Penetration Testing mailing list archives

Re: Whitespace in passwords


From: Paul Robertson <compuwar () gmail com>
Date: Fri, 16 Sep 2005 13:47:28 -0400

On 9/9/05, Peter Parker <peterparker () fastmail fm> wrote:

Most of the available crackers have the option to brute all possible
characters (including whitespace). We want strong passwords because we
don't want them to be compromised (by any means).

Strong passwords *normally* force users to write them down, and unless
you've exposed a dictionary-attackable service like OWA, don't really
help, since the big risk is local exploitation where those little
yellow notes make all the difference.



Since _most_ of the precomputed tables available for rainbow crack are
generally not ones generated with whitespace, I started using it
regularly in my passwords :D

1.  Thanks for helping reduce the keyspace necessary to acquire your
passwords :-P
2.  The newest Shmoo tables include the space character.
3.  Disabling backwards-compatible hashes and the local storage of
hashes (if possible) will go a lot further than hoping that an
attacker's tables don't have the characters you're using or that the
math doesn't suddenly become easy.
4.  OTPs which are well-generated in hardware are generally worth more
than any other scheme for solving the password problem.

Paul
-- 
www.compuwar.net
