Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Whitespace in passwords

From: "Sahir Hidayatullah" <sahirh () mielesecurity com>
Date: Thu, 22 Sep 2005 15:14:50 +0530 (IST)


Why aren't alt characters feasible alt255 is an easy one for anyone to
remember and if the policy for passwords dictates the requirement then
most large firms would accept this especially if it made the password in
the current view untouchable for the for seable future



Just as most password cracking tools don't support this range, you run a
real risk of breaking your applications that were not coded with this
consideration. Programatically, since everything after alt+127 is part of
the extended ASCII character set, many applications will have filters and
parsers that don't consider this range.

For example, imagine an application has a function that checks if the
input password is alphanumeric + special characters -- chances are strong
that the programmer will check if the characters are within the ascii
range from 48 - 126.
(reference this ascii table:
http://www.cdrummond.qc.ca/cegep/informat/Professeurs/Alain/files/ascii.htm)

If you have an alt + <something above 126> in your password, that function
will fail. You might have account lockout scenarios, where a user was
allowed to change the password with an extended character, but the
application login screen checks for alphanumeric+special chars (I have
seen this happen).

This is just a small example off the top of my head, there are many more
scenarios were you can run into trouble with extended characters.
Unfortunately security foresight is not usually something that goes hand
in hand with application development.

Of course, you could have all your apps recoded properly, but thats rather
like nuking your house to solve a roach problem ;)

Cheers,

Sahir Hidayatullah
Technical Consultant - Information Security.





-----Original Message-----
From: Craig Wright <cwright () bdosyd com au>
To: Bryan McAninch <BMcAninch () PENSON COM>; pen-test () securityfocus com
<pen-test () securityfocus com>
CC: pand0ra.usa () gmail com <pand0ra.usa () gmail com>
Sent: Tue Sep 20 02:01:34 2005
Subject: RE: Whitespace in passwords

Precomputed tables - all lanman  fits into 64Gb - time to post about a
week
Complete tables - all NTLM MD5 etc should fit to about 2.5 Gb - there are
external usb drive packs larger than this

Re the 1024-bit RSA keypair - there is some good work being done using
quadratic methods

The point is that anyone can download a "14 character all lowercase
passphrase with numbers" precomputed database and crack all of these in
milliseconds with an old P3

The "14 character all lowercase passphrase with numbers" set is only 3gb
and it took me a week to generate - without dedicating the hosts - see lm
configuration #5 at http://www.antsight.com/zsl/rainbowcrack/

Go further lm #6 and I quote from the page "This charset includes all
possbile characters on a standard keyboard (not including those alt+xxx
characters)"

As previously stated - with standard users (ie any large firm) alt+xxx
chars are NOT feasible

Regards
Craig

PS

Some reading for those (like me) that enjoy maths re the RSA keys

Biehl and J. Buchmann, An analysis of the reduction algorithm for binary
quadratic forms, <i>Voronoi's Impact on Modern Science</i> (Kyiv,
Ukriaine) (P. Engel and H. Syta, eds.), Vol. 1, Institute of Mathematics
of National Academy of Sciences (1999).

Dan Boneh , Matthew K. Franklin, Identity-Based Encryption from the Weil
Pairing, Proceedings of the 21st Annual International Cryptology
Conference on Advances in Cryptology, p.213-229, August 19-23, 2001

D.A. Cox, <i>Primes of the form x<sup>2</sup> + ny<sup>2</sup></i>, John
Wiley & Sons, New York (1989).

Damian Weber , Thomas F. Denny, The Solution of McCurley's Discrete Log
Challenge, Proceedings of the 18th Annual International Cryptology
Conference on Advances in Cryptology, p.458-471, August 23-27, 1998

-----Original Message-----
From: Bryan McAninch [mailto:BMcAninch () PENSON COM]
Sent: 20 September 2005 3:21
To: pen-test () securityfocus com
Cc: pand0ra.usa () gmail com
Subject: RE: Whitespace in passwords


As I understand it, the central limit theorem states that a randomized
brute force attempt only takes x^y/x or x^(y-1) operations to crack a
given keyspace, where x is the base (number of valid characters), y is the
exponentiation variable (length) and x^y is the keyspace (total
combinations).

For example (pardon the formatting):

60^7/60  =          2799360000000/60 = 46656000000           -> 60^(7-1) =
60^6  = 46656000000 operations
86^7/86  =         34792782221696/86 = 404567235136          -> 86^(7-1) =
86^6  = 404567235136 operations
62^8/62  =        218340105584896/62 = 3521614606208         -> 62^(8-1) =
62^7  = 3521614606208 operations
86^8/86  =       2992179271065856/86 = 34792782221696        -> 86^(8-1) =
86^7  = 34792782221696 operations
36^14/36 = 6140942214464815497216/36 = 170581728179578208256 -> 36^(14-1)=
36^13 = 170581728179578208256 operations

This is why public key authentication is recommended over passwords
authentication. Given a mere 1024-bit key, it would theoretically take
2^1023 operations to crack the key:

2^1024 = (1.797693134862315907729305190789 * 10^308)/2 =
8.9884656743115795386465259539451 * 10^307 -> 10^1023 =
8.9884656743115795386465259539451 * 10^307

Taking the 36^14 password above and comparing it to a 1024-bit RSA
keypair, you have the follwing difference:

(2^1023) - (36^13) = (8.9884656743115795386465259539451 * 10^307) -
(170581728179578208256) = 8.9884656743115795386465259539451e * 10^307 more
operations with a 1024-bit RSA keypair, quite a difference! :)

Cheers,
Bryan

-----Original Message-----
From: Tim [mailto:pand0ra.usa () gmail com]
Sent: Monday, September 12, 2005 01:01 PM
To: pen-test () securityfocus com
Subject: Re: Whitespace in passwords

It all about the math. Let's write it out, say you have a machine that
runs 3,000,000 combinations per second (about a 1.6 GHz machine). In this
example we will use the Windows LanMan Challange/Response (which is bad to
begin with, but the main key in this is that it does not use a salt).

60 possible characters and the password is 7 characters long.(no spaces)
60^7 = 2,799,360,000,000 = 10.8 days (A-Z, 0-9, special)

86 possible characters and the password is 7 characters long.(no spaces)
86^7 = 34,792,782,221,696 = 134.23 days (A-Z, a-z, 0-9, special)

62 possible characters and the password is 8 characters long.(no spaces)
62^8 = 218,340,105,584,896 = 2.3 years (A-Z, 0-9, special)

86 possible characters and the password is 8 characters long.(no spaces)
86^8 = 2992179271065856 = 31.62 years (A-Z, a-z, 0-9, special)

36 possible characters and the password is 14 characters long. (no spaces)
36^14 = 6,140,942,214,464,815,497,216 combinations = 64,909,333 years
(a-z, 0-9) 2bigbrown1dogs (throw some special characters in) We have 2 big
brown dogs! (25 characters using numbers, upper and lower, and special
cahracters, you do the math). Microsoft Windows supports up to ~250
characters for the passwords/phrases.

The point here is that a 14 character all lowercase passphrase with
numbers is millions of time more difficult that a 'strong' 8 character
password with all sorts of characters. A space is just another character
and don't believe that it will protect you from getting your password
cracked (security through obsecurity?). Also, keep in mind that if you use
a algo that has a salt and supports many characters you will be much
better off. Instead of making things more complex for your users (which
also increses the risk of them posting their password on a stick-it note)
make the passphrase easy for them to remember.

Side note: Disable LanMan on all Windows machines if you are not running
any Windows 95/98/ME machines. It is there for backward compatability and
is still enabled by default on Windows 2003 Servers.


On 9/11/05, dave kleiman <dave () isecureu com> wrote:

They also do not have a lot of the Extended ASCII characters:

http://www.securityfocus.com/archive/88/312263


Dave


-----Original Message-----
From: Steve.Cummings () barclayscapital com
[mailto:Steve.Cummings () barclayscapital com]
Sent: Thursday, September 08, 2005 12:54
To: AMeyers () msolgroup com; Anders.Thulin () tietoenator com;
homegrown () bryanallott net; pen-test () securityfocus com
Subject: Re: Whitespace in passwords

Alt characters are also pretty cool

Try alt 255 this is blank space


-----Original Message-----
From: Andrew Meyers <AMeyers () msolgroup com>
To: Anders Thulin <Anders.Thulin () tietoenator com>; bryan allott
<homegrown () bryanallott net>; pen-test () securityfocus com
<pen-test () securityfocus com>
Sent: Thu Sep 08 01:40:34 2005
Subject: RE: Whitespace in passwords

I like pass phrases better because crackers like john and l0pht, by
default, don't have white spaces in their list of characters.


-------------------
Andrew Meyers
Systems Engineer
Managed Solution
Email: ameyers () mssandiego com
Phone: 619-220-0544 x115
Fax: 619-220-0599
http://www.mssandiego.com

-----Original Message-----
From: Anders Thulin [mailto:Anders.Thulin () tietoenator com]
Sent: Wednesday, September 07, 2005 3:17 AM
To: bryan allott; pen-test () securityfocus com
Subject: RE: Whitespace in passwords


From: bryan allott [mailto:homegrown () bryanallott net]



to the misnomer "passWORD" rather than passPHRASE but it seems
that [most?] people choose passes that dont contain whitespaces,


  Most people still stick to alphanumeric passwords, and most of
those are passwords where the digits are placed at the end.
Whitespace is probably not more special than any of the other
'specials' that appear on a standard keyboard. A problem is to know
just what those are -- a look at a keyboard may lead a user to think
the 'x' on the keypad is a different special character than the '*'.


my main question, re security, is wether the whitespace made the
password too vulnerable? [historically] and why this constraint is
introduced in many systems..


  Tradition, probably.  In environments where users are given fixed
passwords that they can't change themselves, space belongs together
with S58, O0, and Il1 to the characters that probably will be
misunderstood, and so cause calls to helpdesk.
Anything that is likely to cause a help-desk call is a no-no in
large environments.

  Another aspect is regularity of user interface design:
should space be treated as significant when it appears first and
last in a string in general, say a Search field in a text editor or
a From- field in an e-mail program? If not, spaces first and last in
passwords will be assumed to be insignificant as well -- and so
become another source for helpdesk complaints.
Regularity pays off.

 [but then, if

myth- why propogate it?]


  Probably also a case that password are seldom documented in
detail, and few people are willing to sit down to find out details
by experiment.
(Windows NT hashes use the OEM character set ... which is another
source of documentation problems.)  So instructions for password
construction tend to avoid mentioning characters that might be
troublesome, even though there are some important things to know.

  For instance, dead accent keys (on my kbd ^ is one) usually don't
change the base character in a password, so 'pass' and 'pâss' may
produce the same password hash.

  The most useful character to have in a reasonably modern Windows
password is EUR (Alt-Gr E on my kbd.) I suspect the reason why is
well known -- if not, I'll leave it as an exercize. I'm sure there
are similar 'oddities' on other password situations.


i'm thinking that whitespaces [if yr system can handle them, and
why not?] would add another measure of complexity in cracking
pwds?


  Of course they do.  But ... if you alredy have an adequate
password protection -- say, accounts are locked out after 25 failed
attempts per day regardless of source --  the extra complexity
doesn't add much protection.  (If you have the password hashes,
security has already failed, and any attempt to add a last line of
defense in the form of password complexity is misguided: it's only a
question of time before the passwords are discovered, and that time
should not be left to users to ensure.)

Anders Thulin   anders.thulin () tietoenator com   040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö




--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping
carts, forms, login pages, dynamic content etc. Firewalls, SSL and
locked-down servers are futile against web application hacking.
Check your website for vulnerabilities to SQL injection, Cross site
scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------


--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping
carts, forms, login pages, dynamic content etc. Firewalls, SSL and
locked-down servers are futile against web application hacking.
Check your website for vulnerabilities to SQL injection, Cross site
scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------




--------------------------------------------------------------
----------
For more information about Barclays Capital, please visit our web
site at http://www.barcap.com.


Internet communications are not secure and therefore the Barclays
Group does not accept legal responsibility for the contents of this
message.  Although the Barclays Group operates anti-virus
programmes, it does not accept responsibility for any damage
whatsoever that is caused by viruses being passed.  Any views or
opinions presented are solely those of the author and do not
necessarily represent those of the Barclays Group.  Replies to this
email may be monitored by the Barclays Group for operational or
business reasons.

--------------------------------------------------------------
----------


--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping
carts, forms, login pages, dynamic content etc. Firewalls, SSL and
locked-down servers are futile against web application hacking.
Check your website for vulnerabilities to SQL injection, Cross site
scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------







----------------------------------------------------------------------
-------- Audit your website security with Acunetix Web Vulnerability
Scanner:

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping
carts, forms, login pages, dynamic content etc. Firewalls, SSL and
locked-down servers are futile against web application hacking. Check
your website for vulnerabilities to SQL injection, Cross site scripting
and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------
---------





--
Tim Van Cleave

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before
hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before
hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------






------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: