RE: Whitespace in passwords

From: Peter Parker (peterparker_at_fastmail.fm)
Date: 09/09/05

    To: "Anders Thulin" <Anders.Thulin@tietoenator.com>, "bryan allott" <homegrown@bryanallott.net>, pen-test@securityfocus.com
    Date: Fri, 09 Sep 2005 05:47:08 -0700
    
    

    Most of the available crackers have an option to brute-force all possible
    characters (including whitespace). We want strong passwords because we
    don't want them to be compromised (by any means).

    Since _most_ of the precomputed tables available for rainbow crack are
    generally not generated with whitespace, I started using it
    regularly in my passwords :D

    On Wed, 7 Sep 2005 12:16:39 +0200, "Anders Thulin"
    <Anders.Thulin@tietoenator.com> said:
    > > From: bryan allott [mailto:homegrown@bryanallott.net]
    >
    > > to the misnomer "passWORD" rather than passPHRASE but it
    > > seems that [most?] people choose passes that don't contain
    > > whitespaces,
    >
    > Most people still stick to alphanumeric passwords, and most
    > of those are passwords where the digits are placed at the end.
    > Whitespace is probably not more special than any of the other
    > 'specials' that appear on a standard keyboard. A problem is to
    > know just what those are -- a look at a keyboard may lead a user to
    > think the 'x' on the keypad is a different special character than the
    > '*'.
    >
    > > my main question, re security, is whether the whitespace made
    > > the password too vulnerable? [historically] and why this
    > > constraint is introduced in many systems..
    >
    > Tradition, probably. In environments where users are given
    > fixed passwords that they can't change themselves, space
    > belongs together with S58, O0, and Il1 to the characters that
    > probably will be misunderstood, and so cause calls to helpdesk.
    > Anything that is likely to cause a help-desk call is a no-no
    > in large environments.
    >
    > Another aspect is regularity of user interface design: should
    > space be treated as significant when it appears first and last in
    > a string in general, say a Search field in a text editor or a From-
    > field in an e-mail program? If not, spaces first and last in
    > passwords will be assumed to be insignificant as well -- and
    > so become another source for helpdesk complaints.
    > Regularity pays off.
    >
    > > [but then, if myth- why propagate it?]
    >
    > Probably also a case that passwords are seldom documented in detail,
    > and few people are willing to sit down to find out details by experiment.
    > (Windows NT hashes use the OEM character set ... which is another source
    > of documentation problems.) So instructions for password construction
    > tend to avoid mentioning characters that might be troublesome, even
    > though there are some important things to know.
    >
    > For instance, dead accent keys (on my kbd ^ is one) usually don't change
    > the base character in a password, so 'pass' and 'pāss' may produce the same
    > password hash.
    >
    > The most useful character to have in a reasonably modern Windows
    > password is EUR (Alt-Gr E on my kbd.) I suspect the reason why is well
    > known -- if not, I'll leave it as an exercise. I'm sure there are similar
    > 'oddities' on other password situations.
    >
    > > i'm thinking that whitespaces [if yr
    > > system can handle them, and why not?] would add another
    > > measure of complexity in cracking pwds?
    >
    > Of course they do. But ... if you already have an adequate
    > password protection -- say, accounts are locked out after 25 failed
    > attempts per day regardless of source -- the extra complexity doesn't
    > add much protection. (If you have the password hashes, security
    > has already failed, and any attempt to add a last line of defense
    > in the form of password complexity is misguided: it's only a
    > question of time before the passwords are discovered, and that
    > time should not be left to users to ensure.)
    >
    > Anders Thulin anders.thulin@tietoenator.com 040-661 50 63
    > TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö

    -- 
      peter
      peterparker@fastmail.fm
    -- 
    http://www.fastmail.fm - The professional email service
    
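The arithmetic behind this exchange (how little one extra symbol widens the keyspace, why a table built without whitespace cannot contain such a password at all, and why Anders' 25-attempts-per-day lockout makes the difference moot online), as an added worked example that is not part of the thread; the alphabet sizes and the OFFLINE_RATE guess rate are my own assumptions, only the 25/day figure comes from the thread:

```python
"""Keyspace arithmetic for the whitespace-in-passwords discussion.

Assumptions (not from the thread): OFFLINE_RATE is a constructed,
illustrative hash rate, and the 62/63/95-symbol alphabets are my own
choices for "alphanumeric", "alphanumeric + space" and "printable ASCII".
LOCKOUT_PER_DAY is the figure quoted in the thread.
"""
import string
from math import log2

ALPHABETS = {
    "alphanumeric": 62,         # a-z, A-Z, 0-9
    "alphanumeric+space": 63,   # same plus the space character
    "printable ascii": 95,      # every printable ASCII symbol, space included
}
ALNUM = string.ascii_letters + string.digits   # charset a typical table is built from
LOCKOUT_PER_DAY = 25                           # attempts per account per day (from the thread)
OFFLINE_RATE = 1_000_000_000                   # assumed hashes/second once hashes have leaked

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length

def extra_bits(base_size: int, bigger_size: int, length: int) -> float:
    """Entropy gained (bits) by enlarging the alphabet at a fixed length."""
    return length * (log2(bigger_size) - log2(base_size))

def online_years(space: int, per_day: int = LOCKOUT_PER_DAY) -> float:
    """Expected years of online guessing under lockout (half the space on average)."""
    return space / 2 / per_day / 365

def offline_hours(space: int, rate: int = OFFLINE_RATE) -> float:
    """Expected hours of offline search once the hash itself is in hand."""
    return space / 2 / rate / 3600

def table_covers(password: str, table_alphabet: str = ALNUM) -> bool:
    """True if a precomputed table built from `table_alphabet` can contain the
    password at all; a single symbol outside that alphabet makes the table useless."""
    return all(ch in table_alphabet for ch in password)

if __name__ == "__main__":
    length = 7
    for name, size in ALPHABETS.items():
        n = keyspace(size, length)
        print(f"{name:20s} {n:>18,d}  online: {online_years(n):.2e} yr"
              f"  offline: {offline_hours(n):8.2f} h")
    print("bits gained by adding space at length 7:", round(extra_bits(62, 63, length), 2))
    print("'pass word' reachable from an alphanumeric table?", table_covers("pass word"))
```

The point the numbers make: a space adds well under a bit of entropy per position, so it barely slows an exhaustive offline search, while it completely defeats a table that omitted it; and under the lockout described, even the plain alphanumeric space is far beyond online reach anyway.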
