Re: Using non-printable characters in passwords

From: Mr Babak Memari (
Date: 08/10/03

    Date: Sun, 10 Aug 2003 21:26:20 +0300

    > -----Original Message-----
    > From: Optrics Engineering - Shaun Sturby, MCSE []
    > Sent: Thursday, August 07, 2003 10:20 AM
    > To: ''
    > Cc: 'Edmunds, Ron'
    > Subject: RE: Using non-printable characters in passwords
    > Hello Ron,
    > This depends on the code page or character set used on your system but it
    > doesn't really matter what code page you use for this trick as all you really
    > want is to use characters on your system that are not in the common 'a-z' 'A-Z'
    > '0-1' set. This causes John the Ripper or the @Stake password cracker to take much
    > longer to crack your password.
    > That is if your hacker doesn't use the system recently reported that takes 13
    > seconds to compare, not generate and compare, your encrypted password to a
    > pre-generated 1.7 GB list of all possible password hashes.
    > Shaun
    > P.S. Maybe I wasn't clear but the manifesto and hint listed below is not mine. I
    > just did a Google search and forwarded what I thought was a good summary of this
    > tip.

    Hi all,

    I must add these lines:

    Minimum Password Length
    Blank passwords and shorter-length passwords are easily guessed by
    password cracking tools. To lessen the chances of a password being
    cracked, passwords should be longer in length. Allowable values for this
    option are 0 (no password required) or between 1 and 14 characters.
    NOTE: In actuality, Windows 2000 and XP support
    passwords up to 127 characters long. A password
    longer than 14 characters has a distinct advantage in
    that the LanManager hash of the password is invalid
    with these longer passwords, and, therefore, cannot be
    exploited as it normally could by password-cracking
    utilities. Unfortunately, the security templates interface
    will not allow setting of minimum password length to be
    greater than 14. Also, if a network contains Windows 9x
    or Windows NT 4.0 or earlier computers, the maximum
    password length cannot exceed 14 characters since
    those computers do not support entering passwords
    that long in the UI.


    NOTE: It is recommended that privileged users (such as
    administrators) have passwords longer than 12
    characters. An optional method of strengthening
    administrative passwords is to use characters that are
    not in the default character sets. For example, Unicode
    characters 0128 through 0159 have two advantages: (1)
    they cause the LanMan hash to be invalid, and (2) they
    are not in the character set for any common password
    crackers. Be careful using Unicode characters,
    however. Certain Unicode characters, such as 0200 (),
    get converted into other characters, in this example
    0069 (E) and then hashed, effectively weakening the
    password. To enter these passwords, hold the ALT key
    and type the number on the numeric key-pad. On a
    notebook, hold down the FN and ALT keys and type the
    number on the overlay numeric keypad.
    12 Characters

    Babak from IRAN
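
The rules quoted in the message above, written as a password-audit check. This is an added example, not part of the original post; it encodes only what the post states (the 14-character limit, ALT+0128 through 0159, and the ALT+0200 to E conversion) and does not compute the LM hash itself. The names `lm_exposure`, `alt_code` and `audit` are hypothetical.

```python
LM_MAX_LEN = 14                      # post: longer passwords leave no valid LM hash
ALT_INVALIDATING = range(128, 160)   # post: ALT+0128..0159 invalidate the LM hash
FOLDS = {200: "E"}                   # post: ALT+0200 is converted to E before hashing


def alt_code(ch):
    """Windows-1252 byte value for ch (the ALT+0nnn number), or None."""
    try:
        return ch.encode("cp1252")[0]
    except UnicodeEncodeError:
        return None


def lm_exposure(password):
    """Apply the post's rules; report whether a usable LM hash would exist."""
    if len(password) > LM_MAX_LEN:
        return {"lm_hash": False, "why": "longer than 14 characters"}
    codes = [alt_code(c) for c in password]
    if any(c in ALT_INVALIDATING for c in codes if c is not None):
        return {"lm_hash": False, "why": "ALT+0128..0159 character present"}
    # Characters the post says are converted are replaced before hashing.
    folded = "".join(FOLDS.get(code, ch) for ch, code in zip(password, codes))
    # LM uppercases, NUL-pads to 14 and hashes each 7-character half separately.
    padded = folded.upper().ljust(LM_MAX_LEN, "\0")[:LM_MAX_LEN]
    return {
        "lm_hash": True,
        "halves": (padded[:7], padded[7:]),
        "weakened": folded != password,
    }


def audit(candidates):
    """Return the candidates that would still be stored with an LM hash."""
    return [p for p in candidates if lm_exposure(p)["lm_hash"]]


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the post.
    for pw in ["Summer03", "caf\u00c8", "pass\u20acword", "a" * 15]:
        print(repr(pw), lm_exposure(pw))
```

The `halves` value shows why a password of 14 characters or fewer is weak under LM: each 7-character, upper-cased half can be attacked on its own.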

