Rainbow Tables The end of password cracking as we know it

The end of password cracking as we know it

Agenda Theory of password security & why it doesn't apply anymore Demo: Cracking Windows LM Hashes Questions & Answers

Theory of password security & why it doesn't apply anymore

Demo: Cracking Windows LM Hashes

Questions & Answers

Theory of password security Concept: Take too much resources to crack to be useful Complex enough to make it unfeasible to crack Precomputed passwords requires too much storage

Concept: Take too much resources to crack to be useful

Complex enough to make it unfeasible to crack

Precomputed passwords requires too much storage

Don't work so well anymore Faster and faster CPUs Cheap storage High bandwidth network connections

Faster and faster CPUs

Cheap storage

High bandwidth network connections

“Cracking” windows passwords using rainbow tables LM Hashes Maximum 14 characters long Broken up into two 7-character UPPER CASE strings Lacks salt

LM Hashes

Maximum 14 characters long

Broken up into two 7-character UPPER CASE strings

Lacks salt

Why are salt so important? Without a salt the same password will always result in the same hash Salts, if unique, adds additional bits to the mix that requires cracking Often making rainbow tables unfeasible

Without a salt the same password will always result in the same hash

Salts, if unique, adds additional bits to the mix that requires cracking

Often making rainbow tables unfeasible

Demo Cracking an Windows LM Hash using rainbow tables

Cracking an Windows LM Hash

using rainbow tables

Current state of rainbow tables LM Hash completely broken (more or less) MD5 rainbow tables are starting to appear SHA1 / SHA128 / SHA256 rainbow tables are being worked upon

LM Hash completely broken (more or less)

MD5 rainbow tables are starting to appear

SHA1 / SHA128 / SHA256 rainbow tables are being worked upon

The Future Salt your hashes Move away from passwords as an authentication token

Salt your hashes

Move away from passwords as an authentication token

Questions & Answers

Questions & Answers

Thank You! Slides and recorded version of the presentation will be available at http://michaelboman.org Contact me @ michaelboman.org if you have feedback, suggestions or comments

Slides and recorded version of the presentation will be available at http://michaelboman.org

Contact me @ michaelboman.org if you have feedback, suggestions or comments