Slashdot: News for Nerds





Free Rainbow Tables Looking For New Admin

quelrods Re:Only MD5/LM/NTLM? (95 comments)

There is some SHA1 as well via the download mirrors in TFA.

Though, I agree and wouldn't mind to see some old style MySQL hashes for instance. It's amazing how few databases actually use the new form. The new form is SHA1 twice with no salt. (Hey more unsalted fodder for rainbow tables.) I don't know if anything else uses this method but I know bad things (TM) can happen when people just create new schemes like double hashing or double encryption. (3DES was supposed to be 168 bits (56 * 3) but turns out to be only 112 bits of security.)

about 5 years ago

Free Rainbow Tables Looking For New Admin

quelrods Re:rainbow table? (95 comments)

Yes, the paper is not very clear. The FAQ on comes complete with some diagrams. You are certainly correct that rainbow tables are not just huge precomputed hash databases. Unfortunately, it seems most slashdotters cannot be bothered to actually educate themselves and just like to state that it's a term to describe something very basic and old.

about 5 years ago

Free Rainbow Tables Looking For New Admin

quelrods Re:Salts? (95 comments)

AFAIK Vista is the first Windows to completely remove LM hashes as the default. Other than that you had to use a password of a certain length to prevent LM hash creation, 16 characters if memory serves me correctly.

about 5 years ago

Free Rainbow Tables Looking For New Admin

quelrods Re:Salts? (95 comments)

"im clients, etc."

Ha! Seems IM clients tend to just store the passwords plaintext so even unsalted MD5 would be an improvement over the status quo.

about 5 years ago

Free Rainbow Tables Looking For New Admin

quelrods Re:Salts? (95 comments)

Unfortunately not. Programmers and sysadmins alike only sort of seem to know what a salt is. Look at how often an application stores passwords plaintext or with a simple md5 and you'll be happier not knowing. For that matter I seem to recall that buffer overflows were discovered decades ago and yet plenty of new code continues to suffer from the flaw.

One very interesting place that unsalted hashes seem to stick around is old LDAP directories. I've seen ones with combinations of: MD5, SMD5, SHA, SSHA, and crypt/des. Also, let's say that the LDAP directory only uses SSHA *but* also provides NTLM hashes for Windows authentication such as PDC or BDC, well then who cares about the salted sha1 when you can attack the NT hash much faster.

For that matter only starting with Windows Vista are LM hashes *not* enabled by default. So while 2000, XP, 2003, etc. store the NT hash, storing the LM hash too means no one bothers to crack the NT hash.

One very good use for rainbow tables like md5 and sha1 is to at least get LDAP directories migrated to a salted variant. Good luck getting all your users to change their password or even remember it since they probably just have it saved in a browser.

about 5 years ago
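
An added example, not part of the comment above: a small audit of LDAP `userPassword` values that separates the unsalted schemes the comment lists (MD5, SHA) from the salted ones (SMD5, SSHA). It assumes the common `{SCHEME}base64(digest + salt)` layout; the user names and sample values are constructed.

```python
import base64
import hashlib
import hmac
import os

# scheme -> (hash algorithm, digest length, salted?)
SCHEMES = {"MD5": ("md5", 16, False), "SMD5": ("md5", 16, True),
           "SHA": ("sha1", 20, False), "SSHA": ("sha1", 20, True)}

def make_value(scheme, password, salt=b""):
    """Build '{SCHEME}' + base64(digest + salt), the assumed LDAP layout."""
    algo, _, salted = SCHEMES[scheme]
    salt = salt if salted else b""
    digest = hashlib.new(algo, password + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def parse_value(value):
    """Return (scheme, digest, salt); ValueError if the scheme is not handled."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("no scheme prefix")
    scheme, b64 = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unhandled scheme " + scheme)
    raw = base64.b64decode(b64)
    size = SCHEMES[scheme][1]
    return scheme, raw[:size], raw[size:]

def verify(value, password):
    scheme, digest, salt = parse_value(value)
    candidate = hashlib.new(SCHEMES[scheme][0], password + salt).digest()
    return hmac.compare_digest(candidate, digest)

def audit(entries):
    """Classify each uid as 'salted', 'unsalted' or 'review' (crypt, plaintext)."""
    report = {}
    for uid, value in entries.items():
        try:
            scheme, _, salt = parse_value(value)
            report[uid] = "salted" if SCHEMES[scheme][2] and salt else "unsalted"
        except ValueError:
            report[uid] = "review"
    return report

# Constructed sample directory: alice, bob, carol and dave share one password.
SAMPLE = {"alice": make_value("SHA", b"hunter2"), "bob": make_value("SHA", b"hunter2"),
          "carol": make_value("SSHA", b"hunter2", os.urandom(8)),
          "dave": make_value("SSHA", b"hunter2", os.urandom(8)),
          "eve": "{CRYPT}constructed-placeholder"}
```

The two `{SHA}` values come out identical while the two `{SSHA}` values differ, which is why only the unsalted entries are exposed to a precomputed table. Since a stored hash cannot be converted to another scheme, a migration has to re-hash at a password change or at a successful simple bind, when the plaintext is available.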

Free Rainbow Tables Looking For New Admin

quelrods Re:OMG is that annoying... (95 comments)

Please see my comment on the matter of "a new name for it for no reason."

If it was nothing but precomputed hashes then indeed it would not be very interesting as it is nothing new. However, it's quite a bit different as the lookups are probabilistic, not 1:1 lookups for is the hash there yes/no.

For that matter educating people to learn how to use salts with their hash for storing passwords is nowhere near complete even among savvy geeks.

about 5 years ago

Free Rainbow Tables Looking For New Admin

quelrods Re:OMG is that annoying... (95 comments)

If you just mentally link rainbow table with precomputed hashes then you have missed the point entirely. Rainbow tables are an entirely new approach to the problem. It isn't simply storing every precomputed hash. It has a few advantages such as much less disk space is needed, much faster due to indexes as well as less to load from disk, etc. It's actually probabilistic in nature and does not guarantee 100% that a given hash is found. You may want to spend the time to read through the FAQ if you are interested.

One interesting use involves prebuilt CD and DVD ISOs for Windows LM *and* NTLM password recovery.

With a distributed project like Free Rainbow Tables, it gives people less and less chance to avoid learning what a salt is and I hope will lead to more education of programmers, admins, etc.

No matter how expensive the hash is in terms of computation, nothing beats a good hash that uses salts for storing passwords. Though, I'd like to see websites stop storing plaintext passwords that they email to you for a password recovery :(

about 5 years ago

Politicians Target Social Sites For Restrictions

quelrods Re:So the Yahoo/China thing was (497 comments)

We aren't necessarily falling behind. Though, we may be a few years away from catching up to China.

more than 8 years ago

