Re: Whitespace in passwords

Why aren't alt characters feasible alt255 is an easy one for anyone to remember 
and if the policy for passwords dictates the requirement then most large firms 
would accept this especially if it made the password in the current view 
untouchable for the for seable future
 

-----Original Message-----
From: Craig Wright <cwright@bdosyd.com.au>
To: Bryan McAninch <BMcAninch@PENSON.COM>; pen-test@securityfocus.com 
<pen-test@securityfocus.com>
CC: pand0ra.usa@gmail.com <pand0ra.usa@gmail.com>
Sent: Tue Sep 20 02:01:34 2005
Subject: RE: Whitespace in passwords

Precomputed tables - all lanman  fits into 64Gb - time to post about a week
Complete tables - all NTLM MD5 etc should fit to about 2.5 Gb - there are 
external usb drive packs larger than this

Re the 1024-bit RSA keypair - there is some good work being done using 
quadratic methods

The point is that anyone can download a "14 character all lowercase passphrase 
with numbers" precomputed database and crack all of these in milliseconds with 
an old P3

The "14 character all lowercase passphrase with numbers" set is only 3gb and it 
took me a week to generate - without dedicating the hosts - see lm 
configuration #5 at http://www.antsight.com/zsl/rainbowcrack/

Go further lm #6 and I quote from the page "This charset includes all possbile 
characters on a standard keyboard (not including those alt+xxx characters)"

As previously stated - with standard users (ie any large firm) alt+xxx chars 
are NOT feasible

Regards
Craig 

PS 

Some reading for those (like me) that enjoy maths re the RSA keys

Biehl and J. Buchmann, An analysis of the reduction algorithm for binary 
quadratic forms, <i>Voronoi's Impact on Modern Science</i> (Kyiv, Ukriaine) (P. 
Engel and H. Syta, eds.), Vol. 1, Institute of Mathematics of National Academy 
of Sciences (1999). 

Dan Boneh , Matthew K. Franklin, Identity-Based Encryption from the Weil 
Pairing, Proceedings of the 21st Annual International Cryptology Conference on 
Advances in Cryptology, p.213-229, August 19-23, 2001 

D.A. Cox, <i>Primes of the form x<sup>2</sup> + ny<sup>2</sup></i>, John Wiley 
& Sons, New York (1989). 

Damian Weber , Thomas F. Denny, The Solution of McCurley's Discrete Log 
Challenge, Proceedings of the 18th Annual International Cryptology Conference 
on Advances in Cryptology, p.458-471, August 23-27, 1998 

-----Original Message-----
From: Bryan McAninch [mailto:BMcAninch@PENSON.COM] 
Sent: 20 September 2005 3:21
To: pen-test@securityfocus.com
Cc: pand0ra.usa@gmail.com
Subject: RE: Whitespace in passwords


As I understand it, the central limit theorem states that a randomized brute 
force attempt only takes x^y/x or x^(y-1) operations to crack a given keyspace, 
where x is the base (number of valid characters), y is the exponentiation 
variable (length) and x^y is the keyspace (total combinations). 

For example (pardon the formatting):

60^7/60  =          2799360000000/60 = 46656000000           -> 60^(7-1) = 60^6 
 = 46656000000 operations
86^7/86  =         34792782221696/86 = 404567235136          -> 86^(7-1) = 86^6 
 = 404567235136 operations
62^8/62  =        218340105584896/62 = 3521614606208         -> 62^(8-1) = 62^7 
 = 3521614606208 operations
86^8/86  =       2992179271065856/86 = 34792782221696        -> 86^(8-1) = 86^7 
 = 34792782221696 operations
36^14/36 = 6140942214464815497216/36 = 170581728179578208256 -> 36^(14-1)= 
36^13 = 170581728179578208256 operations

This is why public key authentication is recommended over passwords 
authentication. Given a mere 1024-bit key, it would theoretically take 2^1023 
operations to crack the key:

2^1024 = (1.797693134862315907729305190789 * 10^308)/2 = 
8.9884656743115795386465259539451 * 10^307 -> 10^1023 = 
8.9884656743115795386465259539451 * 10^307

Taking the 36^14 password above and comparing it to a 1024-bit RSA keypair, you 
have the follwing difference:

(2^1023) - (36^13) = (8.9884656743115795386465259539451 * 10^307) - 
(170581728179578208256) = 8.9884656743115795386465259539451e * 10^307 more 
operations with a 1024-bit RSA keypair, quite a difference! :)

Cheers,
Bryan

-----Original Message-----
From: Tim [mailto:pand0ra.usa@gmail.com]
Sent: Monday, September 12, 2005 01:01 PM
To: pen-test@securityfocus.com
Subject: Re: Whitespace in passwords

It all about the math. Let's write it out, say you have a machine that runs 
3,000,000 combinations per second (about a 1.6 GHz machine). In this example we 
will use the Windows LanMan Challange/Response (which is bad to begin with, but 
the main key in this is that it does not use a salt).

60 possible characters and the password is 7 characters long.(no spaces)
60^7 = 2,799,360,000,000 = 10.8 days (A-Z, 0-9, special)

86 possible characters and the password is 7 characters long.(no spaces)
86^7 = 34,792,782,221,696 = 134.23 days (A-Z, a-z, 0-9, special)

62 possible characters and the password is 8 characters long.(no spaces)
62^8 = 218,340,105,584,896 = 2.3 years (A-Z, 0-9, special)

86 possible characters and the password is 8 characters long.(no spaces)
86^8 = 2992179271065856 = 31.62 years (A-Z, a-z, 0-9, special)

36 possible characters and the password is 14 characters long. (no spaces)
36^14 = 6,140,942,214,464,815,497,216 combinations = 64,909,333 years (a-z, 
0-9) 2bigbrown1dogs (throw some special characters in) We have 2 big brown 
dogs! (25 characters using numbers, upper and lower, and special cahracters, 
you do the math). Microsoft Windows supports up to ~250 characters for the 
passwords/phrases.

The point here is that a 14 character all lowercase passphrase with numbers is 
millions of time more difficult that a 'strong' 8 character password with all 
sorts of characters. A space is just another character and don't believe that 
it will protect you from getting your password  cracked (security through 
obsecurity?). Also, keep in mind that if you use a algo that has a salt and 
supports many characters you will be much better off. Instead of making things 
more complex for your users (which also increses the risk of them posting their 
password on a stick-it note) make the passphrase easy for them to remember.

Side note: Disable LanMan on all Windows machines if you are not running any 
Windows 95/98/ME machines. It is there for backward compatability and is still 
enabled by default on Windows 2003 Servers.


On 9/11/05, dave kleiman <dave@isecureu.com> wrote:
> They also do not have a lot of the Extended ASCII characters:
>
> http://www.securityfocus.com/archive/88/312263
>
>
> Dave
>
> > -----Original Message-----
> > From: Steve.Cummings@barclayscapital.com
> > [mailto:Steve.Cummings@barclayscapital.com]
> > Sent: Thursday, September 08, 2005 12:54
> > To: AMeyers@msolgroup.com; Anders.Thulin@tietoenator.com; 
> > homegrown@bryanallott.net; pen-test@securityfocus.com
> > Subject: Re: Whitespace in passwords
> >
> > Alt characters are also pretty cool
> >
> > Try alt 255 this is blank space
> >
> >
> > -----Original Message-----
> > From: Andrew Meyers <AMeyers@msolgroup.com>
> > To: Anders Thulin <Anders.Thulin@tietoenator.com>; bryan allott 
> > <homegrown@bryanallott.net>; pen-test@securityfocus.com 
> > <pen-test@securityfocus.com>
> > Sent: Thu Sep 08 01:40:34 2005
> > Subject: RE: Whitespace in passwords
> >
> > I like pass phrases better because crackers like john and l0pht, by 
> > default, don't have white spaces in their list of characters.
> >
> >
> > -------------------
> > Andrew Meyers
> > Systems Engineer
> > Managed Solution
> > Email: ameyers@mssandiego.com
> > Phone: 619-220-0544 x115
> > Fax: 619-220-0599
> > http://www.mssandiego.com
> >
> > -----Original Message-----
> > From: Anders Thulin [mailto:Anders.Thulin@tietoenator.com]
> > Sent: Wednesday, September 07, 2005 3:17 AM
> > To: bryan allott; pen-test@securityfocus.com
> > Subject: RE: Whitespace in passwords
> >
> > > From: bryan allott [mailto:homegrown@bryanallott.net]
> >
> > > to the misnomer "passWORD" rather than passPHRASE but it seems 
> > > that [most?] people choose passes that dont contain whitespaces,
> >
> >   Most people still stick to alphanumeric passwords, and most of 
> > those are passwords where the digits are placed at the end.
> > Whitespace is probably not more special than any of the other 
> > 'specials' that appear on a standard keyboard. A problem is to know 
> > just what those are -- a look at a keyboard may lead a user to think 
> > the 'x' on the keypad is a different special character than the '*'.
> >
> > > my main question, re security, is wether the whitespace made the 
> > > password too vulnerable? [historically] and why this constraint is 
> > > introduced in many systems..
> >
> >   Tradition, probably.  In environments where users are given fixed 
> > passwords that they can't change themselves, space belongs together 
> > with S58, O0, and Il1 to the characters that probably will be 
> > misunderstood, and so cause calls to helpdesk.
> > Anything that is likely to cause a help-desk call is a no-no in 
> > large environments.
> >
> >   Another aspect is regularity of user interface design:
> > should space be treated as significant when it appears first and 
> > last in a string in general, say a Search field in a text editor or 
> > a From- field in an e-mail program? If not, spaces first and last in 
> > passwords will be assumed to be insignificant as well -- and so 
> > become another source for helpdesk complaints.
> > Regularity pays off.
> >
> >  [but then, if
> > > myth- why propogate it?]
> >
> >   Probably also a case that password are seldom documented in 
> > detail, and few people are willing to sit down to find out details 
> > by experiment.
> > (Windows NT hashes use the OEM character set ... which is another 
> > source of documentation problems.)  So instructions for password 
> > construction tend to avoid mentioning characters that might be 
> > troublesome, even though there are some important things to know.
> >
> >   For instance, dead accent keys (on my kbd ^ is one) usually don't 
> > change the base character in a password, so 'pass' and 'pâss' may 
> > produce the same password hash.
> >
> >   The most useful character to have in a reasonably modern Windows 
> > password is EUR (Alt-Gr E on my kbd.) I suspect the reason why is 
> > well known -- if not, I'll leave it as an exercize. I'm sure there 
> > are similar 'oddities' on other password situations.
> >
> > > i'm thinking that whitespaces [if yr system can handle them, and 
> > > why not?] would add another measure of complexity in cracking 
> > > pwds?
> >
> >   Of course they do.  But ... if you alredy have an adequate 
> > password protection -- say, accounts are locked out after 25 failed 
> > attempts per day regardless of source --  the extra complexity 
> > doesn't add much protection.  (If you have the password hashes, 
> > security has already failed, and any attempt to add a last line of 
> > defense in the form of password complexity is misguided: it's only a 
> > question of time before the passwords are discovered, and that time 
> > should not be left to users to ensure.)
> >
> > Anders Thulin   anders.thulin@tietoenator.com   040-661 50 63
> > TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
> >
> >
> >
> >
> > --------------------------------------------------------------
> > ----------------
> > Audit your website security with Acunetix Web Vulnerability Scanner:
> >
> > Hackers are concentrating their efforts on attacking applications on 
> > your website. Up to 75% of cyber attacks are launched on shopping 
> > carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
> > locked-down servers are futile against web application hacking.
> > Check your website for vulnerabilities to SQL injection, Cross site 
> > scripting and other web attacks before hackers do!
> > Download Trial at:
> >
> > http://www.securityfocus.com/sponsor/pen-test_050831
> > --------------------------------------------------------------
> > -----------------
> >
> >
> > --------------------------------------------------------------
> > ----------------
> > Audit your website security with Acunetix Web Vulnerability Scanner:
> >
> > Hackers are concentrating their efforts on attacking applications on 
> > your website. Up to 75% of cyber attacks are launched on shopping 
> > carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
> > locked-down servers are futile against web application hacking.
> > Check your website for vulnerabilities to SQL injection, Cross site 
> > scripting and other web attacks before hackers do!
> > Download Trial at:
> >
> > http://www.securityfocus.com/sponsor/pen-test_050831
> > --------------------------------------------------------------
> > -----------------
> >
> >
> >
> >
> > --------------------------------------------------------------
> > ----------
> > For more information about Barclays Capital, please visit our web 
> > site at http://www.barcap.com.
> >
> >
> > Internet communications are not secure and therefore the Barclays 
> > Group does not accept legal responsibility for the contents of this 
> > message.  Although the Barclays Group operates anti-virus 
> > programmes, it does not accept responsibility for any damage 
> > whatsoever that is caused by viruses being passed.  Any views or 
> > opinions presented are solely those of the author and do not 
> > necessarily represent those of the Barclays Group.  Replies to this 
> > email may be monitored by the Barclays Group for operational or 
> > business reasons.
> >
> > --------------------------------------------------------------
> > ----------
> >
> >
> > --------------------------------------------------------------
> > ----------------
> > Audit your website security with Acunetix Web Vulnerability Scanner:
> >
> > Hackers are concentrating their efforts on attacking applications on 
> > your website. Up to 75% of cyber attacks are launched on shopping 
> > carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
> > locked-down servers are futile against web application hacking.
> > Check your website for vulnerabilities to SQL injection, Cross site 
> > scripting and other web attacks before hackers do!
> > Download Trial at:
> >
> > http://www.securityfocus.com/sponsor/pen-test_050831
> > --------------------------------------------------------------
> > -----------------
>
>
>
> ----------------------------------------------------------------------
> -------- Audit your website security with Acunetix Web Vulnerability
> Scanner:
>
> Hackers are concentrating their efforts on attacking applications on 
> your website. Up to 75% of cyber attacks are launched on shopping 
> carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
> locked-down servers are futile against web application hacking. Check 
> your website for vulnerabilities to SQL injection, Cross site scripting and 
> other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------
> ---------


--
Tim Van Cleave

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------