Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Whitespace in passwords
From: "dave kleiman" <dave () isecureu com>
Date: Sun, 11 Sep 2005 13:24:49 -0400

They also do not have a lot of the Extended ASCII characters:

http://www.securityfocus.com/archive/88/312263


Dave

-----Original Message-----
From: Steve.Cummings () barclayscapital com
[mailto:Steve.Cummings () barclayscapital com]
Sent: Thursday, September 08, 2005 12:54
To: AMeyers () msolgroup com; Anders.Thulin () tietoenator com;
homegrown () bryanallott net; pen-test () securityfocus com
Subject: Re: Whitespace in passwords

Alt characters are also pretty cool

Try alt 255 this is blank space


-----Original Message-----
From: Andrew Meyers <AMeyers () msolgroup com>
To: Anders Thulin <Anders.Thulin () tietoenator com>; bryan
allott <homegrown () bryanallott net>;
pen-test () securityfocus com <pen-test () securityfocus com>
Sent: Thu Sep 08 01:40:34 2005
Subject: RE: Whitespace in passwords

I like pass phrases better because crackers like john and
l0pht, by default, don't have white spaces in their list of
characters.


-------------------
Andrew Meyers
Systems Engineer
Managed Solution
Email: ameyers () mssandiego com
Phone: 619-220-0544 x115
Fax: 619-220-0599
http://www.mssandiego.com

-----Original Message-----
From: Anders Thulin [mailto:Anders.Thulin () tietoenator com]
Sent: Wednesday, September 07, 2005 3:17 AM
To: bryan allott; pen-test () securityfocus com
Subject: RE: Whitespace in passwords

From: bryan allott [mailto:homegrown () bryanallott net]

to the misnomer "passWORD" rather than passPHRASE but it seems that
[most?] people choose passes that dont contain whitespaces,

  Most people still stick to alphanumeric passwords, and most
of those are passwords where the digits are placed at the end.
Whitespace is probably not more special than any of the other
'specials' that appear on a standard keyboard. A problem is
to know just what those are -- a look at a keyboard may lead
a user to think the 'x' on the keypad is a different special
character than the '*'.

my main question, re security, is wether the whitespace made the
password too vulnerable? [historically] and why this constraint is
introduced in many systems..

  Tradition, probably.  In environments where users are given
fixed passwords that they can't change themselves, space
belongs together with S58, O0, and Il1 to the characters that
probably will be misunderstood, and so cause calls to helpdesk.
Anything that is likely to cause a help-desk call is a no-no
in large environments.

  Another aspect is regularity of user interface design:
should space be treated as significant when it appears first
and last in a string in general, say a Search field in a text
editor or a From- field in an e-mail program? If not, spaces
first and last in passwords will be assumed to be
insignificant as well -- and so become another source for
helpdesk complaints.
Regularity pays off.

 [but then, if
myth- why propogate it?]

  Probably also a case that password are seldom documented in
detail, and few people are willing to sit down to find out
details by experiment.
(Windows NT hashes use the OEM character set ... which is
another source of documentation problems.)  So instructions
for password construction tend to avoid mentioning characters
that might be troublesome, even though there are some
important things to know.

  For instance, dead accent keys (on my kbd ^ is one) usually
don't change the base character in a password, so 'pass' and
'pâss' may produce the same password hash.

  The most useful character to have in a reasonably modern
Windows password is EUR (Alt-Gr E on my kbd.) I suspect the
reason why is well known -- if not, I'll leave it as an
exercize. I'm sure there are similar 'oddities' on other
password situations.

i'm thinking that whitespaces [if yr
system can handle them, and why not?] would add another measure of
complexity in cracking pwds?

  Of course they do.  But ... if you alredy have an adequate
password protection -- say, accounts are locked out after 25
failed attempts per day regardless of source --  the extra
complexity doesn't add much protection.  (If you have the
password hashes, security has already failed, and any attempt
to add a last line of defense in the form of password
complexity is misguided: it's only a question of time before
the passwords are discovered, and that time should not be
left to users to ensure.)

Anders Thulin   anders.thulin () tietoenator com   040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö




--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking
applications on your website. Up to 75% of cyber attacks are
launched on shopping carts, forms, login pages, dynamic
content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting
and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------


--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking
applications on your website. Up to 75% of cyber attacks are
launched on shopping carts, forms, login pages, dynamic
content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting
and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------




--------------------------------------------------------------
----------
For more information about Barclays Capital, please visit our
web site at http://www.barcap.com.


Internet communications are not secure and therefore the
Barclays Group does not accept legal responsibility for the
contents of this message.  Although the Barclays Group
operates anti-virus programmes, it does not accept
responsibility for any damage whatsoever that is caused by
viruses being passed.  Any views or opinions presented are
solely those of the author and do not necessarily represent
those of the Barclays Group.  Replies to this email may be
monitored by the Barclays Group for operational or business reasons.

--------------------------------------------------------------
----------


--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking
applications on your website. Up to 75% of cyber attacks are
launched on shopping carts, forms, login pages, dynamic
content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting
and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------






------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]