RE: Whitespace in passwords

From: dave kleiman (dave_at_isecureu.com)
Date: 09/11/05

    To: <pen-test@securityfocus.com>
    Date: Sun, 11 Sep 2005 13:24:49 -0400
    
    

    They also do not have a lot of the Extended ASCII characters:

    http://www.securityfocus.com/archive/88/312263

    Dave

    > -----Original Message-----
    > From: Steve.Cummings@barclayscapital.com
    > [mailto:Steve.Cummings@barclayscapital.com]
    > Sent: Thursday, September 08, 2005 12:54
    > To: AMeyers@msolgroup.com; Anders.Thulin@tietoenator.com;
    > homegrown@bryanallott.net; pen-test@securityfocus.com
    > Subject: Re: Whitespace in passwords
    >
    > Alt characters are also pretty cool
    >
    > Try alt 255 this is blank space
    >
    >
    > -----Original Message-----
    > From: Andrew Meyers <AMeyers@msolgroup.com>
    > To: Anders Thulin <Anders.Thulin@tietoenator.com>; bryan
    > allott <homegrown@bryanallott.net>;
    > pen-test@securityfocus.com <pen-test@securityfocus.com>
    > Sent: Thu Sep 08 01:40:34 2005
    > Subject: RE: Whitespace in passwords
    >
    > I like pass phrases better because crackers like john and
    > l0pht, by default, don't have white spaces in their list of
    > characters.
    >
    >
    > -------------------
    > Andrew Meyers
    > Systems Engineer
    > Managed Solution
    > Email: ameyers@mssandiego.com
    > Phone: 619-220-0544 x115
    > Fax: 619-220-0599
    > http://www.mssandiego.com
    >
    > -----Original Message-----
    > From: Anders Thulin [mailto:Anders.Thulin@tietoenator.com]
    > Sent: Wednesday, September 07, 2005 3:17 AM
    > To: bryan allott; pen-test@securityfocus.com
    > Subject: RE: Whitespace in passwords
    >
    > > From: bryan allott [mailto:homegrown@bryanallott.net]
    >
    > > to the misnomer "passWORD" rather than passPHRASE but it seems that
    > > [most?] people choose passes that don't contain whitespaces,
    >
    > Most people still stick to alphanumeric passwords, and most
    > of those are passwords where the digits are placed at the end.
    > Whitespace is probably not more special than any of the other
    > 'specials' that appear on a standard keyboard. A problem is
    > to know just what those are -- a look at a keyboard may lead
    > a user to think the 'x' on the keypad is a different special
    > character than the '*'.
    >
    > > my main question, re security, is whether the whitespace made the
    > > password too vulnerable? [historically] and why this constraint is
    > > introduced in many systems..
    >
    > Tradition, probably. In environments where users are given
    > fixed passwords that they can't change themselves, space
    > belongs together with S58, O0, and Il1 to the characters that
    > probably will be misunderstood, and so cause calls to helpdesk.
    > Anything that is likely to cause a help-desk call is a no-no
    > in large environments.
    >
    > Another aspect is regularity of user interface design:
    > should space be treated as significant when it appears first
    > and last in a string in general, say a Search field in a text
    > editor or a From- field in an e-mail program? If not, spaces
    > first and last in passwords will be assumed to be
    > insignificant as well -- and so become another source for
    > helpdesk complaints.
    > Regularity pays off.
    >
    > > [but then, if
    > > myth- why propagate it?]
    >
    > Probably also a case that passwords are seldom documented in
    > detail, and few people are willing to sit down to find out
    > details by experiment.
    > (Windows NT hashes use the OEM character set ... which is
    > another source of documentation problems.) So instructions
    > for password construction tend to avoid mentioning characters
    > that might be troublesome, even though there are some
    > important things to know.
    >
    > For instance, dead accent keys (on my kbd ^ is one) usually
    > don't change the base character in a password, so 'pass' and
    > 'pāss' may produce the same password hash.
    >
    > The most useful character to have in a reasonably modern
    > Windows password is EUR (Alt-Gr E on my kbd.) I suspect the
    > reason why is well known -- if not, I'll leave it as an
    > exercise. I'm sure there are similar 'oddities' on other
    > password situations.
    >
    > > i'm thinking that whitespaces [if yr
    > > system can handle them, and why not?] would add another measure of
    > > complexity in cracking pwds?
    >
    > Of course they do. But ... if you already have an adequate
    > password protection -- say, accounts are locked out after 25
    > failed attempts per day regardless of source -- the extra
    > complexity doesn't add much protection. (If you have the
    > password hashes, security has already failed, and any attempt
    > to add a last line of defense in the form of password
    > complexity is misguided: it's only a question of time before
    > the passwords are discovered, and that time should not be
    > left to users to ensure.)
    >
    > Anders Thulin anders.thulin@tietoenator.com 040-661 50 63
    > TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
    >
    >
    >
    >
    > --------------------------------------------------------------
    > ----------------
    > Audit your website security with Acunetix Web Vulnerability Scanner:
    >
    > Hackers are concentrating their efforts on attacking
    > applications on your website. Up to 75% of cyber attacks are
    > launched on shopping carts, forms, login pages, dynamic
    > content etc. Firewalls, SSL and locked-down servers are
    > futile against web application hacking. Check your website
    > for vulnerabilities to SQL injection, Cross site scripting
    > and other web attacks before hackers do!
    > Download Trial at:
    >
    > http://www.securityfocus.com/sponsor/pen-test_050831
    > --------------------------------------------------------------
    > -----------------
    >
    >
    > --------------------------------------------------------------
    > ----------
    > For more information about Barclays Capital, please visit our
    > web site at http://www.barcap.com.
    >
    >
    > Internet communications are not secure and therefore the
    > Barclays Group does not accept legal responsibility for the
    > contents of this message. Although the Barclays Group
    > operates anti-virus programmes, it does not accept
    > responsibility for any damage whatsoever that is caused by
    > viruses being passed. Any views or opinions presented are
    > solely those of the author and do not necessarily represent
    > those of the Barclays Group. Replies to this email may be
    > monitored by the Barclays Group for operational or business reasons.
    >
    > --------------------------------------------------------------
    > ----------
    >
    >
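The keyspace-versus-lockout point and the default-charset point discussed in the quoted messages, as an added example that is not part of this thread: it takes the 25-failed-attempts-per-day lockout figure from Anders's message and assumes a 7-character password, an offline rate of 1e9 guesses per second, and Python's cp850 codec as a stand-in for the OEM character set.

```python
"""Added example (not from the thread): whitespace and unusual characters
seen from a defender's side, with the thread's 25-failed-attempts-per-day
lockout, an assumed length of 7, and an assumed offline rate of 1e9/s."""
import string

ALNUM = string.ascii_letters + string.digits      # 62 characters
PRINTABLE = ALNUM + string.punctuation + " "      # 95 characters

def keyspace(alphabet_size: int, length: int) -> int:
    """Passwords of exactly `length` characters drawn from the alphabet."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size: int, length: int, per_second: float) -> float:
    """Worst-case time for a guesser that tries the whole keyspace."""
    return keyspace(alphabet_size, length) / per_second

def covered_by_charset(password: str, charset: str) -> bool:
    """An exhaustive cracker whose charset omits a character can never
    generate a password containing it, whatever its time budget."""
    return all(ch in charset for ch in password)

def oem_encodable(password: str, codepage: str = "cp850") -> bool:
    """Does every character survive the OEM code page (cp850 assumed here)
    that the thread says NT-era hashes consumed? Reports encodability only."""
    try:
        password.encode(codepage)
        return True
    except UnicodeEncodeError:
        return False

def main() -> None:
    length = 7
    online = 25 / 86400                 # thread's lockout: 25 tries per day
    offline = 1e9                       # assumed rate against stolen hashes
    for name, alphabet in (("alnum", ALNUM), ("alnum+space", ALNUM + " "),
                           ("printable", PRINTABLE)):
        n = len(alphabet)
        print(f"{name:12s} {n:3d} chars: online "
              f"{seconds_to_exhaust(n, length, online) / 31_557_600:.1e} years, "
              f"offline {seconds_to_exhaust(n, length, offline) / 3600:.1f} hours")
    # One extra alphabet character barely moves the keyspace ...
    print("space adds factor", round(keyspace(63, length) / keyspace(62, length), 3))
    # ... but a cracker whose charset lacks it has zero coverage of such passwords.
    print("alnum charset covers 'pass phrase':", covered_by_charset("pass phrase", ALNUM))
    # The thread's EUR example: not representable in cp850, so the bytes a
    # legacy OEM-charset hash would see are not even defined for it.
    print("'pass\u20ac' survives cp850:", oem_encodable("pass\u20ac"))

if __name__ == "__main__":
    main()
```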
