Penetration Testing mailing list archives

Re: Whitespace in passwords
From: Tim <pand0ra.usa () gmail com>
Date: Mon, 19 Sep 2005 13:10:20 -0600

Ok, we are now onto Rainbow tables. Sure, they can recover passwords
very quickly BUT they too have a limitation. Currently the Shmoo
tables are focused on LanMan challenge/responses which we all know are
WEAK (in so many meanings of the word). Rainbow tables take quite a
bit of time to generate, and to go through all of the possible
combinations for a table that is ALL LOWERCASE and 14 characters long,
regardless of the algo, would take more time than I have on this planet
(possibly more time than all of us combined).

I am so sorry for using LanMan as an example in my earlier post.
LanMan only goes to 7 characters, as that is the foundation of one of
its biggest flaws. Also, keep in mind that there are not too many
programs that accept Alt-ASCII characters, so that may not be
acceptable. Bryan Allott posted earlier the biggest point -->
passPHRASES <-- Go back to my earlier post with the math (ignore that
I used LanMan as an example).

The longer the passPHRASE, the exponentially more difficult it becomes
to recover the passPHRASE. Any password that is under 10 characters is
EASILY recoverable within the typical 90 day expiration time. That is
why pushing the users to create easily remembered passPHRASES is much
more effective than some sort of gobbledygook that they will have a
hard time remembering and end up writing down on a post-it note stuck
to their monitor. One stupid character (regardless of what it is) will
NOT make a significant difference. Do not assume that by throwing in an
Alt-182 character you will make your password 'unbreakable'.

