Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).


Comment: Re:Only MD5/LM/NTLM? (Score 1) 95

by quelrods (#28764425) Attached to: Free Rainbow Tables Looking For New Admin
There is some SHA1 as well via the download mirrors in TFA.

Though, I agree and wouldn't mind to see some old style mysql hashes for instance. It's amazing how few databases actually use the new form. The new form is SHA1 twice with no salt. (Hey more unsalted fodder for rainbow tables.) I don't know if anything else uses this method but I know bad things (TM) can happen when people just create new schemes like double hashing or double encryption. (3DES was suppose to be 168 bits (56 * 3) but turns out to be only 112 bits of security.)

Comment: Re:rainbow table? (Score 1) 95

by quelrods (#28764219) Attached to: Free Rainbow Tables Looking For New Admin
Yes, the paper is not very clear. The FAQ on comes complete with some diagrams. You are certainly correct that rainbow tables are not just huge precomputed hash databases. Unfortunately, it seems most slashdotters cannot be bothered to actually educate themselves and just like to state that its a term to describe something very basic and old.

Comment: Re:Salts? (Score 1) 95

by quelrods (#28764147) Attached to: Free Rainbow Tables Looking For New Admin
Unfortunately not. Programmers and sysadmins alike only sort of seem to know what a salt is. Look at how often an application stores passwords plaintext or with a simple md5 and you'll be happier not knowing. For that matter I seem to recall that buffer overflows were discovered decades ago and yet plenty of new code continues to suffer from the flaw.

One very interesting place that unsalted hashes seem to stick around are old LDAP directories. I've seen ones with combinations of: MD5, SMD5, SHA, SSHA, and crypt/des. Also, lets say that the LDAP directory only uses SSHA *but* also provides NTLM hashes for windows authentication such as PDC or BDC, well then who cares about the salted sha1 when you can attack the NT hash much faster.

For that matter only starting with Windows Vista are LM hashes *not* enabled by default. So while 2000, XP, 2003, etc. store the NT hash, storing the LM hash too means no one bothers to crack the NT hash.

One very good use for rainbow tables like md5 and sha1 are to at least get LDAP directories migrated to a salted variant. Good luck getting all your users to change their password or even remember it since they probably just have it saved in a browser.

Comment: Re:OMG is that annoying... (Score 1) 95

by quelrods (#28764063) Attached to: Free Rainbow Tables Looking For New Admin
Please see my comment on the matter of "a new name for it for no reason."

If it was nothing but precomputed hashes then indeed it would not be very interesting as it is nothing new. However, it's quite a bit different as the lookups are probabilistic, not 1:1 look ups for is the hash there yes/no.

For that matter educating people to learn how to use salts with their hash for storing passwords is no where near complete even among savy geeks.

Comment: Re:OMG is that annoying... (Score 1) 95

by quelrods (#28763925) Attached to: Free Rainbow Tables Looking For New Admin
If you just mentally link rainbow table with precomputed hashes then you have missed the point entirely. Rainbow tables are an entirely new approach to the problem. It isn't simply storing every precomputed hash. It has a few advantages such as much less disk space is needed, much faster due to indexes as well as less to load from disk, etc. It's actually probabilistic in nature and does not guarantee 100% that a given hash is found. You may want to spend the time to read through the FAQ if you are interested.

One interesting use involves prebuilt cd and dvd isos for windows LM *and* NTLM password recovery.

With a distributed project like Free Rainbow Tables, it gives people less and less chance to avoid learning what a salt is and I hope will lead to more education of programmers, admins, etc.

No matter how expensive the hash is in terms of computation, nothing beats a good hash that uses salts for storing passwords. Though, I'd like to websites stop storing plaintext passwords that they email to you for a password recovery :(

Never worry about theory as long as the machinery does what it's supposed to do. -- R. A. Heinlein