Re: Using non-printable characters in passwords

From: Mr Babak Memari (memari-b_at_softhome.net)
Date: 08/10/03

    Date: Sun, 10 Aug 2003 21:26:20 +0300
    To: security-basics-digest-help@securityfocus.com
    
    

    > -----Original Message-----
    > From: Optrics Engineering - Shaun Sturby, MCSE [mailto:Shaun@Optrics.com]
    > Sent: Thursday, August 07, 2003 10:20 AM
    > To: 'security-basics@securityfocus.com'
    > Cc: 'Edmunds, Ron'
    > Subject: RE: Using non-printable characters in passwords
    >
    >
    > Hello Ron,
    >
    > This depends on the code page or character set used on your system but it
    > doesn't really matter what code page you use for this trick as all you really
    > want is to use characters on your system that are not in the common 'a-z' 'A-Z'
    > '0-1' set. This causes John the Ripper or the @Stake password cracker to take much
    > longer to crack your password.
    >
    > That is if your hacker doesn't use the system recently reported that takes 13
    > seconds to compare, not generate and compare, your encrypted password to a
    > pre-generated 1.7 GB list of all possible password hashes.
    >
    > Shaun
    >
    > P.S. Maybe I wasn't clear but the manifesto and hint listed below are not mine. I
    > just did a Google search and forwarded what I thought was a good summary of this
    > tip.

    Hi all,

    I must add these lines:

    Minimum Password Length
    Blank passwords and shorter-length passwords are easily guessed by
    password cracking tools. To lessen the chances of a password being
    cracked, passwords should be longer in length. Allowable values for this
    option are 0 (no password required) or between 1 and 14 characters.
    NOTE: In actuality, Windows 2000 and XP support
    passwords up to 127 characters long. A password
    longer than 14 characters has a distinct advantage in
    that the LanManager hash of the password is invalid
    with these longer passwords, and, therefore, cannot be
    exploited as it normally could by password-cracking
    utilities. Unfortunately, the security templates interface
    will not allow setting of minimum password length to be
    greater than 14. Also, if a network contains Windows 9x
    or Windows NT 4.0 or earlier computers, the maximum
    password length cannot exceed 14 characters since
    those computers do not support entering passwords
    that long in the UI.

    NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:

    NOTE: It is recommended that privileged users (such as
    administrators) have passwords longer than 12
    characters. An optional method of strengthening
    administrative passwords is to use characters that are
    not in the default character sets. For example, Unicode
    characters 0128 through 0159 have two advantages: (1)
    they cause the LanMan hash to be invalid, and (2) they
    are not in the character set for any common password
    crackers. Be careful using Unicode characters,
    however. Certain Unicode characters, such as 0200 (È),
    get converted into other characters, in this example
    0069 (E) and then hashed, effectively weakening the
    password. To enter these passwords, hold the ALT key
    and type the number on the numeric key-pad. On a
    notebook, hold down the FN and ALT keys and type the
    number on the overlay numeric keypad.
    12 Characters

    -----
    Babak from IRAN
    www.voidspace.org.uk/babak
    www.geocities.com/bmindex2000
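The checks described in the message above, as an added example that is not part of the original post or of the guide it quotes. It assumes that "0128 through 0159" means the ALT+0nnn values of Windows-1252, and it uses Unicode decomposition only as an approximation of the character conversion the post describes; the function names are hypothetical.

```python
import unicodedata

LM_MAX_LEN = 14                 # longer passwords have no valid LM hash (per the post)
ALT_RANGE = range(128, 160)     # the post's "0128 through 0159" (assumed ALT codes)


def alt_code(ch):
    """Windows-1252 byte value of ch (the ALT+0nnn number), or None."""
    try:
        return ch.encode("cp1252")[0]
    except UnicodeEncodeError:
        return None


def ascii_fold(ch):
    """ASCII base letter that ch decomposes to, or None (approximation)."""
    if ch.isascii():
        return None
    base = unicodedata.normalize("NFD", ch)[0]
    return base if base.isascii() else None


def audit(password):
    """Apply the post's guidance to one candidate password."""
    in_range = [c for c in password if alt_code(c) in ALT_RANGE]
    folded = [(c, ascii_fold(c)) for c in password
              if c not in in_range and ascii_fold(c)]
    notes = []
    if len(password) > LM_MAX_LEN:
        notes.append("longer than 14 characters")
    if in_range:
        notes.append("contains ALT+0128..0159 characters")
    return {
        "length": len(password),
        "lm_hash_expected": not notes,   # True: an LM hash can still be exploited
        "why_no_lm": notes,
        "may_fold_to_ascii": folded,     # e.g. 0200 (È) hashed as 0069 (E)
        "meets_admin_length": len(password) > 12,
    }


# Constructed sample passwords, not taken from any real system.
if __name__ == "__main__":
    for pw in ["Summer2003", "a" * 15, "Pass\u20acword", "P\u00c8ssword"]:
        print(repr(pw), audit(pw))
```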
