Penetration Testing mailing list archives
RE: Whitespace in passwords
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 22 Sep 2005 08:44:39 +1000
If you are this worried and the users are capable enough - than use OTP's or certificates or something RSA keyfobs or SKEY beat passwords hands down Craig -----Original Message----- From: Steve.Cummings () barclayscapital com [mailto:Steve.Cummings () barclayscapital com] Sent: 21 September 2005 5:27 To: Craig Wright; BMcAninch () PENSON COM; pen-test () securityfocus com Cc: pand0ra.usa () gmail com Subject: RE: Whitespace in passwords I never said that I didn't agree with you but the alt system in my book is a more useful way of protecting passwords than 14 character password etc Regards Steve Cummings Barclays Capital DDI 0207 773 4245 -----Original Message----- From: Craig Wright [mailto:cwright () bdosyd com au] Sent: 21 September 2005 07:32 To: Cummings, Steve: IT (LDN); BMcAninch () PENSON COM; pen-test () securityfocus com Cc: pand0ra.usa () gmail com Subject: RE: Whitespace in passwords John was a tool which was good a decade ago The tools have moved on - just because not everyone here has used precomputed tables and quadratic methods does not mean that an attacker does not know of them. I am sure that Barclays Capital has enough of a presence to attract the corporate criminal type... I reiterate - the real issue is to stop an attacker getting this info in the first place. Secure Server plus secure client settings in group policy on a MSFT network and this is no longer an issue. "An Ounce of Prevention is worth a pound of cure"... Craig -----Original Message----- From: Steve.Cummings () barclayscapital com [mailto:Steve.Cummings () barclayscapital com] Sent: 21 September 2005 3:37 To: Craig Wright; BMcAninch () PENSON COM; pen-test () securityfocus com Cc: pand0ra.usa () gmail com Subject: Re: Whitespace in passwords Try the password of your choice with alt 255 in the middle currently things like lopht and john don't get near it -----Original Message----- From: Craig Wright <cwright () bdosyd com au> To: Cummings, Steve: IT (LDN) <Steve.Cummings () barclayscapital com>; BMcAninch () PENSON COM <BMcAninch () PENSON COM>; pen-test () securityfocus com <pen-test () securityfocus com> CC: pand0ra.usa () gmail com <pand0ra.usa () gmail com> Sent: Tue Sep 20 20:27:52 2005 Subject: RE: Whitespace in passwords HI 1st it does not make them untouchable Next, MOST applications do not accept Alt+xxx based passwords - very few users will use them as well Do your users authenticate via a Radius systems, the web...? Any of these will not accept Alt+xxx chars. Most users will have issues using this the following does not make a very memerable password - see how often it is remembered? ¦ß?|?O11s Craig -----Original Message----- From: Steve.Cummings () barclayscapital com [mailto:Steve.Cummings () barclayscapital com] Sent: Wed 21/09/2005 2:41 AM To: Craig Wright; BMcAninch () PENSON COM; pen-test () securityfocus com Cc: pand0ra.usa () gmail com Subject: Re: Whitespace in passwords Why aren't alt characters feasible alt255 is an easy one for anyone to remember and if the policy for passwords dictates the requirement then most large firms would accept this especially if it made the password in the current view untouchable for the for seable future ------------------------------------------------------------------------ For more information about Barclays Capital, please visit our web site at http://www.barcap.com. Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message. Although the Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Barclays Group. Replies to this email may be monitored by the Barclays Group for operational or business reasons. ------------------------------------------------------------------------ ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Whitespace in passwords, (continued)
- Re: Whitespace in passwords Tim (Sep 20)
- RE: Whitespace in passwords Craig Wright (Sep 20)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)
- Message not available
- Re: Whitespace in passwords Sahir Hidayatullah (Sep 22)
- Message not available
- RE: Whitespace in passwords Steve.Cummings (Sep 21)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)
- RE: Whitespace in passwords Craig Wright (Sep 21)
- Re: Whitespace in passwords Steve.Cummings (Sep 21)
- RE: Whitespace in passwords Craig Wright (Sep 21)
- RE: Whitespace in passwords Craig Wright (Sep 21)