Penetration Testing mailing list archives
RE: Whitespace in passwords
From: "dave kleiman" <dave () isecureu com>
Date: Sun, 18 Sep 2005 17:08:43 -0400
Craig, Are you suggesting they have a Unicode/extend ASCII table hidden from use? How about we try possibly forcing Unicode character: if(strInList(szPwd,aBadWords)) bComplex = FALSE; if(cchPassword > 9){ for(i = 0; i < cchPassword ; i++){ if(szPwd[i] & C1_DIGIT) { dwNum = 1; continue; } if(szPwd[i] & C1_UPPER) { dwUpper = 1; continue; } if(szPwd[i] & C1_LOWER) { dwLower = 1; continue; } if(szPwd[i] & C1_SYMBOL) { dwSym = 1; continue} if(isUnicode(szPwd[i])) {dwUnicode = 1; continue} } if(bUserIsAdmin){ //Admins need better passwords than users if ((dwNum + dwUpper + dwLower + dwSym + dwUnicode == 5) && cchPassword>14) bComplex = TRUE; } else { //User is not an admin, use lower requirements if(dwNum + dwUpper + dwLower + dwSym + dwUnicode) >= 4) bComplex = TRUE; } I will see if I can find more info for you. Dave
-----Original Message----- From: Craig Wright [mailto:cwright () bdosyd com au] Sent: Sunday, September 18, 2005 16:55 To: dave kleiman; pen-test () securityfocus com Cc: Anders Thulin; bryan allott; compuwar () gmail com; Peter Parker Subject: RE: Whitespace in passwords Please note I was pointing to the "success rates" table for NTLM The lowest is 80.19% as it stands. This is not all the tables are precomputed, but there is still an 80+ % crack rate (and this is growing) Further - this is not the only table source. Further - there is no manner in which you will enforce extended passwords. As I initially stated - the issue is in protecting the password and stopping a copy from being tested. There are means available to do this. If you are still on NT 4.0 - than it is time to upgrade. The success rate is 80.19% for "alpha numeric symbol 32 space" - this is EVERYthing in NTLM - not just space or extended - the table is 53% derived- but if you read further - this equates to an 80.19% crack rate. Remember there is a user at the other end - they have to remember. Please explain how a user will enter and remember a passphrase such as "S%'beep'('Smiley face'?G$" - where ' ' encloses extended chars Craig -----Original Message----- From: dave kleiman [mailto:dave () isecureu com] Sent: Mon 19/09/2005 5:49 AM To: pen-test () securityfocus com Cc: 'Anders Thulin'; 'bryan allott'; Craig Wright; compuwar () gmail com; 'Peter Parker' Subject: RE: Whitespace in passwords
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- RE: Whitespace in passwords, (continued)
- RE: Whitespace in passwords Andrew Meyers (Sep 08)
- Re: Whitespace in passwords Steve.Cummings (Sep 11)
- RE: Whitespace in passwords dave kleiman (Sep 12)
- Re: Whitespace in passwords Tim (Sep 14)
- RE: Whitespace in passwords dave kleiman (Sep 12)
- RE: Whitespace in passwords Craig Wright (Sep 14)
- RE: Whitespace in passwords Craig Wright (Sep 18)
- RE: Whitespace in passwords dave kleiman (Sep 19)
- Re: Whitespace in passwords Stephen J. Smoogen (Sep 19)
- RE: Whitespace in passwords Craig Wright (Sep 19)
- RE: Whitespace in passwords Craig Wright (Sep 19)
- RE: Whitespace in passwords dave kleiman (Sep 19)
- RE: Whitespace in passwords Bryan McAninch (Sep 19)
- Re: Whitespace in passwords Tim (Sep 19)
- RE: Whitespace in passwords Craig Wright (Sep 20)
- Re: Whitespace in passwords Tim (Sep 20)
- RE: Whitespace in passwords Craig Wright (Sep 20)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)
- Message not available
- Re: Whitespace in passwords Sahir Hidayatullah (Sep 22)
- Message not available
- RE: Whitespace in passwords Steve.Cummings (Sep 21)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)