Re: Using non-printable characters in passwords
And you thought the UUENCODE bug was limited to URL hacks? Nah. Warning: Some systems will let you SET passwords using characters which are unrecognized by the system to gain access, resulting in you locking yourself out. It pays to know field separators, for instance. Things like " " (the space character) are a bad idea... Jim "Optrics Engineering - Shaun Sturby, MCSE" wrote: > > Executive Summary: This manifesto is designed to give system administrators a > better grasp on the importance of password security. It is also designed to help > users understand the importance of choosing a strong password > > http://www.somorita.com/Networking/PasswordManifesto.asp > > Want to make it even stronger? The there are some characters that you can type > but that don't exist on the keyboard. I call these ALT characters. You get > these characters by holding down the ALT key and typing a code on the numeric > keypad. For example, if I type ALT-156 I get ?. Pretty kewl, eh? And you can > use that as a key combination as one of the characters in your password. Most > password cracking programs never check those characters and if they did it would > take them much longer to crack passwords. Some of the common ALT combinations > are shown at the end of this document. > > -Original Message- > From: Birl [mailto:[EMAIL PROTECTED] > Sent: Wednesday, August 06, 2003 12:41 PM > To: [EMAIL PROTECTED] > Subject: Using non-printable characters in passwords > > Using cross-platform keyboards (SUN, Windows, Mac), how does one use > non-printable characters in their passwords? > > Since I work cross-platform, I use only a limited number of characters > while holding down the CTRL key. > > Whilst searching Google, I came across a SecurityFocus article that said: > "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric > keypad" > > Additionally, the Google search I used > non-printable characters passwords > came up with more information about recovery and programs to avoid using > non-printable characters. > > Are there any other combinations? If I recall correctly, a SANS > instructor mentioned making use of the "Print Screen" key. > > Thanks in advance > > Scott Birl http://concept.temple.edu/sysadmin/ > Senior Systems AdministratorComputer Services Temple University > *******+******** > > --- > > > _ > > IMail Server has scanned this e-mail for Viruses and SPAM using > Declude Virus & Declude Junkmail available from www.Optrics.com > > _ > > IMail Server has scanned this e-mail for Viruses and SPAM using > Declude Virus & Declude Junkmail available from www.Optrics.com > > --- > -- James W. Meritt CISSP, CISA Booz | Allen | Hamilton phone: (410) 684-6566 ---
RE: Using non-printable characters in passwords
From: Meidinger Chris <[EMAIL PROTECTED]> I know you don't want to hear this, but remember that MS Windows NT or 2000 running in hybrid mode uses an NTLM hash to represent the password. This hash represents only 7 characters, meaning that if you have a 21 character password, it is really 3 consecutive 7 character passwords. Thus your 21 char pass is barely stronger than a 7 character password. For this reaason complexity is very important in windows, and not length. just a reminder for anyone in a windows environment who is setting password requirements. That's only correct if you're using LM and/or haven't made the registry change to get rid of the backwards compatibility mode. NTLM and NTLMv2 do not suffer from this problem. Chris Berry [EMAIL PROTECTED] Systems Administrator JM Associates "Q: How many software engineers does it take to change a lightbulb ? A: It can't be done; it's a hardware problem." _ MSN 8 with e-mail virus protection service: 2 months FREE* http://join.msn.com/?page=features/virus ---
RE: Using non-printable characters in passwords
Not quite; If you pass the 14 character margin, No LM hash will be stored of the password. 14 characters is its limit, so if you enforce a policy of 15 or greater you do not have to worry about it. _ Dave Kleiman [EMAIL PROTECTED] www.netmedic.net "High achievement always takes place in the framework of high expectation." Jack Kinder -Original Message- From: Chris Berry [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 12, 2003 16:55 To: [EMAIL PROTECTED] Subject: RE: Using non-printable characters in passwords >From: Meidinger Chris <[EMAIL PROTECTED]> >I know you don't want to hear this, but remember that MS Windows NT or 2000 >running in hybrid mode uses an NTLM hash to represent the password. This >hash represents only 7 characters, meaning that if you have a 21 character >password, it is really 3 consecutive 7 character passwords. Thus your 21 >char pass is barely stronger than a 7 character password. For this reaason >complexity is very important in windows, and not length. > >just a reminder for anyone in a windows environment who is setting password >requirements. That's only correct if you're using LM and/or haven't made the registry change to get rid of the backwards compatibility mode. NTLM and NTLMv2 do not suffer from this problem. Chris Berry [EMAIL PROTECTED] Systems Administrator JM Associates "Q: How many software engineers does it take to change a lightbulb ? A: It can't be done; it's a hardware problem." _ MSN 8 with e-mail virus protection service: 2 months FREE* http://join.msn.com/?page=features/virus --- ---
RE: Using non-printable characters in passwords
From: "dave kleiman" <[EMAIL PROTECTED]> Not quite; If you pass the 14 character margin, No LM hash will be stored of the password. 14 characters is its limit, so if you enforce a policy of 15 or greater you do not have to worry about it. That's true, but I wouldn't rely on that. It's pretty easy to disable the storing of the LM hash permanently. Chris Berry [EMAIL PROTECTED] Systems Administrator JM Associates "Q: How many software engineers does it take to change a lightbulb ? A: It can't be done; it's a hardware problem." _ Add photos to your messages with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail ---
Re: Using non-printable characters in passwords
-Original Message- From: Optrics Engineering - Shaun Sturby, MCSE [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2003 10:20 AM To: '[EMAIL PROTECTED]' Cc: 'Edmunds, Ron' Subject: RE: Using non-printable characters in passwords Hello Ron, This depends on the code page or character set used on your system but it doesn't really matter what code page you use for this trick as all you really want is to use characters on your system that are not in the common 'a-z' 'A-Z' '0-1' set. This causes John the Ripper or the @Stake password cracker take much longer to crack your password. That is if your hacker doesn't use the system recently reported that takes 13 seconds to compare, not generate and compare, your encrypted password to a pre-generated 1.7 GB list of all possible password hashes. Shaun P.S. Maybe I wasn't clear but the manifesto and hint listed below is not mine. I just did a Google search and forwarded what I thought was a good summary of this tip. Hi all, I must add these lines : Minimum Password Length Blank passwords and shorter-length passwords are easily guessed by password cracking tools. To lessen the chances of a password being cracked, passwords should be longer in length. Allowable values for this option are 0 (no password required) or between 1 and 14 characters. NOTE: In actuality, Windows 2000 and XP support passwords up to 127 characters long. A password longer than 14 characters has a distinct advantage in that the LanManager hash of the password is invalid with these longer passwords, and, therefore, cannot be exploited as it normally could by password-cracking utilities. Unfortunately, the security templates interface will not allow setting of minimum password length to be greater than 14. Also, if a network contains Windows 9x or Windows NT 4.0 or earlier computers, the maximum password length cannot exceed 14 characters since those computers do not support entering passwords that long in the UI. NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE:NOTE: NOTE:It is recommended that privileged users (such as administrators) have passwords longer than 12 characters. An optional method of strengthening administrative passwords is to use characters that are not in the default character sets. For example, Unicode characters 0128 through 0159 have two advantages: (1) they cause the LanMan hash to be invalid, and (2) they are not in the character set for any common password crackers. Be careful using Unicode characters, however. Certain Unicode characters, such as 0200 (È), get converted into other characters, in this example 0069 (E) and then hashed, effectively weakening the password. To enter these passwords, hold the ALT key and type the number on the numeric key-pad. On a notebook, hold down the FN and ALT keys and type the number on the overlay numeric keypad. 12 Characters - Babak from IRAN www.voidspace.org.uk/babak www.geocities.com/bmindex2000 ---
RE: Using non-printable characters in passwords
I know you don't want to hear this, but remember that MS Windows NT or 2000 running in hybrid mode uses an NTLM hash to represent the password. This hash represents only 7 characters, meaning that if you have a 21 character password, it is really 3 consecutive 7 character passwords. Thus your 21 char pass is barely stronger than a 7 character password. For this reaason complexity is very important in windows, and not length. just a reminder for anyone in a windows environment who is setting password requirements. badenIT GmbH System Support Chris Meidinger Tullastrasse 70 79108 Freiburg -Original Message- From: Birl [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 8:41 PM To: [EMAIL PROTECTED] Subject: Using non-printable characters in passwords Using cross-platform keyboards (SUN, Windows, Mac), how does one use non-printable characters in their passwords? Since I work cross-platform, I use only a limited number of characters while holding down the CTRL key. Whilst searching Google, I came across a SecurityFocus article that said: "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric keypad" Additionally, the Google search I used non-printable characters passwords came up with more information about recovery and programs to avoid using non-printable characters. Are there any other combinations? If I recall correctly, a SANS instructor mentioned making use of the "Print Screen" key. Thanks in advance Scott Birl http://concept.temple.edu/sysadmin/ Senior Systems AdministratorComputer Services Temple University *******+*******= ===* --- ---
Re: Using non-printable characters in passwords
One that throws people off for file names and directory names, especially in certain platforms, is ALT+255. :-) -- Regards, Tim Greer [EMAIL PROTECTED] Server administration, security, programming, consulting. - Original Message - From: "Birl" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, August 06, 2003 11:41 AM Subject: Using non-printable characters in passwords > Using cross-platform keyboards (SUN, Windows, Mac), how does one use > non-printable characters in their passwords? > > Since I work cross-platform, I use only a limited number of characters > while holding down the CTRL key. > > Whilst searching Google, I came across a SecurityFocus article that said: > "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric > keypad" > > Additionally, the Google search I used > non-printable characters passwords > came up with more information about recovery and programs to avoid using > non-printable characters. > > Are there any other combinations? If I recall correctly, a SANS > instructor mentioned making use of the "Print Screen" key. > > > Thanks in advance > > Scott Birl http://concept.temple.edu/sysadmin/ > Senior Systems AdministratorComputer Services Temple University > *******+*******= ===* > > -- - > -- -- > ---
Re: Using non-printable characters in passwords
Here is a listing of the alt keys. I think there are hundreds out there just like this. Maybe this will give you some of the keys, you are looking for. http://www.york.ac.uk/depts/maths/altchrc.htm JayW >>> [EMAIL PROTECTED] 08/07/03 12:25PM >>> Although I very much value the 4 responses I have received so far, I think I should clarify my original question better: Are there any other keys (or combination thereof) besides, CTRL or ALT, that can be used? Another question, it is possible to use CTRL + ALT +at the same time? Where, obviously, != DEL :p Third question: Any good docs on CTRL combinations? Right now Im limited to ^n (avoiding ^a ^c ^e ^h ^i ^j ^m ^q ^s ^u ^? etc. for obvious UNIX reasons) Thanks again. As it was written on Aug 6, thus I spake unto [EMAIL PROTECTED]: Previous post: Date: Wed, 6 Aug 2003 14:41:09 -0400 (EDT) Previous post: From: Birl <[EMAIL PROTECTED]> Previous post: Reply-To: [EMAIL PROTECTED] Previous post: To: [EMAIL PROTECTED] Previous post: Subject: Using non-printable characters in passwords Previous post: Previous post: Using cross-platform keyboards (SUN, Windows, Mac), how does one use Previous post: non-printable characters in their passwords? Previous post: Previous post: Since I work cross-platform, I use only a limited number of characters Previous post: while holding down the CTRL key. Previous post: Previous post: Whilst searching Google, I came across a SecurityFocus article that said: Previous post: "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric Previous post: keypad" Previous post: Previous post: Additionally, the Google search I used Previous post:non-printable characters passwords Previous post: came up with more information about recovery and programs to avoid using Previous post: non-printable characters. Previous post: Previous post: Are there any other combinations? If I recall correctly, a SANS Previous post: instructor mentioned making use of the "Print Screen" key. Previous post: Previous post: Previous post: Thanks in advance Previous post: Previous post: Scott Birl http://concept.temple.edu/sysadmin/ Previous post: Senior Systems AdministratorComputer Services Temple University Previous post: *******+******** --- ---
Re: Using non-printable characters in passwords
Although I very much value the 4 responses I have received so far, I think I should clarify my original question better: Are there any other keys (or combination thereof) besides, CTRL or ALT, that can be used? Another question, it is possible to use CTRL + ALT +at the same time? Where, obviously, != DEL :p Third question: Any good docs on CTRL combinations? Right now Im limited to ^n (avoiding ^a ^c ^e ^h ^i ^j ^m ^q ^s ^u ^? etc. for obvious UNIX reasons) Thanks again. As it was written on Aug 6, thus I spake unto [EMAIL PROTECTED]: Previous post: Date: Wed, 6 Aug 2003 14:41:09 -0400 (EDT) Previous post: From: Birl <[EMAIL PROTECTED]> Previous post: Reply-To: [EMAIL PROTECTED] Previous post: To: [EMAIL PROTECTED] Previous post: Subject: Using non-printable characters in passwords Previous post: Previous post: Using cross-platform keyboards (SUN, Windows, Mac), how does one use Previous post: non-printable characters in their passwords? Previous post: Previous post: Since I work cross-platform, I use only a limited number of characters Previous post: while holding down the CTRL key. Previous post: Previous post: Whilst searching Google, I came across a SecurityFocus article that said: Previous post: "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric Previous post: keypad" Previous post: Previous post: Additionally, the Google search I used Previous post:non-printable characters passwords Previous post: came up with more information about recovery and programs to avoid using Previous post: non-printable characters. Previous post: Previous post: Are there any other combinations? If I recall correctly, a SANS Previous post: instructor mentioned making use of the "Print Screen" key. Previous post: Previous post: Previous post: Thanks in advance Previous post: Previous post: Scott Birl http://concept.temple.edu/sysadmin/ Previous post: Senior Systems AdministratorComputer Services Temple University Previous post: *******+******** ---
RE: Using non-printable characters in passwords
-Original Message- From: Optrics Engineering - Shaun Sturby, MCSE [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2003 10:20 AM To: '[EMAIL PROTECTED]' Cc: 'Edmunds, Ron' Subject: RE: Using non-printable characters in passwords Hello Ron, This depends on the code page or character set used on your system but it doesn't really matter what code page you use for this trick as all you really want is to use characters on your system that are not in the common 'a-z' 'A-Z' '0-1' set. This causes John the Ripper or the @Stake password cracker take much longer to crack your password. That is if your hacker doesn't use the system recently reported that takes 13 seconds to compare, not generate and compare, your encrypted password to a pre-generated 1.7 GB list of all possible password hashes. Shaun P.S. Maybe I wasn't clear but the manifesto and hint listed below is not mine. I just did a Google search and forwarded what I thought was a good summary of this tip. -Original Message- From: Edmunds, Ron Sent: Thursday, August 07, 2003 9:35 AM To: 'Optrics Engineering - Shaun Sturby, MCSE' Subject: RE: Using non-printable characters in passwords What system are you typing these characters on? Alt-63 gives me ?.Alt-156 gives me £. -Original Message- From: Optrics Engineering - Shaun Sturby, MCSE Sent: Wednesday, August 06, 2003 5:30 PM To: [EMAIL PROTECTED] Subject:RE: Using non-printable characters in passwords Executive Summary: This manifesto is designed to give system administrators a better grasp on the importance of password security. It is also designed to help users understand the importance of choosing a strong password http://www.somorita.com/Networking/PasswordManifesto.asp Want to make it even stronger? The there are some characters that you can type but that don't exist on the keyboard. I call these ALT characters. You get these characters by holding down the ALT key and typing a code on the numeric keypad. For example, if I type ALT-156 I get ?. Pretty kewl, eh? And you can use that as a key combination as one of the characters in your password. Most password cracking programs never check those characters and if they did it would take them much longer to crack passwords. Some of the common ALT combinations are shown at the end of this document. -Original Message- From: Birl [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 12:41 PM To: [EMAIL PROTECTED] Subject:Using non-printable characters in passwords Using cross-platform keyboards (SUN, Windows, Mac), how does one use non-printable characters in their passwords? Since I work cross-platform, I use only a limited number of characters while holding down the CTRL key. Whilst searching Google, I came across a SecurityFocus article that said: "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric keypad" Additionally, the Google search I used non-printable characters passwords came up with more information about recovery and programs to avoid using non-printable characters. Are there any other combinations? If I recall correctly, a SANS instructor mentioned making use of the "Print Screen" key. Thanks in advance Scott Birl http://concept.temple.edu/sysadmin/ Senior Systems AdministratorComputer Services Temple University *******+******** _ IMail Server has scanned this e-mail for Viruses and SPAM using Declude Virus & Declude Junkmail available from www.Optrics.com ---
RE: Using non-printable characters in passwords
Birl, To your original question: It all depends on how the hash is being stored in your "cross-platform" situation. Microsoft's Unicode table often does not always map to the extended ASCII character representations of that particular character. What happens is although you type "ALT+somenumber" (on the number keypad) in the keyboard (extended ASCII character) it is immediately translated into the Unicode table representation of this. That is why many programs "user2sid", "Lopht" etc. cannot represent this character. Microsoft stores these in two separate strings; 1 is ANSI, 1 is Unicode. If the program is checking the ANSI string for username with "ALT+228 at the end it will not find it. (Same thing if it is in the password). Open Word go to insert symbol. Click on the v (square root symbol). Look at the bottom of the table it says "Character Code 221A from Unicode (Hex)" "Shortcut Key 221A, Alt+X. I bet you have to hit ALT+251 to reproduce it though. So your answer is "MAYBE". If the hash is passed along in Unicode from platform to platform and the Unicode tables match you may have a happy cross-platform password. For one software application it may work for another it might not. There is a short reference to it in a post I made a while back, please take a look at it. http://www.securityfocus.com/archive/88/312263 _ Dave Kleiman [EMAIL PROTECTED] www.netmedic.net -Original Message- From: Birl [mailto:[EMAIL PROTECTED] Sent: Thursday, August 07, 2003 13:26 To: [EMAIL PROTECTED] Subject: Re: Using non-printable characters in passwords Although I very much value the 4 responses I have received so far, I think I should clarify my original question better: Are there any other keys (or combination thereof) besides, CTRL or ALT, that can be used? Another question, it is possible to use CTRL + ALT +at the same time? Where, obviously, != DEL :p Third question: Any good docs on CTRL combinations? Right now Im limited to ^n (avoiding ^a ^c ^e ^h ^i ^j ^m ^q ^s ^u ^? etc. for obvious UNIX reasons) Thanks again. As it was written on Aug 6, thus I spake unto [EMAIL PROTECTED]: Previous post: Date: Wed, 6 Aug 2003 14:41:09 -0400 (EDT) Previous post: From: Birl <[EMAIL PROTECTED]> Previous post: Reply-To: [EMAIL PROTECTED] Previous post: To: [EMAIL PROTECTED] Previous post: Subject: Using non-printable characters in passwords Previous post: Previous post: Using cross-platform keyboards (SUN, Windows, Mac), how does one use Previous post: non-printable characters in their passwords? Previous post: Previous post: Since I work cross-platform, I use only a limited number of characters Previous post: while holding down the CTRL key. Previous post: Previous post: Whilst searching Google, I came across a SecurityFocus article that said: Previous post: "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric Previous post: keypad" Previous post: Previous post: Additionally, the Google search I used Previous post:non-printable characters passwords Previous post: came up with more information about recovery and programs to avoid using Previous post: non-printable characters. Previous post: Previous post: Are there any other combinations? If I recall correctly, a SANS Previous post: instructor mentioned making use of the "Print Screen" key. Previous post: Previous post: Previous post: Thanks in advance Previous post: Previous post: Scott Birl http://concept.temple.edu/sysadmin/ Previous post: Senior Systems AdministratorComputer Services Temple University Previous post: *******+*******= ===* --- ---
RE: Using non-printable characters in passwords
Here's a list of the ALT+XXX possible characters: http://everything2.com/index.pl?node_id=649957 The list also gives the Mac and HTML ways to do these chars. Manuel Lanctot Novalis, Bayard Press > -Message d'origine- > De : Birl [mailto:[EMAIL PROTECTED] > Envoye : 6 aout, 2003 14:41 > A : [EMAIL PROTECTED] > Objet : Using non-printable characters in passwords > > > Using cross-platform keyboards (SUN, Windows, Mac), how does one use > non-printable characters in their passwords? > > Since I work cross-platform, I use only a limited number of characters > while holding down the CTRL key. > > Whilst searching Google, I came across a SecurityFocus article that said: > "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric > keypad" > > Additionally, the Google search I used > non-printable characters passwords > came up with more information about recovery and programs to avoid using > non-printable characters. > > Are there any other combinations? If I recall correctly, a SANS > instructor mentioned making use of the "Print Screen" key. > > > Thanks in advance > > Scott Birl > http://concept.temple.edu/sysadmin/ > Senior Systems AdministratorComputer Services > Temple University > *******+*****= > ===*** > > -- > - > -- > -- > > ---
RE: Using non-printable characters in passwords
Executive Summary: This manifesto is designed to give system administrators a better grasp on the importance of password security. It is also designed to help users understand the importance of choosing a strong password http://www.somorita.com/Networking/PasswordManifesto.asp Want to make it even stronger? The there are some characters that you can type but that don't exist on the keyboard. I call these ALT characters. You get these characters by holding down the ALT key and typing a code on the numeric keypad. For example, if I type ALT-156 I get ?. Pretty kewl, eh? And you can use that as a key combination as one of the characters in your password. Most password cracking programs never check those characters and if they did it would take them much longer to crack passwords. Some of the common ALT combinations are shown at the end of this document. -Original Message- From: Birl [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 06, 2003 12:41 PM To: [EMAIL PROTECTED] Subject: Using non-printable characters in passwords Using cross-platform keyboards (SUN, Windows, Mac), how does one use non-printable characters in their passwords? Since I work cross-platform, I use only a limited number of characters while holding down the CTRL key. Whilst searching Google, I came across a SecurityFocus article that said: "hold down the ALT key while pressing the 1,2, and 9 keys on the numeric keypad" Additionally, the Google search I used non-printable characters passwords came up with more information about recovery and programs to avoid using non-printable characters. Are there any other combinations? If I recall correctly, a SANS instructor mentioned making use of the "Print Screen" key. Thanks in advance Scott Birl http://concept.temple.edu/sysadmin/ Senior Systems AdministratorComputer Services Temple University *******+******** --- _ IMail Server has scanned this e-mail for Viruses and SPAM using Declude Virus & Declude Junkmail available from www.Optrics.com _ IMail Server has scanned this e-mail for Viruses and SPAM using Declude Virus & Declude Junkmail available from www.Optrics.com ---
