Re: Whitespace in passwords

From: Bruce K. Marshall (bkmlstsgohere@comcast.net)
Date: Sun Sep 11 2005 - 15:21:37 EDT


Anurag,

You're right that a space character shouldn't make a difference if they are
using any respectable hashing algorithm. But since we're talking about real
applications, you can't assume they will use a well-known hashing algorithm,
or even perform hashing at all. People make unfortunate decisions all the
time when it comes to password systems. Remember the Unix 8 character
password limitation? Remember Windows LM hashing?

The ISACA (www.isaca.org) Web site wants you to use letters and numbers in
your account password. What about letters and symbols? There are actually
more symbols, so they should make a better pool to choose from than numbers.
Nope, the application doesn't accept it; you must have letters and numbers.
And this is a computer security organization.

I can't say for sure what symbols people actually try, but spaces,
underscores, and dashes aren't the most popular choices for users.

----
Bruce K. Marshall - bkmarshall@passwordresearch.com
Password Research Institute - http://www.passwordresearch.com
----- Original Message ----- 
From: "Anurag Joshi" <mastermindanu@gmail.com>
To: <pen-test@securityfocus.com>
Sent: Thursday, September 08, 2005 9:46 PM
Subject: Re: Whitespace in passwords
> List,
> With due respect, I don't think whitespaces would make any
> difference. It just depends on the encrypting algo. In all cases
> whitespace amounts to an ASCII code and hence a binary representation, thus
> encrypting or decrypting would make no difference. If the algo has no
> rule for whitespaces then it is not allowed. But when it comes to symbols
> whitespaces, underscores, dash are probably the first ones anyone will
> look for.
>
> Anurag Joshi 
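
The following is an added example, not part of the original thread: a check for whether a password scheme's preprocessing makes distinct passwords (including ones that differ only by a space) equivalent. The function names and candidate passwords are constructed for illustration, and SHA-256 stands in for the real algorithms; only the 8-character limit and the LM-style uppercase/14-byte/two-halves preprocessing mentioned in the thread are modelled.

```python
import hashlib
from collections import defaultdict

def modern(pw: str) -> bytes:
    # Every byte of the input, spaces included, feeds the hash.
    return hashlib.sha256(pw.encode("utf-8")).digest()

def unix8(pw: str) -> bytes:
    # Models only the 8-character limit of traditional Unix crypt;
    # SHA-256 is a stand-in, not the real DES-based algorithm.
    return hashlib.sha256(pw.encode("utf-8")[:8]).digest()

def lm_style(pw: str) -> tuple:
    # Models LM preprocessing only: uppercase, pad/truncate to 14 bytes,
    # then treat the two 7-byte halves independently (SHA-256 stand-in).
    data = pw.upper().encode("ascii", "replace")[:14].ljust(14, b"\0")
    return (hashlib.sha256(data[:7]).digest(),
            hashlib.sha256(data[7:]).digest())

def trimming(pw: str) -> bytes:
    # Hypothetical application that strips surrounding whitespace
    # before hashing, so leading/trailing spaces are silently lost.
    return hashlib.sha256(pw.strip().encode("utf-8")).digest()

def equivalent_groups(scheme, candidates):
    """Return lists of distinct passwords the scheme stores identically."""
    groups = defaultdict(list)
    for pw in candidates:
        groups[scheme(pw)].append(pw)
    return [g for g in groups.values() if len(g) > 1]

# Constructed sample passwords: variants differing by spaces, case, or tail.
CANDIDATES = [
    "correct horse",
    "correct horse ",
    " correct horse",
    "correct hxxxx",
    "Correct Horse",
    "correcthorse",
]

if __name__ == "__main__":
    for scheme in (modern, unix8, lm_style, trimming):
        print(scheme.__name__, equivalent_groups(scheme, CANDIDATES))
```

An empty list means the scheme keeps every candidate distinct; any non-empty group is a set of passwords that would all authenticate as each other.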