Penetration Testing mailing list archives

Re: Whitespace in passwords
From: Paul Robertson <compuwar () gmail com>
Date: Fri, 16 Sep 2005 13:47:28 -0400

On 9/9/05, Peter Parker <peterparker () fastmail fm> wrote:

> Most of the available crackers have an option to brute all possible
> characters (including whitespaces). We want strong password because we
> don't want them to be compromised (by any means)

Strong passwords *normally* force users to write them down, and unless
you've exposed a dictionary-attackable service like OWA, don't really
help- since the big risk is local exploitation where those little
yellow notes make all the difference.

> Since _most_ of the precomputed tables available for rainbow crack are
> generally not ones generated with whitespaces so I started using it
> regularly in my passwords :D

1.  Thanks for helping reduce the keyspace necessary to acquire your
passwords :-P
2.  The newest Shmoo tables include the space character.
3.  Disabling backwards-compatible hashes and the local storage of
hashes (if possible) will go a lot further than hoping that an
attacker's tables don't have the characters you're using or that the
math doesn't suddenly become easy.
4.  OTPs which are well-generated in hardware are generally worth more
than any other scheme for solving the password problem.
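
Added example, not part of the original message: a read-only PowerShell check of the settings that correspond to point 3 on a Windows host. It assumes "backwards-compatible hashes" means LM hashes and LM/NTLMv1 authentication, and "local storage of hashes" means cached domain logons; the function names are illustrative.

```powershell
# Added example, not from the original post. Read-only audit of a Windows host.
# Assumed reading of point 3: LM hashes and cached domain logon verifiers.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-HashStoragePolicy {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $noLmHash = Get-RegValue -Path $lsa -Name 'NoLMHash'
    $lmLevel  = Get-RegValue -Path $lsa -Name 'LmCompatibilityLevel'
    $cached   = Get-RegValue -Path $winlogon -Name 'CachedLogonsCount'

    # 1 = do not store an LM hash at the next password change.
    [pscustomobject]@{
        Setting = 'NoLMHash'; Value = $noLmHash
        Ok      = ($noLmHash -eq 1)
        Note    = 'Existing LM hashes remain until each password is changed'
    }
    # 3 or higher = client sends NTLMv2 only; 5 = server also refuses LM and NTLM.
    [pscustomobject]@{
        Setting = 'LmCompatibilityLevel'; Value = $lmLevel
        Ok      = ($null -ne $lmLevel -and [int]$lmLevel -ge 3)
        Note    = 'Absent means the OS default applies; set it explicitly'
    }
    # Stored as a string; 0 = keep no cached domain logons on this machine.
    [pscustomobject]@{
        Setting = 'CachedLogonsCount'; Value = $cached
        Ok      = ($null -ne $cached -and [int]$cached -eq 0)
        Note    = 'With 0, domain users cannot log on while no DC is reachable'
    }
}

Test-HashStoragePolicy | Format-Table -AutoSize
```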

