Re: Using non-printable characters in passwords

[Mr Babak Memari <memari-b () softhome net>]

> -----Original Message-----
> From: Optrics Engineering - Shaun Sturby, MCSE [mailto:Shaun () Optrics com]
> Sent: Thursday, August 07, 2003 10:20 AM
> To: 'security-basics () securityfocus com'
> Cc: 'Edmunds, Ron'
> Subject: RE: Using non-printable characters in passwords
>
>
> Hello Ron,
>
> This depends on the code page or character set used on your system but it
> doesn't really matter what code page you use for this trick as all you really
> want is to use characters on your system that are not in the common 'a-z' 'A-Z'
> '0-1' set. This causes John the Ripper or the @Stake password cracker take much
> longer to crack your password.
>
> That is if your hacker doesn't use the system recently reported that takes 13
> seconds to compare, not generate and compare, your encrypted password to a
> pre-generated 1.7 GB list of all possible password hashes.
>
> Shaun
>
> P.S. Maybe I wasn't clear but the manifesto and hint listed below is not mine. I
> just did a Google search and forwarded what I thought was a good summary of this
> tip.


Hi all,

I must add these lines :

Minimum Password Length
Blank passwords and shorter-length passwords are easily guessed by
password cracking tools. To lessen the chances of a password being
cracked, passwords should be longer in length. Allowable values for this
option are 0 (no password required) or between 1 and 14 characters.
NOTE: In actuality, Windows 2000 and XP support
passwords up to 127 characters long. A password
longer than 14 characters has a distinct advantage in
that the LanManager hash of the password is invalid
with these longer passwords, and, therefore, cannot be
exploited as it normally could by password-cracking
utilities. Unfortunately, the security templates interface
will not allow setting of minimum password length to be
greater than 14. Also, if a network contains Windows 9x
or Windows NT 4.0 or earlier computers, the maximum
password length cannot exceed 14 characters since
those computers do not support entering passwords
that long in the UI.

NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:

NOTE:It is recommended that privileged users (such as
administrators) have passwords longer than 12
characters. An optional method of strengthening
administrative passwords is to use characters that are
not in the default character sets. For example, Unicode
characters 0128 through 0159 have two advantages: (1)
they cause the LanMan hash to be invalid, and (2) they
are not in the character set for any common password
crackers. Be careful using Unicode characters,
however. Certain Unicode characters, such as 0200 (È),
get converted into other characters, in this example
0069 (E) and then hashed, effectively weakening the
password. To enter these passwords, hold the ALT key
and type the number on the numeric key-pad. On a
notebook, hold down the FN and ALT keys and type the
number on the overlay numeric keypad.
12 Characters


-----
Babak from IRAN
www.voidspace.org.uk/babak
www.geocities.com/bmindex2000


---------------------------------------------------------------------------
----------------------------------------------------------------------------