From: dave kleiman (dave@isecureu.com)
Date: Sun Sep 18 2005 - 17:08:43 EDT
Craig,
Are you suggesting they have a Unicode/extend ASCII table hidden from use?
How about we try possibly forcing Unicode character:
if(strInList(szPwd,aBadWords))
bComplex = FALSE;
if(cchPassword > 9){
for(i = 0; i < cchPassword ; i++){
if(szPwd[i] & C1_DIGIT) { dwNum = 1; continue; }
if(szPwd[i] & C1_UPPER) { dwUpper = 1; continue; }
if(szPwd[i] & C1_LOWER) { dwLower = 1; continue; }
if(szPwd[i] & C1_SYMBOL) { dwSym = 1; continue}
if(isUnicode(szPwd[i])) {dwUnicode = 1; continue}
}
if(bUserIsAdmin){ //Admins need better passwords than users
if ((dwNum + dwUpper + dwLower + dwSym + dwUnicode == 5) &&
cchPassword>14)
bComplex = TRUE;
}
else { //User is not an admin, use lower requirements
if(dwNum + dwUpper + dwLower + dwSym + dwUnicode) >= 4)
bComplex = TRUE;
}
I will see if I can find more info for you.
Dave
> -----Original Message-----
> From: Craig Wright [mailto:cwright@bdosyd.com.au]
> Sent: Sunday, September 18, 2005 16:55
> To: dave kleiman; pen-test@securityfocus.com
> Cc: Anders Thulin; bryan allott; compuwar@gmail.com; Peter Parker
> Subject: RE: Whitespace in passwords
>
> Please note I was pointing to the "success rates" table for NTLM
>
> The lowest is 80.19% as it stands. This is not all the tables
> are precomputed, but there is still an 80+ % crack rate (and
> this is growing)
>
> Further - this is not the only table source. Further - there
> is no manner in which you will enforce extended passwords. As
> I initially stated - the issue is in protecting the password
> and stopping a copy from being tested. There are means
> available to do this. If you are still on NT 4.0 - than it is
> time to upgrade.
>
> The success rate is 80.19% for "alpha numeric symbol 32
> space" - this is EVERYthing in NTLM - not just space or
> extended - the table is 53% derived- but if you read further
> - this equates to an 80.19% crack rate.
>
> Remember there is a user at the other end - they have to
> remember. Please explain how a user will enter and remember a
> passphrase such as "S%'beep'('Smiley face'?G$" - where ' '
> encloses extended chars
>
> Craig
>
> -----Original Message-----
> From: dave kleiman [mailto:dave@isecureu.com]
> Sent: Mon 19/09/2005 5:49 AM
> To: pen-test@securityfocus.com
> Cc: 'Anders Thulin'; 'bryan allott'; Craig Wright;
> compuwar@gmail.com; 'Peter Parker'
> Subject: RE: Whitespace in passwords
>
>
>
>
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:55 EDT