RE: Password "security" - was"Passwords with Lan Manager (LM) und er Windows" and "Whitespace in passwords"

From: Dufresne, Pierre (PIERRE.DUFRESNE_at_MESS.GOUV.QC.CA)
Date: 09/27/05

  • Next message: "Ballpark figures on a PBX assessment"
    Date: Tue, 27 Sep 2005 14:57:33 -0400

    I hope everybody following this thread is aware that whether any version of
    a cracking tool can crack or not non-printable characters is irrelevant. If
    it can't, the authors could probably patch their tool very fast.

    As someone mentioned earlier, the game is now: how do you protect the hashes
    when a computer is lost or stolen?

    I work in a Windows environment. The only immediate measure I can think of
    is the use of SYSKEY with a password prompt.
    Could anyone provide me with other simple solution? Thanks

    Note to moderator: may be it would be better to start a new thread with a
    subject like "hashes protection in Windows"


    >Hi Dave,
    >Lepton's Crack can, for sure. I dunno if the version with non-printable
    >characters is 20040914 or 20040916 (the later is not online, I'm afraid, I
    >have it on a CD somewhere).
    >Just had a look at the CHANGES file:>
    > 20040914/
    > - Added support for any ASCII character (ie. also non-printable) in
    > the charset and regex definition, via \0(octal), \x(hex),
    >Do a Google search for
    > password cracker "non printable" characters
    >And have fun collating the results.
    >-----Original Message-----
    >From: dave kleiman []
    >Sent: 26 September 2005 15:00
    >To: 'Miguel Dilaj'
    >.Subject: RE: Password "security" - was"Passwords with Lan Manager (LM)
    >Windows" and "Whitespace in passwords"
    >> Regarding "Whitespace in passwords", and as some people already
    >> mentioned, modern password cracking software (both commercial and
    >> free) can find non-printable chars, so space or ALT-whatever are going
    >> to be found anyway. Rainbow tables now tend to include space, but I
    >> still haven't heard of anyone producing a table for 0x00-0xff
    >> (0x0000-0xffff if you use extended unicode chars ;-)
    >> Applications CAN be broken by using strange characters, so YMMV.
    >Can you provide a list of those that have that ability, I will gladly test
    >The most popular ones cannot i.e. L0pht, Cain etc. See:

    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on your
    website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    futile against web application hacking. Check your website for vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before hackers do!
    Download Trial at:

  • Next message: "Ballpark figures on a PBX assessment"