On Thu, Jun 2, 2011 at 1:29 PM, Roland Tarver wrote:

> Just saw this http://url.drogon.net/z and this http://url.drogon.net/00.

They're making it sound a lot worse than it is. The passwords that can be cracked in "under a second" are five characters and consist only of letters (upper- and lower-case) and numbers. A seven-character password with the same restrictions already takes them 17 minutes, while a five-character password which also contains symbols (&, ., space etc.) takes them 7 hours. They don't say how long it takes them to crack an eight-character mixed-case password that includes numbers and symbols, but it's going to be days.

Another thing to note is that for this to work they need to have the MD5 hash of the password. Now with the data leaks that occur on an almost daily basis, it is not a bad idea to assume that the hackers do have the MD5 hash of your password* and set your password policy accordingly, but in most cases they won't. In which case they can't but try every password from 00000 to ZZZZZ. Most systems will lock you out for a while if you try to log in too many times. And even if the system doesn't, the fact that it usually takes a second or so to respond makes this kind of attack rather useless.

Martijn.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
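The keyspace argument in the message above, worked through as an added example that is not part of the original post: it compares worst-case exhaustion time against a leaked unsalted MD5 hash with the same search done through a rate-limited login form. The hash rate, lockout threshold, lockout duration and response time are assumed values, not figures from the article or the list.

```python
import string

# Character classes as the message describes them (constructed here).
LETTERS_DIGITS = string.ascii_letters + string.digits      # 62 symbols
WITH_SYMBOLS = LETTERS_DIGITS + string.punctuation + " "   # 95 printable ASCII


def keyspace(alphabet: str, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return len(alphabet) ** length


def offline_seconds(alphabet: str, length: int, hashes_per_second: float) -> float:
    """Worst case when the attacker holds the hash: limited only by hashing speed."""
    return keyspace(alphabet, length) / hashes_per_second


def online_seconds(alphabet: str, length: int, response_seconds: float,
                   attempts_per_lockout: int, lockout_seconds: float) -> float:
    """Worst case through the login form: every guess costs one round-trip and
    each block of `attempts_per_lockout` failures adds a lockout delay."""
    n = keyspace(alphabet, length)
    lockouts = (n - 1) // attempts_per_lockout   # no lockout after the final guess
    return n * response_seconds + lockouts * lockout_seconds


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"


def compare(length: int, alphabet: str) -> tuple[float, float]:
    """Return (offline, online) worst-case seconds under the assumed parameters."""
    offline = offline_seconds(alphabet, length, hashes_per_second=1e9)   # assumed GPU rate
    online = online_seconds(alphabet, length, response_seconds=1.0,      # assumed latency
                            attempts_per_lockout=5, lockout_seconds=900)  # assumed policy
    return offline, online


if __name__ == "__main__":
    for length, alphabet, label in ((5, LETTERS_DIGITS, "5 alnum"),
                                    (7, LETTERS_DIGITS, "7 alnum"),
                                    (5, WITH_SYMBOLS, "5 with symbols"),
                                    (8, WITH_SYMBOLS, "8 with symbols")):
        off, on = compare(length, alphabet)
        print(f"{label:15} keyspace={keyspace(alphabet, length):>20,}  "
              f"offline={human(off):>15}  online={human(on):>20}")
```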