Security Basics mailing list archives
Re: Using non-printable characters in passwords
From: Mr Babak Memari <memari-b () softhome net>
Date: Sun, 10 Aug 2003 21:26:20 +0300
-----Original Message-----
From: Optrics Engineering - Shaun Sturby, MCSE [mailto:Shaun () Optrics com]
Sent: Thursday, August 07, 2003 10:20 AM
To: 'security-basics () securityfocus com'
Cc: 'Edmunds, Ron'
Subject: RE: Using non-printable characters in passwords

Hello Ron,

This depends on the code page or character set used on your system, but it doesn't really matter what code page you use for this trick, as all you really want is to use characters on your system that are not in the common 'a-z' 'A-Z' '0-1' set. This causes John the Ripper or the @Stake password cracker to take much longer to crack your password. That is, if your hacker doesn't use the system recently reported that takes 13 seconds to compare, not generate and compare, your encrypted password to a pre-generated 1.7 GB list of all possible password hashes.

Shaun

P.S. Maybe I wasn't clear, but the manifesto and hint listed below is not mine. I just did a Google search and forwarded what I thought was a good summary of this tip.
Hi all, I must add these lines:

Minimum Password Length

Blank passwords and shorter-length passwords are easily guessed by password cracking tools. To lessen the chances of a password being cracked, passwords should be longer in length. Allowable values for this option are 0 (no password required) or between 1 and 14 characters.

NOTE: In actuality, Windows 2000 and XP support passwords up to 127 characters long. A password longer than 14 characters has a distinct advantage in that the LanManager hash of the password is invalid with these longer passwords, and, therefore, cannot be exploited as it normally could by password-cracking utilities. Unfortunately, the security templates interface will not allow setting of minimum password length to be greater than 14. Also, if a network contains Windows 9x or Windows NT 4.0 or earlier computers, the maximum password length cannot exceed 14 characters since those computers do not support entering passwords that long in the UI.

NOTE: It is recommended that privileged users (such as administrators) have passwords longer than 12 characters. An optional method of strengthening administrative passwords is to use characters that are not in the default character sets. For example, Unicode characters 0128 through 0159 have two advantages: (1) they cause the LanMan hash to be invalid, and (2) they are not in the character set for any common password crackers.

Be careful using Unicode characters, however. Certain Unicode characters, such as 0200 (È), get converted into other characters, in this example 0069 (E) and then hashed, effectively weakening the password.

To enter these passwords, hold the ALT key and type the number on the numeric key-pad. On a notebook, hold down the FN and ALT keys and type the number on the overlay numeric keypad.
12 Characters

-----
Babak from IRAN
www.voidspace.org.uk/babak
www.geocities.com/bmindex2000
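Added example, not part of the original message or of any tool named in the thread: a simplified Python model of the LanManager input preparation described above (upper-casing, the 14-character limit, two 7-byte halves) that can be used to review whether a candidate password would still yield a valid LM hash. The accent folding via NFKD and the choice of code page 437 are assumptions standing in for Windows' own conversion tables, and the sample passwords are constructed.

```python
import unicodedata

LM_MAX_LEN = 14          # LM only accepts up to 14 bytes of password
OEM_CODEPAGE = "cp437"   # assumption: US OEM code page; real systems vary


def fold(ch):
    """Rough model of the conversion the post warns about (È -> E).

    Assumption: NFKD decomposition, dropping combining marks, upper-casing,
    standing in for Windows' own conversion tables."""
    decomposed = unicodedata.normalize("NFKD", ch)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).upper()


def lm_input(password):
    """Return the two 7-byte halves LM would hash, or None if the password
    cannot yield a valid LM hash (too long, or not representable)."""
    if len(password) > LM_MAX_LEN:
        return None
    try:
        raw = "".join(fold(c) for c in password).encode(OEM_CODEPAGE)
    except UnicodeEncodeError:
        return None
    if len(raw) > LM_MAX_LEN:
        return None
    raw = raw.ljust(LM_MAX_LEN, b"\x00")  # pad with NUL bytes to 14
    return raw[:7], raw[7:]               # each half is hashed separately


def review(password):
    """Classify a candidate password for a policy review."""
    if lm_input(password) is None:
        return "no valid LM hash"
    if any(fold(c) != c.upper() for c in password):
        return "LM hash valid, special characters folded away"
    return "LM hash valid"


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the thread.
    # \u00c8 is È (ALT+0200); \u20ac is the character ALT+0128 yields
    # on a Windows-1252 system.
    for pw in ["Summer2003", "caf\u00c8", "pa\u20acss", "x" * 15]:
        print(repr(pw), "->", review(pw), lm_input(pw))
```

In this model a password containing È prepares the same LM input as one containing a plain E, which is the weakening the quoted guidance warns about.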