QUESTION & ANSWER

Question & Answer



Question & Answer

Question 1

If we were to compare the use of a dictionary attack with a rainbow table attack we would highlight that while the dictionary attack requires a relatively small wordlist, the rainbow tables are generally a lot bigger, requiring a quite large storage capacity. Rainbow tables must either be downloaded or generated in advance of the attack, and this may take quite a long time depending on your download speed and the system you are using. It is important to be aware that attackers with ill intentions probably would invest a big effort to recover the password. Another observation is that when it comes to cracking passwords with the use of rainbow tables, it does not matter if the password is strong or weak as long as the password is within the requirements sat for the particular rainbow tables.

The password as an authentication mechanism is headed for obsolesce, as the password lengths required to thwart rainbow table attacks are rapidly approaching unmanageable (or unrememberable) proportions. If you are still using the LM hash on your laptop, you might as well put your password in a clear text file and call it “password.txt” - according to our results, anyone who wants your password will have it by the end of the working day. Even though we were not able to crack all the NT hashes, it seems that it is only a matter of time before rainbow tables for all practical password lengths will be generally available also for the NT hash (Garfinkel, 2003).

An obvious opportunity for further work would be to employ rainbow tables for MD5 to see how a vanilla Linux distribution bears up under a cracking attack. It could also be interesting to see if discovered MD5 vulnerabilities could be translated into a practical attack. More fundamental contributions could be made in finding alternatives to passwords that are more secure, but with the same level of social acceptance and ease of use.

Question 2

In today's world, security is a very big concern, and passwords are the primary method of authentication for computer systems. Strong passwords are a must, as are strong encryption algorithms to store those passwords, since they must ultimately be stored somewhere, in order for a user to authenticate to a computer system. This document analyzes the Windows NT implementation of passwords, both native and LAN Manager (Windows 95 compatible), Linux and UNIX passwords, including MD5, DES, Blowfish, and Shadow password files, and the authentication methods of each system. According to Robert Morris, the original author of the crypt (3) function, the original algorithm used in crypt (3) was far too fast, so a slower algorithm needed to be created (Dulaunoy, 2007). This was DES, standardized by the National Bureau of Standards (now the National Institute of Standards and Technology) and designed to be slow when implemented in software. The Data Encryption Standard was first developed in 1988 and later revised in 1993 to fix some ...