RE: Whitespace in passwords

From: Peter Parker (peterparker@fastmail.fm)
Date: Fri Sep 09 2005 - 08:47:08 EDT


Most of the available crackers have an option to brute all possible
characters (including whitespace). We want strong passwords because we
don't want them to be compromised (by any means).

Since _most_ of the precomputed tables available for rainbow crack are
generally not ones generated with whitespace, I started using it
regularly in my passwords :D

On Wed, 7 Sep 2005 12:16:39 +0200, "Anders Thulin"
<Anders.Thulin@tietoenator.com> said:
> > From: bryan allott [mailto:homegrown@bryanallott.net]
>
> > to the misnomer "passWORD" rather than passPHRASE but it
> > seems that [most?] people choose passes that don't contain
> > whitespaces,
>
> Most people still stick to alphanumeric passwords, and most
> of those are passwords where the digits are placed at the end.
> Whitespace is probably not more special than any of the other
> 'specials' that appear on a standard keyboard. A problem is to
> know just what those are -- a look at a keyboard may lead a user to
> think the 'x' on the keypad is a different special character than the
> '*'.
>
> > my main question, re security, is whether the whitespace made
> > the password too vulnerable? [historically] and why this
> > constraint is introduced in many systems..
>
> Tradition, probably. In environments where users are given
> fixed passwords that they can't change themselves, space
> belongs together with S58, O0, and Il1 to the characters that
> probably will be misunderstood, and so cause calls to helpdesk.
> Anything that is likely to cause a help-desk call is a no-no
> in large environments.
>
> Another aspect is regularity of user interface design: should
> space be treated as significant when it appears first and last in
> a string in general, say a Search field in a text editor or a
> From-field in an e-mail program? If not, spaces first and last in
> passwords will be assumed to be insignificant as well -- and
> so become another source for helpdesk complaints.
> Regularity pays off.
>
> [but then, if
> > myth- why propagate it?]
>
> Probably also a case that passwords are seldom documented in detail,
> and few people are willing to sit down to find out details by experiment.
> (Windows NT hashes use the OEM character set ... which is another source
> of documentation problems.) So instructions for password construction
> tend to avoid mentioning characters that might be troublesome, even
> though there are some important things to know.
>
> For instance, dead accent keys (on my kbd ^ is one) usually don't change
> the base character in a password, so 'pass' and 'pāss' may produce the
> same password hash.
>
> The most useful character to have in a reasonably modern Windows
> password is EUR (Alt-Gr E on my kbd.) I suspect the reason why is well
> known -- if not, I'll leave it as an exercise. I'm sure there are similar
> 'oddities' on other password situations.
>
> > i'm thinking that whitespaces [if yr
> > system can handle them, and why not?] would add another
> > measure of complexity in cracking pwds?
>
> Of course they do. But ... if you already have an adequate
> password protection -- say, accounts are locked out after 25 failed
> attempts per day regardless of source -- the extra complexity doesn't
> add much protection. (If you have the password hashes, security
> has already failed, and any attempt to add a last line of defense
> in the form of password complexity is misguided: it's only a
> question of time before the passwords are discovered, and that
> time should not be left to users to ensure.)
>
> Anders Thulin anders.thulin@tietoenator.com 040-661 50 63
> TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö

-- 
  peter
  peterparker@fastmail.fm
-- 
http://www.fastmail.fm - The professional email service
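The thread above touches two ways a verification layer can quietly throw away the entropy a user put into a password: treating leading and trailing spaces as insignificant (the "regularity" point) and folding accented characters back to their base letter (the 'pass' / 'pāss' point). The following is an added example, not code from either poster: it contrasts a naive normalisation step with a strict one and counts how many distinct candidate passwords collapse onto the same hash. The function names, the fixed salt and the sample password list are all constructed for this illustration.

```python
"""Added example (not part of the original thread): shows how whitespace
trimming and accent folding at the verifier shrink the effective keyspace.

A naive verifier that strips surrounding spaces and folds accents makes
'pass', ' pass ' and 'pāss' hash identically.  The strict verifier keeps
every byte significant and only applies NFC so that the composed and
decomposed encodings of the *same* character still agree.
"""
import hashlib
import hmac
import unicodedata


def naive_normalise(pw: str) -> str:
    """Trim surrounding whitespace and fold accented letters to base letters."""
    folded = unicodedata.normalize("NFKD", pw.strip())
    return "".join(ch for ch in folded if not unicodedata.combining(ch))


def strict_normalise(pw: str) -> str:
    """Canonical composition only; whitespace and accents stay significant."""
    return unicodedata.normalize("NFC", pw)


def hash_password(pw: str, salt: bytes, normalise) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the normalised UTF-8 bytes."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalise(pw).encode("utf-8"), salt, 100_000
    )


def verify(candidate: str, stored: bytes, salt: bytes, normalise) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    return hmac.compare_digest(hash_password(candidate, salt, normalise), stored)


# Constructed sample: visually or textually similar candidates.
#   'p\u0101ss' is precomposed a-macron, 'pa\u0304ss' is a + combining macron.
SAMPLE = ["pass", " pass ", "p\u0101ss", "pa\u0304ss", "p ass"]
FIXED_SALT = b"constructed-fixed-salt"  # fixed only so classes are comparable


def equivalence_classes(passwords, normalise):
    """Group passwords that produce the same hash under a normalisation rule."""
    groups = {}
    for pw in passwords:
        groups.setdefault(hash_password(pw, FIXED_SALT, normalise), []).append(pw)
    return [sorted(g) for g in groups.values()]


def collision_count(normalise) -> int:
    """How many of SAMPLE are indistinguishable from another entry."""
    return len(SAMPLE) - len(equivalence_classes(SAMPLE, normalise))


if __name__ == "__main__":
    for name, rule in (("naive", naive_normalise), ("strict", strict_normalise)):
        print(f"{name}: {collision_count(rule)} collisions")
        for cls in equivalence_classes(SAMPLE, rule):
            print("   ", [repr(p) for p in cls])
```

Under the naive rule only the internal space in 'p ass' survives, so five candidates fall into two hash classes; under the strict rule the only merge is the intended one, the two encodings of 'pāss'. Run stand-alone, the script prints the classes for both rules.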
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:51 EDT