John was a tool which was good a decade ago
The tools have moved on - just because not everyone here has used precomputed
tables and quadratic methods does not mean that an attacker does not know of
them. I am sure that Barclays Capital has enough of a presence to attract the
corporate criminal type...
I reiterate - the real issue is to stop an attacker getting this info in the
first place.
Secure Server plus secure client settings in group policy on a MSFT network and
this is no longer an issue. "An Ounce of Prevention is worth a pound of cure"...
Craig
-----Original Message-----
From: Steve.Cummings@barclayscapital.com
[mailto:Steve.Cummings@barclayscapital.com]
Sent: 21 September 2005 3:37
To: Craig Wright; BMcAninch@PENSON.COM; pen-test@securityfocus.com
Cc: pand0ra.usa@gmail.com
Subject: Re: Whitespace in passwords
Try the password of your choice with alt 255 in the middle currently things
like lopht and john don't get near it
-----Original Message-----
From: Craig Wright <cwright@bdosyd.com.au>
To: Cummings, Steve: IT (LDN) <Steve.Cummings@barclayscapital.com>;
BMcAninch@PENSON.COM <BMcAninch@PENSON.COM>; pen-test@securityfocus.com
<pen-test@securityfocus.com>
CC: pand0ra.usa@gmail.com <pand0ra.usa@gmail.com>
Sent: Tue Sep 20 20:27:52 2005
Subject: RE: Whitespace in passwords
HI
1st it does not make them untouchable
Next, MOST applications do not accept Alt+xxx based passwords - very few users
will use them as well
Do your users authenticate via a Radius systems, the web...? Any of these will
not accept Alt+xxx chars.
Most users will have issues using this
the following does not make a very memerable password - see how often it is
remembered?
¦ß?|?O11s
Craig
-----Original Message-----
From: Steve.Cummings@barclayscapital.com
[mailto:Steve.Cummings@barclayscapital.com]
Sent: Wed 21/09/2005 2:41 AM
To: Craig Wright; BMcAninch@PENSON.COM; pen-test@securityfocus.com
Cc: pand0ra.usa@gmail.com
Subject: Re: Whitespace in passwords
Why aren't alt characters feasible alt255 is an easy one for anyone to
remember and if the policy for passwords dictates the requirement then most
large firms would accept this especially if it made the password in the current
view untouchable for the for seable future
------------------------------------------------------------------------
For more information about Barclays Capital, please visit our web site at
http://www.barcap.com.
Internet communications are not secure and therefore the Barclays Group does
not accept legal responsibility for the contents of this message. Although the
Barclays Group operates anti-virus programmes, it does not accept
responsibility for any damage whatsoever that is caused by viruses being
passed. Any views or opinions presented are solely those of the author and do
not necessarily represent those of the Barclays Group. Replies to this email
may be monitored by the Barclays Group for operational or business reasons.
------------------------------------------------------------------------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
