Penetration Testing mailing list archives
Re: Whitespace in passwords
From: Tim <pand0ra.usa () gmail com>
Date: Mon, 19 Sep 2005 13:10:20 -0600
Ok, we are now onto Rainbow tables. Sure, they can recover passwords very quickly, BUT they too have a limitation. Currently the Shmoo tables are focused on LanMan challenge/responses, which we all know are WEAK (in so many meanings of the word). Rainbow tables take quite a bit of time to generate, and to go through all of the possible combinations for a table that is ALL LOWERCASE and 14 characters long, regardless of the algo, would take more time than I have on this planet (possibly more time than all of us combined).

I am so sorry for using LanMan as an example in my earlier post. LanMan only goes to 7 characters, as that is the foundation of one of its biggest flaws. Also, keep in mind that there are not too many programs that accept Alt-ASCII characters, so that may not be acceptable.

Bryan Allott posted earlier the biggest point --> passPHRASES <-- Go back to my earlier post with the math (ignore that I used LanMan as an example). The longer the passPHRASE, the exponentially more difficult it becomes to recover the passPHRASE. Any password that is under 10 characters is EASILY recoverable within the typical 90 day expiration time. That is why pushing the users to create easily remembered passPHRASES is much more effective than some sort of gobbledygook that they will have a hard time remembering and end up writing down on a post-it note stuck to their monitor.

One stupid character (regardless of what it is) will NOT make a significant difference. Do not assume that throwing in an Alt-182 character will make your password 'unbreakable'.
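To put numbers behind the post's argument about length versus a single exotic character, and behind its remark that LanMan "only goes to 7 characters", here is an added worked example that is not part of the original mailing-list message. It models a password search space as alphabet_size ** length, treats a LanMan hash as two independently searched 7-character halves over an (assumed) 69-symbol uppercase alphabet, and takes the guess rate as an assumed parameter, not a measured figure.

```python
"""Password search-space arithmetic for the length-vs-odd-character argument.

Added example (not from the original post). Alphabet sizes and the guess
rate used in the demo are assumptions chosen for illustration.
"""
import math

LOWER = 26            # a-z
LOWER_SPACE = 27      # a-z plus the space character (a lowercase passphrase)
PRINTABLE = 95        # printable ASCII 0x20-0x7E, space included
LM_ALPHABET = 69      # assumption: LanMan uppercases letters, so roughly
                      # 26 letters + 10 digits + 33 punctuation symbols


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def bits(space: int) -> float:
    """Search space expressed as bits of entropy (log2)."""
    return math.log2(space)


def lanman_keyspace(length: int) -> int:
    """Effective search space for a LanMan hash of a password of `length`.

    LanMan truncates to 14 characters and hashes two 7-character halves
    separately, so each half is attacked on its own: the cost is the SUM of
    the two halves' spaces, never 69**14.  An empty second half costs
    nothing because its hash is a fixed, known value.
    """
    length = min(length, 14)
    first_half = min(length, 7)
    second_half = max(length - 7, 0)
    space = LM_ALPHABET ** first_half
    if second_half:
        space += LM_ALPHABET ** second_half
    return space


def days_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock days to try every candidate at an assumed guess rate."""
    return space / guesses_per_second / 86400


def compare_strategies(base_len: int = 8, base_alphabet: int = LOWER,
                       extra_len: int = 4) -> dict:
    """Growth factor from appending ONE printable symbol versus appending
    `extra_len` more characters from the same (weak) alphabet."""
    base = keyspace(base_len, base_alphabet)
    one_odd_char = base * PRINTABLE                      # e.g. tack on Alt-182
    longer = keyspace(base_len + extra_len, base_alphabet)
    return {
        "base_bits": bits(base),
        "odd_char_factor": one_odd_char // base,         # always just 95
        "longer_factor": longer // base,                 # base_alphabet ** extra_len
    }


if __name__ == "__main__":
    RATE = 1e9  # assumption: one billion guesses per second

    c = compare_strategies()
    print(f"8 lowercase chars: {c['base_bits']:.1f} bits")
    print(f"  + one odd symbol  -> x{c['odd_char_factor']}")
    print(f"  + four more chars -> x{c['longer_factor']}")

    # A 20-character lowercase passphrase with spaces vs. an 8-char complex password
    print(f"20-char a-z+space passphrase: {bits(keyspace(20, LOWER_SPACE)):.1f} bits")
    print(f"8-char full-printable password: {bits(keyspace(8, PRINTABLE)):.1f} bits")

    # Why LanMan is the wrong example: 14 chars is not 69**14 of work
    print(f"LanMan 14-char, naive : {bits(keyspace(14, LM_ALPHABET)):.1f} bits")
    print(f"LanMan 14-char, actual: {bits(lanman_keyspace(14)):.1f} bits, "
          f"{days_to_exhaust(lanman_keyspace(14), RATE):.2f} days at {RATE:.0e}/s")
```

The point the numbers make: appending one unusual symbol multiplies the work by at most 95 (under 7 bits) wherever it is placed, while four more ordinary characters multiply it by 26**4, and a 20-character lowercase passphrase with spaces outgrows an 8-character "complex" password by a wide margin. The LanMan function shows why the post retracts that example: the two-halves design caps the real cost at 2 * 69**7 regardless of length.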