|
Penetration Testing
mailing list archives
Re: Whitespace in passwords
From: Anurag Joshi <mastermindanu () gmail com>
Date: Fri, 09 Sep 2005 08:16:03 +0530
List,
With due respect i dont think whitespaces would make any
difference. It just depends on the encrypting algo. In all cases
whitespace amounts to a ASCII code and hence a binary representation,
thus encrypting or decrypting would make no difference. If the algo has
no no rule for whitespaces then it is not allowed. But when it comes to
symbols whitespaces, underscores, dash are probably the first ones
anyone will look for.
Anurag Joshi
Bruce K. Marshall wrote:
Bryan,
I don't believe there is any reason that people are discouraged from
using the space character other than application programming
restrictions. If the space character was a field delimeter or
otherwise broke the coded password processing function the programmers
wouldn't allow it in a password.
I don't see this restriction very often these days. But we do have
Microsoft treating the space character differently than any other.
They don't classify it as lowercase, uppercase, number, or symbol when
checking the password against complexity requirements. I consider it
a symbol, and it falls within the top 10 most popular symbols when
analyzing password choices. But even then it is not a popular character.
Making complete use of all available characters is important for
increasing the difficulty of password cracking. It isn't enough to
just make the space character available and then only encourage people
to use letters and numbers.
----
Bruce K. Marshall - bkmarshall () passwordresearch com
Password Research Institute - http://www.passwordresearch.com
----- Original Message ----- From: "bryan allott"
<homegrown () bryanallott net>
To: <pen-test () securityfocus com>
Sent: Tuesday, September 06, 2005 4:19 AM
Subject: Whitespace in passwords
generally, and i dont know if this is social conditioning due to the
misnomer "passWORD" rather than passPHRASE but it seems that [most?]
people choose passes that dont contain whitespaces, and in fact,
there are some system implementations that wont allow whitespaces in
the password.
my main question, re security, is wether the whitespace made the
password too vulnerable? [historically] and why this constraint is
introduced in many systems.. [but then, if myth- why propogate it?]
i'm thinking that whitespaces [if yr system can handle them, and why
not?] would add another measure of complexity in cracking pwds?
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping
carts, forms, login pages, dynamic content etc. Firewalls, SSL and
locked-down servers are futile against web application hacking. Check
your website for vulnerabilities to SQL injection, Cross site
scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
- Re: Multiple Spoofed HTTP Requests, (continued)
|
Intro
