Security Basics mailing list archives

RE: Using non-printable characters in passwords


From: "dave kleiman" <dave () netmedic net>
Date: Thu, 7 Aug 2003 21:44:20 -0400

Birl,

To your original question:  It all depends on how the hash is being stored
in your "cross-platform" situation. Microsoft's Unicode table often does not
always map to the extended ASCII character representations of that
particular character.

What happens is although you type "ALT+somenumber" (on the number keypad) in
the keyboard (extended ASCII character) it is immediately translated into
the Unicode table representation of this.  That is why many programs
("user2sid", "L0pht", etc.) cannot represent this character. Microsoft stores
these in two separate strings; 1 is ANSI, 1 is Unicode.  If the program is
checking the ANSI string for username with "ALT+228" at the end it will not
find it. (Same thing if it is in the password).

Open Word, go to Insert Symbol. Click on the √ (square root symbol).

Look at the bottom of the table; it says "Character Code 221A from Unicode
(Hex)", "Shortcut Key 221A, Alt+X".  I bet you have to hit ALT+251 to
reproduce it though.


So your answer is "MAYBE".  If the hash is passed along in Unicode from
platform to platform and the Unicode tables match you may have a happy
cross-platform password.  For one software application it may work; for
another it might not.


There is a short reference to it in a post I made a while back, please take
a look at it.

http://www.securityfocus.com/archive/88/312263



 
_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net


-----Original Message-----
From: Birl [mailto:sbirl () temple edu] 
Sent: Thursday, August 07, 2003 13:26
To: security-basics () securityfocus com
Subject: Re: Using non-printable characters in passwords

Although I very much value the 4 responses I have received so far, I think
I should clarify my original question better:

Are there any other keys (or combination thereof) besides, CTRL or ALT,
that can be used?

Another question, is it possible to use CTRL + ALT +  <key>  at the
same time?   Where, obviously, <key> != DEL     :p

Third question:  Any good docs on CTRL combinations?

Right now I'm limited to ^n  (avoiding ^a ^c ^e ^h ^i ^j ^m ^q ^s ^u ^?
etc. for obvious UNIX reasons)


Thanks again.



As it was written on Aug 6, thus I spake unto
security-basics () securityfocus com:

Previous post:  Date: Wed, 6 Aug 2003 14:41:09 -0400 (EDT)
Previous post:  From: Birl <sbirl () temple edu>
Previous post:  Reply-To: security-basics () securityfocus com
Previous post:  To: security-basics () securityfocus com
Previous post:  Subject: Using non-printable characters in passwords
Previous post:
Previous post:  Using cross-platform keyboards (SUN, Windows, Mac), how does one use
Previous post:  non-printable characters in their passwords?
Previous post:
Previous post:  Since I work cross-platform, I use only a limited number of characters
Previous post:  while holding down the CTRL key.
Previous post:
Previous post:  Whilst searching Google, I came across a SecurityFocus article that said:
Previous post:  "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric
Previous post:  keypad"
Previous post:
Previous post:  Additionally, the Google search I used
Previous post:        non-printable characters passwords
Previous post:  came up with more information about recovery and programs to avoid using
Previous post:  non-printable characters.
Previous post:
Previous post:  Are there any other combinations?  If I recall correctly, a SANS
Previous post:  instructor mentioned making use of the "Print Screen" key.
Previous post:
Previous post:
Previous post:  Thanks in advance
Previous post:
Previous post:   Scott Birl                              http://concept.temple.edu/sysadmin/
Previous post:   Senior Systems Administrator            Computer Services Temple University
Previous post:
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
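
The ANSI/Unicode mismatch described in the reply above, as an added example that is not part of the original posts: it shows the bytes (and therefore the hash input) that a password ending in the ALT+251 or ALT+228 character produces under different encodings. The code pages (cp437 as the OEM page, cp1252 as the ANSI page) are assumptions, and SHA-256 is only a stand-in for whatever hash a given platform uses.

```python
import hashlib

OEM_CP = "cp437"    # assumption: US OEM code page behind ALT+<number> entry
ANSI_CP = "cp1252"  # assumption: Western European Windows "ANSI" code page
ENCODINGS = (OEM_CP, ANSI_CP, "utf-16-le", "utf-8")


def alt_code_to_char(code, codepage=OEM_CP):
    """Character produced by byte value `code` (0-255) in `codepage`."""
    return bytes([code]).decode(codepage)


def encodings_of(password):
    """Bytes each encoding stores for the password; None if unrepresentable."""
    stored = {}
    for name in ENCODINGS:
        try:
            stored[name] = password.encode(name)
        except UnicodeEncodeError:
            stored[name] = None  # character does not exist in this code page
    return stored


def digests_of(password):
    """SHA-256 is a stand-in for whatever hash each platform really uses."""
    return {name: hashlib.sha256(raw).hexdigest() if raw is not None else None
            for name, raw in encodings_of(password).items()}


def same_bytes(password, enc_a, enc_b):
    """True when both encodings can store the password as identical bytes."""
    stored = encodings_of(password)
    return stored[enc_a] is not None and stored[enc_a] == stored[enc_b]


if __name__ == "__main__":
    # Constructed sample passwords: ASCII only, ALT+251 suffix, ALT+228 suffix.
    for pw in ("Secret1", "Secret" + alt_code_to_char(251),
               "Secret" + alt_code_to_char(228)):
        print(ascii(pw), "OEM == ANSI bytes:", same_bytes(pw, OEM_CP, ANSI_CP))
        for name, raw in encodings_of(pw).items():
            print(f"  {name:10} {raw.hex() if raw is not None else 'unrepresentable'}")
```

An ASCII-only password yields the same bytes in every single-byte code page, which is why it survives the platform hop while the ALT-code characters may not.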
