Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Whitespace in passwords
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 15 Sep 2005 08:15:53 +1000

The issue is who cares anymore really?

They have been precomputed - so time to download is all that matters.

At worst time to get the DVDs of the precomputed hashes in the mail. 

Why reinvent the wheel? Again and again and again

How about considering all passwords bad. If there is a stream that you can capture - than it should be considered able 
to be broken. Set up the systems correctly in the first place so that there is nothing to capture and password guessing 
(if used rather than a better method) is limited 

Craig 

-----Original Message-----
From: Tim [mailto:pand0ra.usa () gmail com] 
Sent: 13 September 2005 4:01
To: pen-test () securityfocus com
Subject: Re: Whitespace in passwords

It all about the math. Let's write it out, say you have a machine that runs 3,000,000 combinations per second (about a 
1.6 GHz machine). In this example we will use the Windows LanMan Challange/Response (which is bad to begin with, but 
the main key in this is that it does not use a salt).

60 possible characters and the password is 7 characters long.(no spaces)
60^7 = 2,799,360,000,000 = 10.8 days (A-Z, 0-9, special)

86 possible characters and the password is 7 characters long.(no spaces)
86^7 = 34,792,782,221,696 = 134.23 days (A-Z, a-z, 0-9, special)

62 possible characters and the password is 8 characters long.(no spaces)
62^8 = 218,340,105,584,896 = 2.3 years (A-Z, 0-9, special)

86 possible characters and the password is 8 characters long.(no spaces)
86^8 = 2992179271065856 = 31.62 years (A-Z, a-z, 0-9, special)

36 possible characters and the password is 14 characters long. (no spaces)
36^14 = 6,140,942,214,464,815,497,216 combinations = 64,909,333 years (a-z, 0-9) 2bigbrown1dogs (throw some special 
characters in) We have 2 big brown dogs! (25 characters using numbers, upper and lower, and special cahracters, you do 
the math). Microsoft Windows supports up to ~250 characters for the passwords/phrases.

The point here is that a 14 character all lowercase passphrase with numbers is millions of time more difficult that a 
'strong' 8 character password with all sorts of characters. A space is just another character and don't believe that it 
will protect you from getting your password  cracked (security through obsecurity?). Also, keep in mind that if you use 
a algo that has a salt and supports many characters you will be much better off. Instead of making things more complex 
for your users (which also increses the risk of them posting their password on a stick-it note) make the passphrase 
easy for them to remember.

Side note: Disable LanMan on all Windows machines if you are not running any Windows 95/98/ME machines. It is there for 
backward compatability and is still enabled by default on Windows 2003 Servers.


On 9/11/05, dave kleiman <dave () isecureu com> wrote:
They also do not have a lot of the Extended ASCII characters:

http://www.securityfocus.com/archive/88/312263


Dave

-----Original Message-----
From: Steve.Cummings () barclayscapital com
[mailto:Steve.Cummings () barclayscapital com]
Sent: Thursday, September 08, 2005 12:54
To: AMeyers () msolgroup com; Anders.Thulin () tietoenator com; 
homegrown () bryanallott net; pen-test () securityfocus com
Subject: Re: Whitespace in passwords

Alt characters are also pretty cool

Try alt 255 this is blank space


-----Original Message-----
From: Andrew Meyers <AMeyers () msolgroup com>
To: Anders Thulin <Anders.Thulin () tietoenator com>; bryan allott 
<homegrown () bryanallott net>; pen-test () securityfocus com 
<pen-test () securityfocus com>
Sent: Thu Sep 08 01:40:34 2005
Subject: RE: Whitespace in passwords

I like pass phrases better because crackers like john and l0pht, by 
default, don't have white spaces in their list of characters.


-------------------
Andrew Meyers
Systems Engineer
Managed Solution
Email: ameyers () mssandiego com
Phone: 619-220-0544 x115
Fax: 619-220-0599
http://www.mssandiego.com

-----Original Message-----
From: Anders Thulin [mailto:Anders.Thulin () tietoenator com]
Sent: Wednesday, September 07, 2005 3:17 AM
To: bryan allott; pen-test () securityfocus com
Subject: RE: Whitespace in passwords

From: bryan allott [mailto:homegrown () bryanallott net]

to the misnomer "passWORD" rather than passPHRASE but it seems 
that [most?] people choose passes that dont contain whitespaces,

  Most people still stick to alphanumeric passwords, and most of 
those are passwords where the digits are placed at the end.
Whitespace is probably not more special than any of the other 
'specials' that appear on a standard keyboard. A problem is to know 
just what those are -- a look at a keyboard may lead a user to think 
the 'x' on the keypad is a different special character than the '*'.

my main question, re security, is wether the whitespace made the 
password too vulnerable? [historically] and why this constraint is 
introduced in many systems..

  Tradition, probably.  In environments where users are given fixed 
passwords that they can't change themselves, space belongs together 
with S58, O0, and Il1 to the characters that probably will be 
misunderstood, and so cause calls to helpdesk.
Anything that is likely to cause a help-desk call is a no-no in 
large environments.

  Another aspect is regularity of user interface design:
should space be treated as significant when it appears first and 
last in a string in general, say a Search field in a text editor or 
a From- field in an e-mail program? If not, spaces first and last in 
passwords will be assumed to be insignificant as well -- and so 
become another source for helpdesk complaints.
Regularity pays off.

 [but then, if
myth- why propogate it?]

  Probably also a case that password are seldom documented in 
detail, and few people are willing to sit down to find out details 
by experiment.
(Windows NT hashes use the OEM character set ... which is another 
source of documentation problems.)  So instructions for password 
construction tend to avoid mentioning characters that might be 
troublesome, even though there are some important things to know.

  For instance, dead accent keys (on my kbd ^ is one) usually don't 
change the base character in a password, so 'pass' and 'pâss' may 
produce the same password hash.

  The most useful character to have in a reasonably modern Windows 
password is EUR (Alt-Gr E on my kbd.) I suspect the reason why is 
well known -- if not, I'll leave it as an exercize. I'm sure there 
are similar 'oddities' on other password situations.

i'm thinking that whitespaces [if yr system can handle them, and 
why not?] would add another measure of complexity in cracking 
pwds?

  Of course they do.  But ... if you alredy have an adequate 
password protection -- say, accounts are locked out after 25 failed 
attempts per day regardless of source --  the extra complexity 
doesn't add much protection.  (If you have the password hashes, 
security has already failed, and any attempt to add a last line of 
defense in the form of password complexity is misguided: it's only a 
question of time before the passwords are discovered, and that time 
should not be left to users to ensure.)

Anders Thulin   anders.thulin () tietoenator com   040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö




--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on 
your website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are futile against web application hacking. 
Check your website for vulnerabilities to SQL injection, Cross site 
scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------


--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on 
your website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are futile against web application hacking. 
Check your website for vulnerabilities to SQL injection, Cross site 
scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------




--------------------------------------------------------------
----------
For more information about Barclays Capital, please visit our web 
site at http://www.barcap.com.


Internet communications are not secure and therefore the Barclays 
Group does not accept legal responsibility for the contents of this 
message.  Although the Barclays Group operates anti-virus 
programmes, it does not accept responsibility for any damage 
whatsoever that is caused by viruses being passed.  Any views or 
opinions presented are solely those of the author and do not 
necessarily represent those of the Barclays Group.  Replies to this 
email may be monitored by the Barclays Group for operational or 
business reasons.

--------------------------------------------------------------
----------


--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on 
your website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are futile against web application hacking. 
Check your website for vulnerabilities to SQL injection, Cross site 
scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------






----------------------------------------------------------------------
-------- Audit your website security with Acunetix Web Vulnerability 
Scanner:

Hackers are concentrating their efforts on attacking applications on 
your website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are futile against web application hacking. Check 
your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------
---------




--
Tim Van Cleave

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are 
launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile 
against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and 
other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]