Security Basics mailing list archives

RE: Using non-printable characters in passwords


From: Birl <sbirl () temple edu>
Date: Mon, 25 Aug 2003 15:41:38 -0400 (EDT)

As it was written on Aug 12, thus Meidinger Chris spake:

Chris:  Date: Tue, 12 Aug 2003 08:10:57 +0100
Chris:  From: Meidinger Chris <chris.meidinger () badenit de>
Chris:  To: "'security-basics () securityfocus com'"
Chris:      <security-basics () securityfocus com>
Chris:  Subject: RE: Using non-printable characters in passwords
Chris:
Chris:  I know you don't want to hear this, but remember that MS Windows NT or 2000
Chris:  running in hybrid mode uses an NTLM hash to represent the password. This
Chris:  hash represents only 7 characters, meaning that if you have a 21 character
Chris:  password, it is really 3 consecutive 7 character passwords. Thus your 21
Chris:  char pass is barely stronger than a 7 character password. For this reason
Chris:  complexity is very important in Windows, and not length.
Chris:
Chris:  just a reminder for anyone in a windows environment who is setting password
Chris:  requirements.
Chris:
Chris:  badenIT GmbH
Chris:  System Support
Chris:
Chris:  Chris Meidinger
Chris:  Tullastrasse 70
Chris:  79108 Freiburg


Ah, you must re-read my original post.
Since I work cross-platform, I look for cross-platform solutions.

I use SecureCRT (at work) to ssh from Windows to Solaris 9.
I use Cygwin at home to get into my Solaris 9 server.

I am aware of the 2 hashes in NT, but my concern is more compatibility
between platforms.  Yes, complexity is best, but wouldn't help me if the
keyboard or application cannot translate the keystrokes correctly.

Thanks for the information anyway.  I'm sure it will be useful to someone
else.


Chris:  -----Original Message-----
Chris:  From: Birl [mailto:sbirl () temple edu]
Chris:  Sent: Wednesday, August 06, 2003 8:41 PM
Chris:  To: security-basics () securityfocus com
Chris:  Subject: Using non-printable characters in passwords
Chris:
Chris:
Chris:  Using cross-platform keyboards (SUN, Windows, Mac), how does one use
Chris:  non-printable characters in their passwords?
Chris:
Chris:  Since I work cross-platform, I use only a limited number of characters
Chris:  while holding down the CTRL key.
Chris:
Chris:  Whilst searching Google, I came across a SecurityFocus article that said:
Chris:  "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric
Chris:  keypad"
Chris:
Chris:  Additionally, the Google search I used
Chris:        non-printable characters passwords
Chris:  came up with more information about recovery and programs to avoid using
Chris:  non-printable characters.
Chris:
Chris:  Are there any other combinations?  If I recall correctly, a SANS
Chris:  instructor mentioned making use of the "Print Screen" key.
Chris:
Chris:
Chris:  Thanks in advance
Chris:
Chris:   Scott Birl                              http://concept.temple.edu/sysadmin/
Chris:   Senior Systems Administrator            Computer Services   Temple University
