, most likely stored on some form of SSD and able to cluster the attack using multiple systems polling those tables.

But aren't these tables sort of useless? I mean, If a website decides that the salt is: "websitename.com"+128 characters, your 50TB of data is completely worthless. You have to brute force it again...

[SomeoneWeird]

The NSA, oh nevermind they already have their own tables.

I'm very interested since it's my job to be interested but the requirement to have a 50TB device just to house the tables required to solve a 16 character password not to mention the CPU/Bandwidth requirements to still process that amount of data against a password is something only the folks with unlimited budgets are able to buy into, as in those folks in DC or just outside it in VA.

It does or should make you wonder how long it would take the NSA to actually crack those 16+ character passwords as you know they surely have their own tables, most likely stored on some form of SSD and able to cluster the attack using multiple systems polling those tables.

But aren't these tables sort of useless? I mean, If a website decides that the salt is: "websitename.com"+128 characters, your 50TB of data is completely worthless. You have to brute force it again...

+1

[Dansko]

You would be surprised in the amount of websites that do not salt there passwords and use a simple md5 call to encrypt the passwords.

[timmey]

Isn't generating salted rainbow tables a bit pointless? 

[Xephan]

Isn't generating salted rainbow tables a bit pointless?  

Well, MtGox showed that it isn't entirely pointless

Despite the well established basic rules regarding storage of passwords (or more specifically storing only the salted hash), many sites (or maybe just the same irresponsible coder's code being widely used) are still doing very stupid things.

There are some sites, as recent as this year, that I came across that apparently saves the password in recoverable form. If I see a link to "Send me my password" and verifies they do indeed send the actual password, I very quickly stop using them.

So yeah, I suspect there are still plenty of site that would be vulnerable to a MD5 rainbow table attack.

[timmey]

Well, MtGox showed that it isn't entirely pointless

The MtGox hashes were mostly salted, the unsalted accounts were dead accounts where nobody has logged in for months. Each salted hash used a unique salt. You would need to generate a unique rainbow table for every single password(salt) in the list. And generating a rainbow table for every single salt in the list, would take just as long as "simply" brute-forcing them from the start. That's what i meant by "it's pointless to create salted rainbow tables"

[nmat]

The MtGox hashes were mostly salted, the unsalted accounts were dead accounts where nobody has logged in for months. Each salted hash used a unique salt. You would need to generate a unique rainbow table for every single password(salt) in the list. And generating a rainbow table for every single salt in the list, would take just as long as "simply" brute-forcing them from the start. That's what i meant by "it's pointless to create salted rainbow tables"

Yes, but our fellow wewillfightintheshade claims he has such tables

Unless your password is longer than what he has or the salt is bigger than 128.

[DJStealth]

This almost seams like far too much work. Only used for MD5 hash cracking so whats the use? unless your planing on hacking passwords and such from dumped tables.