RE: Whitespace in passwords

From: dave kleiman (dave@isecureu.com)
Date: Sun Sep 11 2005 - 13:24:49 EDT


They also do not have a lot of the Extended ASCII characters:

http://www.securityfocus.com/archive/88/312263

Dave

> -----Original Message-----
> From: Steve.Cummings@barclayscapital.com
> [mailto:Steve.Cummings@barclayscapital.com]
> Sent: Thursday, September 08, 2005 12:54
> To: AMeyers@msolgroup.com; Anders.Thulin@tietoenator.com;
> homegrown@bryanallott.net; pen-test@securityfocus.com
> Subject: Re: Whitespace in passwords
>
> Alt characters are also pretty cool
>
> Try Alt 255; this is a blank space.
>
>
> -----Original Message-----
> From: Andrew Meyers <AMeyers@msolgroup.com>
> To: Anders Thulin <Anders.Thulin@tietoenator.com>; bryan
> allott <homegrown@bryanallott.net>;
> pen-test@securityfocus.com <pen-test@securityfocus.com>
> Sent: Thu Sep 08 01:40:34 2005
> Subject: RE: Whitespace in passwords
>
> I like pass phrases better because crackers like john and
> l0pht, by default, don't have white spaces in their list of
> characters.
>
>
> -------------------
> Andrew Meyers
> Systems Engineer
> Managed Solution
> Email: ameyers@mssandiego.com
> Phone: 619-220-0544 x115
> Fax: 619-220-0599
> http://www.mssandiego.com
>
> -----Original Message-----
> From: Anders Thulin [mailto:Anders.Thulin@tietoenator.com]
> Sent: Wednesday, September 07, 2005 3:17 AM
> To: bryan allott; pen-test@securityfocus.com
> Subject: RE: Whitespace in passwords
>
> > From: bryan allott [mailto:homegrown@bryanallott.net]
>
> > to the misnomer "passWORD" rather than passPHRASE but it seems that
> > [most?] people choose passes that don't contain whitespaces,
>
> Most people still stick to alphanumeric passwords, and most
> of those are passwords where the digits are placed at the end.
> Whitespace is probably not more special than any of the other
> 'specials' that appear on a standard keyboard. A problem is
> to know just what those are -- a look at a keyboard may lead
> a user to think the 'x' on the keypad is a different special
> character than the '*'.
>
> > my main question, re security, is whether the whitespace made the
> > password too vulnerable? [historically] and why this constraint is
> > introduced in many systems..
>
> Tradition, probably. In environments where users are given
> fixed passwords that they can't change themselves, space
> belongs together with S58, O0, and Il1 to the characters that
> probably will be misunderstood, and so cause calls to helpdesk.
> Anything that is likely to cause a help-desk call is a no-no
> in large environments.
>
> Another aspect is regularity of user interface design:
> should space be treated as significant when it appears first
> and last in a string in general, say a Search field in a text
> editor or a From- field in an e-mail program? If not, spaces
> first and last in passwords will be assumed to be
> insignificant as well -- and so become another source for
> helpdesk complaints.
> Regularity pays off.
>
> > [but then, if
> > myth- why propagate it?]
>
> Probably also a case that passwords are seldom documented in
> detail, and few people are willing to sit down to find out
> details by experiment.
> (Windows NT hashes use the OEM character set ... which is
> another source of documentation problems.) So instructions
> for password construction tend to avoid mentioning characters
> that might be troublesome, even though there are some
> important things to know.
>
> For instance, dead accent keys (on my kbd ^ is one) usually
> don't change the base character in a password, so 'pass' and
> 'pâss' may produce the same password hash.
>
> The most useful character to have in a reasonably modern
> Windows password is EUR (Alt-Gr E on my kbd.) I suspect the
> reason why is well known -- if not, I'll leave it as an
> exercise. I'm sure there are similar 'oddities' on other
> password situations.
>
> > i'm thinking that whitespaces [if your
> > system can handle them, and why not?] would add another measure of
> > complexity in cracking pwds?
>
> Of course they do. But ... if you already have an adequate
> password protection -- say, accounts are locked out after 25
> failed attempts per day regardless of source -- the extra
> complexity doesn't add much protection. (If you have the
> password hashes, security has already failed, and any attempt
> to add a last line of defense in the form of password
> complexity is misguided: it's only a question of time before
> the passwords are discovered, and that time should not be
> left to users to ensure.)
>
> Anders Thulin anders.thulin@tietoenator.com 040-661 50 63
> TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
>
>
>
>
> --------------------------------------------------------------
> ----------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking
> applications on your website. Up to 75% of cyber attacks are
> launched on shopping carts, forms, login pages, dynamic
> content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website
> for vulnerabilities to SQL injection, Cross site scripting
> and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> -----------------
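The thread's claims about whitespace, Alt+255, dead-key accents and the euro sign all come down to what a login path does to the password before it is hashed. The script below is an added example, not code from the thread; it models three such steps (trimming, accent stripping, and an LM-hash-style OEM-codepage/uppercase/14-byte reduction) as assumptions for illustration, not as a description of any particular product, and groups constructed candidate passwords by the form the modelled path would actually store.

```python
# Added example (not from the thread): which visibly different passwords
# collapse into the same stored form under a modelled normalization path.
import unicodedata
from typing import Dict, List, Optional


def alt_code(n: int, codepage: str = "cp437") -> str:
    """Character produced by Alt+<n> on the keypad, assuming the legacy
    behaviour of interpreting n in the OEM codepage (Alt+255 -> U+00A0)."""
    return bytes([n]).decode(codepage)


def strip_accents(pw: str) -> str:
    """Model of an input path where dead-key accents do not survive:
    decompose, then drop combining marks (Unicode category Mn)."""
    return "".join(c for c in unicodedata.normalize("NFD", pw)
                   if unicodedata.category(c) != "Mn")


def lm_style_form(pw: str, codepage: str = "cp850") -> Optional[bytes]:
    """LM-hash-style reduction: OEM codepage, uppercase, first 14 bytes.
    Returns None when a character is not representable in the codepage,
    which is what makes a sign like EUR 'useful' in the thread's sense."""
    try:
        return pw.upper().encode(codepage)[:14]
    except UnicodeEncodeError:
        return None


def canonical(pw: str, trim: bool, drop_accents: bool) -> str:
    """Apply the modelled (assumed) normalization steps in order."""
    if trim:
        pw = pw.strip()  # note: str.strip() also removes U+00A0 (Alt+255)
    if drop_accents:
        pw = strip_accents(pw)
    return pw


def equivalence_classes(candidates: List[str], trim: bool = True,
                        drop_accents: bool = True) -> Dict[str, List[str]]:
    """Group candidates that the modelled path would store identically."""
    classes: Dict[str, List[str]] = {}
    for pw in candidates:
        classes.setdefault(canonical(pw, trim, drop_accents), []).append(pw)
    return classes


# Constructed sample inputs covering the cases raised in the thread.
CONSTRUCTED = ["pass", "p\u00e2ss", " pass", alt_code(255) + "pass",
               "pass word", "Pa\u20acs"]

if __name__ == "__main__":
    for form, members in equivalence_classes(CONSTRUCTED).items():
        print(repr(form), "<-", members)
    print("LM-style form of 'Pa\u20acs' in cp850:", lm_style_form("Pa\u20acs"))
    print("LM-style form of 'Pa\u20acs' in cp858:", lm_style_form("Pa\u20acs", "cp858"))
```

Run with `trim=False` to see the plain space and the Alt+255 non-breaking space become distinct again, which is the whole difference between a UI that treats edge whitespace as significant and one that does not.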




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:52 EDT