Network Security Pen-Test

Re: Whitespace in passwords

Subject: Re: Whitespace in passwords
Date: Thu, 8 Sep 2005 17:54:02 +0100
Alt characters are also pretty cool.

Try Alt 255; this is a blank space.

-----Original Message-----
From: Andrew Meyers <AMeyers@msolgroup.com>
To: Anders Thulin <Anders.Thulin@tietoenator.com>; bryan allott 
<homegrown@bryanallott.net>; pen-test@securityfocus.com 
<pen-test@securityfocus.com>
Sent: Thu Sep 08 01:40:34 2005
Subject: RE: Whitespace in passwords

I like passphrases better because crackers like john and l0pht, by default, 
don't have whitespace in their list of characters. 


-------------------
Andrew Meyers
Systems Engineer
Managed Solution
Email: ameyers@mssandiego.com
Phone: 619-220-0544 x115
Fax: 619-220-0599
http://www.mssandiego.com

-----Original Message-----
From: Anders Thulin [mailto:Anders.Thulin@tietoenator.com] 
Sent: Wednesday, September 07, 2005 3:17 AM
To: bryan allott; pen-test@securityfocus.com
Subject: RE: Whitespace in passwords

From: bryan allott [mailto:homegrown@bryanallott.net]

to the misnomer "passWORD" rather than passPHRASE, but it seems that 
[most?] people choose passes that don't contain whitespace,

  Most people still stick to alphanumeric passwords, and most of those are 
passwords where the digits are placed at the end.
Whitespace is probably not more special than any of the other 'specials' that 
appear on a standard keyboard. A problem is to know just what those are -- a 
look at a keyboard may lead a user to think the 'x' on the keypad is a 
different special character than the '*'.

my main question, re security, is whether the whitespace made the 
password too vulnerable [historically], and why this constraint is 
introduced in many systems.

  Tradition, probably.  In environments where users are given fixed passwords 
that they can't change themselves, space belongs together with S58, O0, and Il1 
to the characters that probably will be misunderstood, and so cause calls to 
helpdesk.
Anything that is likely to cause a help-desk call is a no-no in large 
environments.
  
  Another aspect is regularity of user interface design: should space be 
treated as significant when it appears first and last in a string in general, 
say a Search field in a text editor or a From- field in an e-mail program? If 
not, spaces first and last in passwords will be assumed to be insignificant as 
well -- and so become another source for helpdesk complaints.
Regularity pays off.

 [but then, if a 
myth, why propagate it?]

  Probably also a case that passwords are seldom documented in detail, and few 
people are willing to sit down to find out details by experiment.
(Windows NT hashes use the OEM character set ... which is another source of 
documentation problems.)  So instructions for password construction tend to 
avoid mentioning characters that might be troublesome, even though there are 
some important things to know. 

  For instance, dead accent keys (on my kbd ^ is one) usually don't change the 
base character in a password, so 'pass' and 'pâss' may produce the same 
password hash.

  The most useful character to have in a reasonably modern Windows password is 
EUR (Alt-Gr E on my kbd.) I suspect the reason why is well known -- if not, 
I'll leave it as an exercise. I'm sure there are similar 'oddities' in other 
password situations.

i'm thinking that whitespace [if your
system can handle it, and why not?] would add another measure of 
complexity in cracking passwords?

  Of course it does.  But ... if you already have adequate password 
protection -- say, accounts are locked out after 25 failed attempts per day 
regardless of source --  the extra complexity doesn't add much protection.  (If 
you have the password hashes, security has already failed, and any attempt to 
add a last line of defense in the form of password complexity is misguided: 
it's only a question of time before the passwords are discovered, and that time 
should not be left to users to ensure.) 

Anders Thulin   anders.thulin@tietoenator.com   040-661 50 63     
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
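The pitfalls Anders describes above (edge spaces treated as insignificant, dead accent keys leaving only the base letter, and the Alt 255 "blank" meaning different things under the OEM and ANSI character sets), modelled in an added example that is not part of the thread. The two back ends, sample passwords and the SHA-256 hashing are constructed for illustration, not taken from any real system.

```python
import hashlib
import unicodedata

# Constructed model of two login back ends: one stores the password exactly
# as typed; the other "helpfully" trims edge whitespace and folds accented
# letters to their base letter, which is the behaviour described for
# dead accent keys and leading/trailing spaces. Hashing is plain SHA-256
# here only to make collisions visible; it is not a recommended scheme.


def strict_key(password: str) -> str:
    """Hash the password exactly as entered (UTF-8 bytes)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def lossy_key(password: str) -> str:
    """Hash after trimming edge whitespace and dropping accents (weak policy)."""
    trimmed = password.strip()  # str.strip() also removes U+00A0 (Alt 255)
    folded = "".join(
        ch for ch in unicodedata.normalize("NFKD", trimmed)
        if not unicodedata.combining(ch)
    )
    return hashlib.sha256(folded.encode("utf-8")).hexdigest()


def oem_vs_ansi(keystroke_byte: int):
    """Decode one byte under the OEM (CP437) and ANSI (Windows-1252) code
    pages; Alt 255 on a Windows keyboard produces byte 0xFF."""
    raw = bytes([keystroke_byte])
    return raw.decode("cp437"), raw.decode("cp1252")


def collisions(candidates, keyfunc):
    """Group distinct passwords that the back end stores under the same key."""
    groups = {}
    for pw in candidates:
        groups.setdefault(keyfunc(pw), []).append(pw)
    return [group for group in groups.values() if len(group) > 1]


# Constructed samples: plain, trailing ordinary space, leading Alt 255
# no-break space, an accented letter, and an unrelated password.
SAMPLES = ["pass", "pass ", "\u00a0pass", "p\u00e2ss", "other"]

if __name__ == "__main__":
    print("Alt 255 under OEM / ANSI:", oem_vs_ansi(0xFF))
    print("strict back end collisions:", collisions(SAMPLES, strict_key))
    print("lossy back end collisions: ", collisions(SAMPLES, lossy_key))
```

Under the lossy policy four distinct passwords become one stored key, so the extra complexity the user believed they added is silently lost; the strict policy keeps them apart but inherits the helpdesk confusion the thread describes.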

 


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------









