Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Whitespace in passwords

From: "Andrew Meyers" <AMeyers () msolgroup com>
Date: Wed, 7 Sep 2005 17:40:34 -0700
I like pass phrases better because crackers like john and l0pht, by default, don't have white spaces in their list of 
characters. 


-------------------
Andrew Meyers
Systems Engineer
Managed Solution
Email: ameyers () mssandiego com
Phone: 619-220-0544 x115
Fax: 619-220-0599
http://www.mssandiego.com

-----Original Message-----
From: Anders Thulin [mailto:Anders.Thulin () tietoenator com] 
Sent: Wednesday, September 07, 2005 3:17 AM
To: bryan allott; pen-test () securityfocus com
Subject: RE: Whitespace in passwords


From: bryan allott [mailto:homegrown () bryanallott net]



to the misnomer "passWORD" rather than passPHRASE but it seems that 
[most?] people choose passes that dont contain whitespaces,


  Most people still stick to alphanumeric passwords, and most of those are passwords where the digits are placed at the 
end.
Whitespace is probably not more special than any of the other 'specials' that appear on a standard keyboard. A problem 
is to know just what those are -- a look at a keyboard may lead a user to think the 'x' on the keypad is a different 
special character than the '*'.


my main question, re security, is wether the whitespace made the 
password too vulnerable? [historically] and why this constraint is 
introduced in many systems..


  Tradition, probably.  In environments where users are given fixed passwords that they can't change themselves, space 
belongs together with S58, O0, and Il1 to the characters that probably will be misunderstood, and so cause calls to 
helpdesk.
Anything that is likely to cause a help-desk call is a no-no in large environments.
  
  Another aspect is regularity of user interface design: should space be treated as significant when it appears first 
and last in a string in general, say a Search field in a text editor or a From- field in an e-mail program? If not, 
spaces first and last in passwords will be assumed to be insignificant as well -- and so become another source for 
helpdesk complaints.
Regularity pays off.

 [but then, if 

myth- why propogate it?]


  Probably also a case that password are seldom documented in detail, and few people are willing to sit down to find 
out details by experiment.
(Windows NT hashes use the OEM character set ... which is another source of documentation problems.)  So instructions 
for password construction tend to avoid mentioning characters that might be troublesome, even though there are some 
important things to know. 

  For instance, dead accent keys (on my kbd ^ is one) usually don't change the base character in a password, so 'pass' 
and 'pâss' may produce the same password hash.

  The most useful character to have in a reasonably modern Windows password is EUR (Alt-Gr E on my kbd.) I suspect the 
reason why is well known -- if not, I'll leave it as an exercize. I'm sure there are similar 'oddities' on other 
password situations.


i'm thinking that whitespaces [if yr
system can handle them, and why not?] would add another measure of 
complexity in cracking pwds?


  Of course they do.  But ... if you alredy have an adequate password protection -- say, accounts are locked out after 
25 failed attempts per day regardless of source --  the extra complexity doesn't add much protection.  (If you have the 
password hashes, security has already failed, and any attempt to add a last line of defense in the form of password 
complexity is misguided: it's only a question of time before the passwords are discovered, and that time should not be 
left to users to ensure.) 

Anders Thulin   anders.thulin () tietoenator com   040-661 50 63          
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö

 


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are 
launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile 
against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and 
other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: