Comment Re:Offline-vs-Online attacks (Score 1) 343

Windows 7 and Windows 2008 do not store passwords in the same format that Windoz 95 and 98 did. You have to go in and manually specify that you want it to do LM or NTLM. Which, I might add, you can also do on any Linux machine. So are Linux passwords weak because you can specify a weak NTLM hash or MD5? Not because anyone in their right mind does? The thing that kills me on the "weak Windows" argument here is that the only reason people usually enable old NTLM on a Windows AD is to get some Mac or open source code to authenticate properly. The problem with trying to prepare for an offline hash attack is that you can't. Well, if you issue users YubiKey or RSA tokens, then you can. But that is a little impractical. I would submit the idea that a strong password is still your best defense. And that the password listed was a poor example in this situation because with a modern Windows or Linux salt, it would take a very long time to get. I don't think anyone has noticed that all the passwords in the hashes referenced have not been found yet. There are references that ALL accounts have been found; they have not at this point in time. Strong passwords in this situation have proven themselves. Also in most cases, when you have broken into a machine to where you have access to that hash file, the password guessing game is over and moves on to replaced GINA, keystroke logger, stolen hash, etc. All the easy stuff. It comes back to the admin having a strong password and patching on time.

Comment Re:160 seconds? Windows? Bad example (Score 2) 343

A little harder to block, yes, I would agree; however, even a botnet of 1 million computers all active on my pathetic site can only guess 5 million per hour. I would love to see your logs that are a clear show of botnet force. Doesn't happen to my company's webservers. (Knock on wood.) Still a long time until the example password gets cracked. So at the heart of this question: are strong passwords like "Fgpyyih804423" worthless because an old NTLM hash cracker with precalculated tables can hit it in 160 seconds? Absolutely not. The example does not belong in the article.

Comment 160 seconds? Windows? Bad example (Score 5, Interesting) 343

Why on earth are they mentioning how fast rainbow tables can break an old Windows hash? That has nothing to do with most pages running Apache on Linux. The example password would last for quite a while against a brute force attack. Anyone worth their salt wouldn't allow that many auth attempts from one IP. Get it, "worth their salt"? Lololol. Anyhow, why is the Windows example being used in this article at all?
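The three comments above make two separable points: a precomputed table only works against a fast, unsalted hash, and a throttled online guess rate leaves a 13-character mixed-case alphanumeric password out of reach. The script below is an added illustration, not code from the article or from any commenter; it uses SHA-256 as a stand-in for an unsalted hash (LM/NTLM are different algorithms, but share the no-salt property at issue), PBKDF2-HMAC-SHA256 as the salted alternative, a constructed four-word list, and the 5-million-guesses-per-hour figure from the second comment.

```python
import hashlib
import os
import string

# Constructed sample wordlist standing in for the input of a precomputed table.
WORDLIST = ["password", "letmein", "Fgpyyih804423", "qwerty123"]


def unsalted_digest(password: str) -> str:
    """Fast, unsalted hash: the property that lets a table be computed once
    and reused against every stolen hash. SHA-256 is a stand-in here."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_table(words):
    """Precompute digest -> plaintext; cost is paid before any hash is stolen."""
    return {unsalted_digest(w): w for w in words}


def lookup(table, digest):
    """Dictionary lookup is O(1) no matter how long or random the password is."""
    return table.get(digest)


def salted_digest(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-user random salt plus key stretching (PBKDF2-HMAC-SHA256).
    Same password, different salt -> different digest, so a table built
    without that exact salt never matches and must be rebuilt per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()


def keyspace(password: str) -> int:
    """Size of the smallest standard character-class space that contains the password."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


def hours_to_exhaust(password: str, guesses_per_hour: int) -> float:
    """Worst-case hours to try the whole keyspace at a throttled online rate."""
    return keyspace(password) / guesses_per_hour


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("unsalted lookup:", lookup(table, unsalted_digest("Fgpyyih804423")))
    salt = os.urandom(16)
    print("salted lookup:", lookup(table, salted_digest("Fgpyyih804423", salt)))
    print("hours at 5M/h:", f"{hours_to_exhaust('Fgpyyih804423', 5_000_000):.2e}")
```

The unsalted lookup returns the password immediately while the salted lookup returns None, and the 62^13 keyspace at 5 million guesses per hour works out to roughly 4e16 hours.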

Comment Re:Why? (Score 1) 375

Agreed, we implemented secure Gmail at a fraction of the cost of running Exchange. If you compare apples to apples, you need to be running clustered Exchange, multiple DCs, etc. Once you add in support staff, hardware, percent of datacenter and all the other costs, Gmail is cheap even with the 10k a year we pay. It has gone down a few times in the last 3.5 years at my company. It has not gone down as often as our redundant Exchange solution at the previous university job. Anonymous is correct about HIPAA/HITECH. I have a feeling the people above just read about it on a blog and have no real world experience. When one of our doctors sends patient data either in text or as an attachment, we are covered. Postini (Gmail) allows you to create all of the RegEx rules you want to filter. It will notify and/or block any email containing the PHI you have chosen to filter. Sometimes Slashdot is frustrating because we have so much good knowledge, but people who want to flame jump on and do so. It muddies the waters where a lot of us do this for a job every day and have real experience.
