Of course you mean “decrypt,” but there’s a bigger mistake in that statement. Simply hashing the password *does* allow for a realistic attack: rainbow tables. This uses a large array of computers to calculate the hash for every entry in a given set of passwords.

Check out this list of freely-downloadable rainbow tables:

It tells you that if you’ve been using a 10-character all-lowercase password with possibly a digit or two, it can probably be cracked instantly by referring to this rainbow table. *If*, that is, it was stored in a password database that simply hashes the password to protect it.

The single simplest way to defeat rainbow tables is by salting the password, which Unix systems have done since approximately forever. Linux copied that practice from the beginning. The reason rainbow tables exist is that there are still password systems today that ignore this 37-year-old lesson. A lot of web sites store their passwords this way, which is why the standard advice is to never reuse the same password at more than one site, even if they claim to “encrypt” your password.

Once you step beyond MD5 passwords on CentOS to SHA-256 or SHA-512, you have the option of using a random number of hashing rounds, greatly increasing the difficulty of producing a rainbow table and the space required to hold it:

– SHA-512 takes about 3x the space of SHA-1, which produced about 2 TiB of tables on the page I linked above.
– The salt is 12 bits of randomness, multiplying the number of required tables by 4,096.
– The man pages are unclear, but I believe the default range of random rounds in CentOS 6 & 7 is 1,000 to 5,000. If so, this multiplies the resource requirements again by 4,000.

All together, the storage space is about 94 EiB, which is approximately equal to the amount of information interchanged across the world’s telecommunications networks in a year.

The sad thing is that dictionary attacks still work. Just a few months ago on this very mailing list, we had a big battle over whether the default password rules should be tightened down to preclude them.
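As an added illustration (not part of the original post), a small Python script contrasting a precomputed lookup table for unsalted SHA-512 against salted, iterated hashing, and reproducing the storage arithmetic above from the post's own multipliers. The `salted_hash` construction and the `$toy$` record format are simplified stand-ins, not the real sha512crypt, and the wordlist is constructed.

```python
import hashlib
import os

# Constructed toy wordlist standing in for the password set a rainbow table covers.
WORDLIST = ["password", "letmein", "centos7", "qwerty123"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-512 of the password: one precomputed table serves every user."""
    return hashlib.sha512(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, rounds: int) -> str:
    """Salted, iterated SHA-512. A simplified stand-in for sha512crypt, not the
    real crypt(3) construction; the '$toy$' record format is made up here."""
    h = hashlib.sha512(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        h = hashlib.sha512(h + salt).digest()
    return f"$toy$rounds={rounds}${salt.hex()}${h.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the salt and rounds stored in the record, as a login check would."""
    _, _, rounds_field, salt_hex, _ = record.split("$")
    rounds = int(rounds_field.split("=")[1])
    return salted_hash(password, bytes.fromhex(salt_hex), rounds) == record


def build_table(wordlist):
    """Precompute digest -> password for the unsalted scheme (the 'rainbow table')."""
    return {unsalted_hash(w): w for w in wordlist}


def table_combinations(salt_bits: int, rounds_min: int, rounds_max: int) -> int:
    """Distinct (salt, rounds) pairs a precomputed table set would have to cover."""
    return (2 ** salt_bits) * (rounds_max - rounds_min + 1)


def storage_eib(base_tib: float, hash_factor: float, salt_bits: int, rounds_span: int) -> float:
    """Scale a base table size (TiB) by the post's three multipliers; 1 EiB = 2**20 TiB."""
    return base_tib * hash_factor * (2 ** salt_bits) * rounds_span / 2 ** 20


def demo():
    table = build_table(WORDLIST)
    # Unsalted storage: the stored digest is reversed by a single dictionary lookup.
    found = table.get(unsalted_hash("centos7"))
    # Salted storage: the same table finds nothing, yet the record still verifies.
    record = salted_hash("centos7", os.urandom(8), rounds=5000)
    missed = table.get(record.split("$")[-1])
    return found, missed, verify("centos7", record), verify("letmein", record)
```

With the post's figures (2 TiB base, 3x for SHA-512, 12 salt bits, a 4,000-wide rounds range) `storage_eib(2, 3, 12, 4000)` gives 93.75, the "about 94 EiB" quoted above.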