Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Whitespace in passwords
From: "dave kleiman" <dave () isecureu com>
Date: Sun, 18 Sep 2005 17:08:43 -0400

Craig,

Are you suggesting they have a Unicode/extend ASCII table hidden from use?

How about we try possibly forcing Unicode character:

if(strInList(szPwd,aBadWords))
    bComplex = FALSE;

if(cchPassword > 9){
    for(i = 0; i < cchPassword ; i++){
        if(szPwd[i] & C1_DIGIT) { dwNum = 1; continue; }
        if(szPwd[i] & C1_UPPER) { dwUpper = 1; continue; }
        if(szPwd[i] & C1_LOWER) { dwLower = 1; continue; }
        if(szPwd[i] & C1_SYMBOL) { dwSym = 1; continue}
        if(isUnicode(szPwd[i])) {dwUnicode = 1; continue}
}

if(bUserIsAdmin){ //Admins need better passwords than users
    if ((dwNum + dwUpper + dwLower + dwSym + dwUnicode == 5) &&
cchPassword>14)
        bComplex = TRUE;
}
else { //User is not an admin, use lower requirements
    if(dwNum + dwUpper + dwLower + dwSym + dwUnicode) >= 4)
        bComplex = TRUE;
}


I will see if I can find more info for you.


Dave

-----Original Message-----
From: Craig Wright [mailto:cwright () bdosyd com au]
Sent: Sunday, September 18, 2005 16:55
To: dave kleiman; pen-test () securityfocus com
Cc: Anders Thulin; bryan allott; compuwar () gmail com; Peter Parker
Subject: RE: Whitespace in passwords

Please note I was pointing to the "success rates" table for NTLM

The lowest is 80.19% as it stands. This is not all the tables
are precomputed, but there is still an 80+ % crack rate (and
this is growing)

Further - this is not the only table source. Further - there
is no manner in which you will enforce extended passwords. As
I initially stated - the issue is in protecting the password
and stopping a copy from being tested. There are means
available to do this. If you are still on NT 4.0 - than it is
time to upgrade.

The success rate is 80.19% for "alpha numeric symbol 32
space" - this is EVERYthing in NTLM - not just space or
extended - the table is 53% derived- but if you read further
- this equates to an 80.19% crack rate.

Remember there is a user at the other end - they have to
remember. Please explain how a user will enter and remember a
passphrase such as "S%'beep'('Smiley face'?G$" - where ' '
encloses extended chars

Craig

      -----Original Message----- 
      From: dave kleiman [mailto:dave () isecureu com]
      Sent: Mon 19/09/2005 5:49 AM
      To: pen-test () securityfocus com
      Cc: 'Anders Thulin'; 'bryan allott'; Craig Wright;
compuwar () gmail com; 'Peter Parker'
      Subject: RE: Whitespace in passwords








------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]