
Password Speed Check


Deathdefyer2002


Hey,

I have been doing some research on passwords and it seems that different computers can crack passwords at different speeds. I am wondering if there is an app or program that one can run to determine how many passwords per second your particular computer can run through. I know that people have estimates on different machines but I was wondering if there was a specific program that can be run on a specific machine to determine the exact speed. My ultimate goal is to calculate how long my PC would take to crack my password. I have a P4 Dual core 2.4 GHz. I know that my machine isn't the BEST of the BEST but it is pretty good. I figure that if it would be unreasonable for my computer to crack the password then it should be secure enough in that the general public won't be able to crack it.

Thanks

Deathdefyer

Link to comment

You need to take a sample and extrapolate from it to give an estimate. For example, if your computer can calculate 10 hashes in 1 second, and there are 1000000 possible password hashes, your computer will take 100000 seconds to calculate all possible hashes.

Link to comment
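
The sample-and-extrapolate estimate described in the post above, as an added example that is not part of the original thread. The two schemes, the 2000-iteration count and the 62-character, 8-position keyspace are assumptions chosen to show how much the answer depends on the hashing scheme, not values from any product discussed here.

```python
import hashlib
import os
import time

SALT = os.urandom(16)  # constructed per-run salt for the slow scheme

# Assumed schemes for comparison; neither is named in the thread.
SCHEMES = {
    "sha256, single pass": lambda pw: hashlib.sha256(pw).digest(),
    "pbkdf2-hmac-sha256, 2000 iterations":
        lambda pw: hashlib.pbkdf2_hmac("sha256", pw, SALT, 2000),
}

def hashes_per_second(hash_fn, sample_seconds=0.2):
    """Take the sample: hash for a fixed time and return the measured rate."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < sample_seconds:
        hash_fn(b"constructed-candidate-%d" % count)
        count += 1
    return count / (time.perf_counter() - start)

def keyspace(charset_size, max_length):
    """Number of passwords of length 1..max_length over the charset."""
    return sum(charset_size ** n for n in range(1, max_length + 1))

def seconds_to_exhaust(candidates, rate):
    """Extrapolate: worst case tries every candidate; the average is half."""
    return candidates / rate

def human(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def report(charset_size=62, max_length=8):
    """Measure each scheme on this machine and extrapolate over the keyspace."""
    total = keyspace(charset_size, max_length)
    rows = {}
    for name, fn in SCHEMES.items():
        rate = hashes_per_second(fn)
        rows[name] = (rate, seconds_to_exhaust(total, rate))
    return rows

if __name__ == "__main__":
    for name, (rate, secs) in report().items():
        print(f"{name}: {rate:,.0f} hashes/s -> {human(secs)} worst case")
```

The measured rate is for single-threaded Python on the machine it runs on, so it is a floor for judging password strength: dedicated cracking software on the same hardware will be faster.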

So managing to catch someone's encrypted password flying over the Internet (not exactly what I would call easy) and then being able to crack it is worse than Windows being exploitable as soon as it's on the Internet, to the point that if you actually do put XP with no firewall or patches on the Internet it will be infected in 10 seconds or less without the user touching it?

Link to comment

the same goes for linux

No, this is not true. I have a standard Ubuntu installation and there are no open ports, you are not vulnerable to (most) viruses, there is a standard firewall installed, ...

I'm pretty sure that Linux (Ubuntu) is more secure than Windows.

Link to comment

While it is true that an RTM install of XP was highly unsecured when connected to public networks, you have to remember that not only was the rise of home broadband connections unexpected by Microsoft, the people operating these systems were never techies. If you were to give an untrained operator a generic desktop install of Linux from the same era, connected to a public network and without any security work done on it, it wouldn't last long either.

However, if you took a fully patched version of XP or Vista, complete with firewall and AV, put it behind NAT + hardware firewall and gave the owner a standard 101 course on how not to get shafted, how would this compare to a similar Ubuntu setup security-wise? My money is on them both being fairly secure until the operator makes a mistake.

The Debian SSL fuck-up was worse in my books, simply because it was unexpected (if you're running Windows, you're aware that you need to take care, whereas Linux users generally don't have that expectancy as a rule). It also involved stuff that is used on servers primarily, where security and so forth is generally more considered. It was a bad fuckup, primarily given the developers' approach which led to the whole thing. It serves to remind everyone that no matter how open source and Free your OS is, you can't just blindly trust the people who made the thing.

Link to comment

http://en.wikipedia.org/wiki/Rainbow_table

Basically the password is converted into gibberish and that is stored instead of your password (called hashing). If you work out every possible hash there is in advance, you can just take a hash and search your list of hashes for a match, thus giving you the password. It's a trade-off between time and storage space. The more of the latter you have, the less of the former it takes.

Link to comment

Ok, so assuming that the attacker is using a rainbow table... How can I see how fast it works? And... Can rainbow tables be used on ALL types of passwords? Does this mean that TrueCrypt is now that much more insecure? I'm very confused.

Rainbow tables are very fast, as in as fast as it takes to read data... fast.

Can rainbow tables be used on ALL types of passwords?

Rainbow tables only work with password hashing algorithms that never change (for example, the password hashing on Windows).

They are fairly useless against salted passwords in general or any modified implementations of the hashing algorithm.

Link to comment
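
What the salt changes, as an added example that is not part of the original thread. It uses a plain precomputed lookup table (the simplest form of the time/storage trade-off, not a chained rainbow table) over a constructed candidate list, with SHA-256 standing in for the password hash; all names are hypothetical.

```python
import hashlib
import os

# Constructed candidate list standing in for "every possible password".
CANDIDATES = ["letmein", "password1", "hunter2", "correct horse"]

def hash_password(password, salt=b""):
    """SHA-256 as a stand-in password hash; an empty salt means unsalted."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_table(candidates, salt=b""):
    """Precompute hash -> password. The work is done once, before any lookup."""
    return {hash_password(pw, salt): pw for pw in candidates}

def demo(password="hunter2"):
    table = build_table(CANDIDATES)  # built with no salt, reusable everywhere

    # Unsalted storage: two accounts with the same password store the same
    # value, and one table built in advance resolves both.
    alice_plain = hash_password(password)
    bob_plain = hash_password(password)

    # Salted storage: each account gets its own random salt, kept next to
    # the hash. The same password now produces unrelated stored values.
    alice_salt, bob_salt = os.urandom(16), os.urandom(16)
    alice_salted = hash_password(password, alice_salt)
    bob_salted = hash_password(password, bob_salt)

    return {
        "unsalted_lookup": table.get(alice_plain),
        "unsalted_hashes_equal": alice_plain == bob_plain,
        "salted_lookup": table.get(alice_salted),
        "salted_hashes_equal": alice_salted == bob_salted,
        # A table rebuilt for one salt covers that one account only, so the
        # precomputation cannot be amortised across accounts.
        "alice_table_on_alice": build_table(CANDIDATES, alice_salt).get(alice_salted),
        "alice_table_on_bob": build_table(CANDIDATES, alice_salt).get(bob_salted),
        # Legitimate login still works: recompute with the stored salt.
        "login_ok": hash_password(password, alice_salt) == alice_salted,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt removes the benefit of precomputation but does not make an individual guess more expensive, so a weak password is still found by guessing against its own salt.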

So for instance, let's say I encrypted a file with AES 256 using TrueCrypt. How can I tell how many keys per second my computer is capable of trying? Now, if I am correct in understanding this: if I use a rainbow table, the speed is determined by my HD speed. The faster my HD, the quicker I can crack the password?

Link to comment

You are confusing brute forcing a password (which is akin to dialing random numbers until you get the person you're after) with a rainbow table lookup (which is akin to having a phone book, you just look through it until you find the right person and dial the number listed by their name).

Link to comment

Hey,

I think I found my answer. For anyone else who read this and was waiting for the solution: I found out that John the Ripper has a feature called Test. This actually runs through a quick brute force and tells you how many passwords per second your particular computer can handle.

Link to comment