Instead, today’s rainbow tables are made up of the most popular types of passwords. In Windows, most passwords are one to eight characters long and made up of lowercase letters. Many password hash tables go further to "capture" more passwords and contain all the uppercase and lowercase letters, plus numbers (0-9) and other keyboard symbols.
Windows LM hashes are limited to a maximum length of seven characters, and all characters are uppercase (because LM is not a good hash). Hence, the Internet is full of free, downloadable LM password hash tables capable of cracking most Windows passwords, if the attacker can get the LM hash.
But more and more often, Windows administrators are disabling the LM hashes to prevent password hash cracking. And LM hashes are disabled by default in Windows Vista, leaving only the much harder to crack NT password hashes. Couple that with longer and more complex passwords, and yesterday’s LM rainbow tables just aren’t up to snuff anymore.
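One way to confirm that LM hashes are really gone from an environment, as an added example that is not part of the original column: the script reads a pwdump-style export (line format `user:rid:lmhash:nthash:::` assumed) and flags accounts that still store an LM hash. It relies on LM hashing each seven-character half of the password separately, so an empty second half shows up as a fixed value; the sample lines are constructed and the function names are hypothetical.

```python
import re

# LM value stored when no LM hash is kept (also the LM hash of an empty password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Each 7-character half is hashed on its own; an unused half yields this block.
EMPTY_LM_HALF = EMPTY_LM[:16]
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample export; hash values are placeholders, not real credentials.
SAMPLE = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:1122334455667788aad3b435b51404ee:89abcdef0123456789abcdef01234567:::
carol:1003:99aabbccddeeff001122334455667788:fedcba9876543210fedcba9876543210:::
# comment line
malformed line
"""

def classify(lm_hash):
    """Return what the LM field reveals about an account."""
    lm_hash = lm_hash.lower()
    if lm_hash == EMPTY_LM:
        return "no_lm"      # LM storage disabled: only the NT hash is exposed
    if lm_hash[16:] == EMPTY_LM_HALF:
        return "lm_short"   # LM hash stored, password is 7 characters or fewer
    return "lm_long"        # LM hash stored, password is 8 to 14 characters

def audit(text):
    """Map each account name in a pwdump-style export to its LM status."""
    findings = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not HEX32.match(parts[2]):
            continue        # skip comments and malformed lines
        findings[parts[0]] = classify(parts[2])
    return findings

if __name__ == "__main__":
    for user, status in audit(SAMPLE).items():
        if status != "no_lm":
            print(f"{user}: LM hash still stored ({status})")
```

Any account reported here remains exposed to the freely available LM tables until LM storage is disabled and the password is changed.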
If you want to stay up on password cracking (for auditing purposes), you need to get your hands on some very large NT password hash tables. We’re talking multigigabyte tables, sometimes hundreds of gigabytes. The problem is that generating large NT rainbow tables is beyond the scale of a single computer, or even a hundred computers.
Enter Free Rainbow Tables' new distributed client. Download and install it, and your computer(s) become part of a large distributed computing project to generate larger rainbow tables. There are clients for Windows, Linux, and FreeBSD for now. The Windows client is the only one with a GUI, and you will need the latest Microsoft .NET Framework installed beforehand.
Everyone’s effort will be collected together into free, downloadable large rainbow tables, representing LM and MD5 passwords. MD5 hashes are useful for auditing many other Linux-based security appliances and distributions.
If you are a Windows or security administrator, you can (and should) use rainbow tables to find and eliminate weak passwords in your environment. Me, I love the idea of distributed computing. I’ve been a SETI@home participant for years. I don’t really believe we will find aliens using it, but I love the idea of being involved in something bigger than myself. And what’s a few billion extra CPU cycles that I’m not using?
I also participate in some of the distributed crypto challenges, trying to break small key sizes. Now, I’m adding another distributed computing project to my computers with Free Rainbow Tables. Wonder how they will compete with each other for CPU cycles? Ah, but that's another column…