RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords"

From: Dufresne, Pierre (PIERRE.DUFRESNE_at_MESS.GOUV.QC.CA)
Date: 09/27/05

  • Next message: mikem_at_tridigitalenterprises.com: "Ballpark figures on a PBX assessment"
    To: pen-test@securityfocus.com
    Date: Tue, 27 Sep 2005 14:57:33 -0400
    
    

    I hope everybody following this thread is aware that whether any version of
    a cracking tool can crack or not non-printable characters is irrelevant. If
    it can't, the authors could probably patch their tool very fast.

    As someone mentioned earlier, the game is now: how do you protect the hashes
    when a computer is lost or stolen?

    I work in a Windows environment. The only immediate measure I can think of
    is the use of SYSKEY with a password prompt.
    Could anyone provide me with other simple solution? Thanks

    Note to moderator: may be it would be better to start a new thread with a
    subject like "hashes protection in Windows"
    Thanks

    Pierre

    >Hi Dave,
    >
    >Lepton's Crack can, for sure. I dunno if the version with non-printable
    >characters is 20040914 or 20040916 (the later is not online, I'm afraid, I
    >have it on a CD somewhere).
    >Just had a look at the CHANGES file:>
    >
    > 20040914/
    > - Added support for any ASCII character (ie. also non-printable) in
    > the charset and regex definition, via \0(octal), \x(hex),
    >\(decimal)
    >
    >Do a Google search for
    >
    > password cracker "non printable" characters
    >
    >And have fun collating the results.
    >Cheers,
    >
    >Miguel
    >
    >
    >-----Original Message-----
    >From: dave kleiman [mailto:dave@isecureu.com]
    >Sent: 26 September 2005 15:00
    >To: 'Miguel Dilaj'
    >Cc: pen-test@securityfocus.com
    >.Subject: RE: Password "security" - was"Passwords with Lan Manager (LM)
    under
    >Windows" and "Whitespace in passwords"
    >
    >
    >>
    >> Regarding "Whitespace in passwords", and as some people already
    >> mentioned, modern password cracking software (both commercial and
    >> free) can find non-printable chars, so space or ALT-whatever are going
    >> to be found anyway. Rainbow tables now tend to include space, but I
    >> still haven't heard of anyone producing a table for 0x00-0xff
    >> (0x0000-0xffff if you use extended unicode chars ;-)
    >> Applications CAN be broken by using strange characters, so YMMV.
    >>
    >
    >
    >Can you provide a list of those that have that ability, I will gladly test
    >them.
    >
    >The most popular ones cannot i.e. L0pht, Cain etc. See:
    >http://www.securityfocus.com/archive/88/312263
    >
    >
    >Dave

    ------------------------------------------------------------------------------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on your
    website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    futile against web application hacking. Check your website for vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    -------------------------------------------------------------------------------


  • Next message: mikem_at_tridigitalenterprises.com: "Ballpark figures on a PBX assessment"