Q: Security Assessment of UNIX Passwords ( Answered 5 out of 5 stars,   0 Comments )
Question  
Subject: Security Assessment of UNIX Passwords
Category: Computers > Security
Asked by: climbingboulder-ga
List Price: $10.00
Posted: 03 Sep 2003 14:35 PDT
Expires: 03 Oct 2003 14:35 PDT
Question ID: 251918
I am assisting with an in-house vulnerability assessment, and am
trying to determine the risk of exposing an encrypted password
generated on a UNIX machine. I.e. if you can snarf the 13 character 
string from the password (or shadow) file, how easy/long would it 
take to get the original password?


So I'm trying to get some ballpark estimates of what
current industry guidelines are for "crackability".
So I'm willing to pay someone $10 to fill out this table:
    Given a 13 character encrypted UNIX password that is
    8 characters in length and contains all 95 printable
    characters, how long would it take to crack it?
    Time       Equipment/level of effort
    ###        "weekend cracker" - < $10K general purpose hardware/software
    ###        "dedicated cracker" - up to $250K - specialized hardware/software
    ###        NSA cracker - government level type funding/resources/equipment


You MUST include valid/legit references in your answer;
i.e. here is the type of reference URL I'm looking for:
    http://attila.stevens-tech.edu/~khockenb/crypt3.html
but note that this was done in 1997 - I want something in the last year.




P.S. As a "White Hat Sysadmin", I am NOT interested in actually
cracking passwords, so pls don't Email me offering to do that;
as stated above, I just need some help in assessing some risk.
Answer  
Subject: Re: Security Assessment of UNIX Passwords
Answered By: maniac-ga on 03 Sep 2003 18:27 PDT
Rated:5 out of 5 stars
 
Hello Climbingboulder,

I am assuming you are looking for answers relative to the crypt(3)
function described in the paper you referenced. I will also include
some information related to MD5 as well since it is often provided in
Unix / Linux / Open LDAP implementations.

Let's start with a quick extrapolation of the data that Kurt
Hockenbury put together combined with some information I am aware of
and on line resources.

In general terms - the Mhz clock rate is closely related to overall
performance. I measured performance on a variety of platforms
including
 Pentium - 120, 133 Mhz
 Pentium Pro - 200 Mhz
 Pentium II - 350 Mhz
 Pentium III - 500 Mhz, 866 Mhz, 1000 Mhz
(spanning about 5-7 years of CPU technology) and the measured
performance of real applications increased at the same rate as the
clock rate (within 5%). You can get similar results from other
sources. So using that factor, an AMD 2400 MP will be roughly 12 times
faster than each Pentium Pro 200 used by Kurt. Note in Kurt's table
that he uses 10 PPro's to get the 130,000 crypts/sec, so a single AMD
2400 would be roughly 1.2 times faster than the 10 PPro's.

For about $10K and some suitable software, you can get 
  http://www.storeanywhere.com/news/html/storefront/product_info.php?cPath=55&products_id=113
a fully assembled cluster of 8 machines (16 processors) or roughly 192
times the performance of that single system. You can drop the price to
under $10K by suitable replacement of items. Single CPU machines will
cost less than the duals quoted above but take up more space.

The "Weekend Cracker" system can crack a 7 character (95 character
set) crypt(3) password in about 11 months but will take 84 years to
crack the 8 character password.

For the dedicated cracker, let's look at some larger systems. The
KASY0 system at the University of Kentucky
  http://aggregate.org/KASY0/
cost about $40000 and computes at a cost less than $100/GFLOPS. The
CPU's in this system are the AMD 2600's (128 total) so KASY0 would
compute at roughly 166 times faster than the values in Kurt's table.
But you asked for $240K, so six of these would compute just under a
thousand times faster than Kurt's table.

Using that data you get...
 7 characters, 96 character set - under a week
 8 characters, 96 character set - 1.6 years
Hmm. Seven characters are definitely within easy cracking range but
eight is still slightly out of reach.

The government on the other hand can afford a pretty high end system.
The largest Linux cluster on the top500 list
  http://www.top500.org/
is ranked #3, with 2300 2400 Mhz Xeon's (may be $12M or so to build).
  http://www.top500.org/lists/2003/06/3/
That is only about 3 times more powerful than the KASY0 solution in
compute, but also comes with over 100 terabytes of disk storage. If
you use a dictionary attack instead of the brute force calculations,
it would take less than 1/2 year to compute the dictionary and less
than a month to do the look up for the full 8 character, 96 character
set password.

All this analysis was done without use of any custom hardware.
However, there are descriptions of equipment such as DES Cracker
  http://www.eff.org/descracker/
  http://www.cryptography.com/resources/whitepapers/DES.html
built in 1999 that broke the RSA Labs DES Challenge II in three days
for a price of $250,000. There are also papers such as
  http://citeseer.nj.nec.com/345680.html
  (an 11 page paper in a variety of formats)
which describe crypt(3) as being roughly the same complexity as DES
(within a few percent). As a result, both the "dedicated cracker" and
the government can crack crypt(3) in well under a week.

The reference you provide is called out in a few other on line pages.
A search using:
  http://www.google.com/search?as_lq=http%3A%2F%2Fattila.stevens-tech.edu%2F%7Ekhockenb%2Fcrypt3.html&btnG=Search
provides six pages that directly reference the information. The fourth
one:
  http://www.cromwell-intl.com/security/security-sysaudit.html
provides the relative strengths of the different algorithms. Of
particular note is the increased complexity of MD5 in the table - if I
read correctly, about 15 orders of magnitude more complex than the 8
character crypt password.

So - the bottom line appears that what Kurt Hockenbury had predicted
has come true - crypt(3) is basically inadequate for any serious
protection. Use of a more robust algorithm such as MD5 is needed - and
thankfully is available in a number of systems.

If I have missed the mark in the analysis or you need more details on
the calculations - please use a clarification request. I'd be glad to
follow up on this question.

  --Maniac
climbingboulder-ga rated this answer:5 out of 5 stars
Well written complete answer that nailed the question - good job & thanx!
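
The extrapolation in the answer above, reproduced as an added example for risk assessment (it is not part of the original answer): it scales the 130,000 crypts/sec baseline by the answer's speed-up factors to estimate exhaustive-search time against one salted hash. It assumes the 95-character set from the question; the function and dictionary names are illustrative.

```python
"""Exhaustive-search time estimates for a crypt(3) hash (added example)."""
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Baseline quoted in the answer: 10 Pentium Pro 200s in Kurt Hockenbury's table.
BASE_CRYPTS_PER_SEC = 130_000

# Speed-ups relative to that baseline, derived from the answer's own figures.
ATTACKERS = {
    # 16 CPUs, each ~12x one PPro 200 = 192 PPro 200s = 19.2x the 10-PPro rig
    "weekend cracker": 16 * 12 / 10,
    # six KASY0-class clusters at ~166x each ("just under a thousand times")
    "dedicated cracker": 6 * 166,
}


def keyspace(charset: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset ** length


def exhaust_seconds(charset: int, length: int, speedup: float) -> float:
    """Worst-case seconds to try every candidate; the average case is half."""
    return keyspace(charset, length) / (BASE_CRYPTS_PER_SEC * speedup)


def report(charset: int = 95, lengths=(7, 8)):
    """Return one row per (attacker, length): bits of keyspace, days, years."""
    rows = []
    for name, speedup in ATTACKERS.items():
        for n in lengths:
            secs = exhaust_seconds(charset, n, speedup)
            rows.append({
                "attacker": name,
                "length": n,
                "bits": math.log2(keyspace(charset, n)),
                "days": secs / SECONDS_PER_DAY,
                "years": secs / SECONDS_PER_YEAR,
            })
    return rows


if __name__ == "__main__":
    for r in report():
        print(f"{r['attacker']:<18} len={r['length']} "
              f"~2^{r['bits']:.1f} candidates  "
              f"{r['days']:>10.1f} days  ({r['years']:.2f} years)")
```

The bits column shows that an 8-character, 95-symbol password carries well under the 56 bits of a full DES key, which is why password length and character set, not the hash output length, bound the search.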
