Slashdot Mirror

← Back to Stories (view on slashdot.org)

Letters-Only LM Hash Database

Posted by CmdrTaco on from the need-new-security dept.

Peter Clark writes "Disk storage has increased tremendously in the past 5 years and the blatant insecurities in the antiquated LM hashing technique have not gone away; though functionality has been added to disable LM hashes, this is not set by default. With some help from Elcomsoft, simple flat files have been created that hold every combination of LM hash for letters only passwords. Jesko has coded a server application which allows you to access this database. Simply telnet to: beginningtoseethelight.no-ip.org on port 2501 and paste in a LM hash. So how does this differ from Rainbow tables? Well this will return a password 100% of the time, using minimal processor power, in approximately less than 0.2 seconds."

9 of 237 comments (clear)

  1. less than 0.2 seconds by Sediyama · · Score: 5, Funny

    I think someone is underestimating the /. effect.

  2. Re:Someone explain? by Doctor+Memory · · Score: 4, Funny

    I suspect it may be the passwd itself but I am not sure since it is not clear.

    Of course it's not clear, it's been hashed -- haven't you been following along?

    --
    Just junk food for thought...
  3. This just in from beginningtoseethelight... by jmcneill · · Score: 4, Funny

    Dear Slashdot Readers,

    Thank you for letting us know your passwords.

    Regards,
    The staff of beginningtoseethelight

  4. Light? by alapalaya · · Score: 2, Funny

    in the article:

    beginningtoseethelight.no-ip.org

    the /. fortune:

    The light at the end of the tunnel is the headlight of an approaching train.

    Am I the only one to see a connection ?


    --
    667 The Neighbour of the Beast
  5. awright! by sootman · · Score: 5, Funny

    now we're gonna kick it old-skool and /. a telnet server! woo hoo, just like the old days! our next target: gopher://sunsite.unc.edu

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  6. Whew! I'm still safe by DongleFondle · · Score: 5, Funny

    I guess I'm still relatively safe though because my admin password is not only 10 characters long, but has capitals, lower case, numbers and symbols in random order.

    Its H82sd*e2Tn.

    Nobody is ever going to crack that!!!

  7. How long until... by rewt66 · · Score: 2, Funny

    beginningtoseethelight gets hit with a DMCA lawsuit?

    And, yes, I am aware of the irony of posting this on election day in the US...

  8. Holy Ratshit, Batman! by deacon · · Score: 2, Funny
    That's why Microsoft's LM hashing algorithm is so cool -- it uppercases your password before hashing. With this algorithm, multicase passwords do nothing to the statistics.

    Please, please tell me you are joking.

    I am no fan of MicroSoft, but come on, no one would really do something like this.

    I figured that my passwords are safe because they are normally the tunes of music..

    For example

    Taaaah-dum+dum*dum#dum#taaaaah|dum!tum^du m$tum%rumtittytum.

    And since I am tone deaf, It's not very likey that someone will hit upon the combination soon.

    The usage of the +-@# characters is based on a matrix written in pencil on the side of the monitor.

    8^)

  9. Re:modeling unknown passwords by shrikel · · Score: 2, Funny
    much less likely password

    Yes, much less likely, but people sometimes choose things like that for their passwords anyway. My wife's self-chosen password to her bank account, for example, is 'Nfok3G!~qOmp', and I can tell you that NOBODY is going to guess that one!

    --
    Any sufficiently simple magic can be passed off as mere advanced technology.