Securing Passwords with the upper ascii characters

"One of the SNP viewers took time to write and share with us an improved clarification on Microsoft's description on creating strong passwords. In the Microsoft OpenHack guide MS said :

"For maximum security, the password should be composed of characters from all
four groups as well as from characters generated using the ALT key. By
creating passwords from these sets that are at least eight characters long,
you minimize the chances that an attacker will be able to deduce your log-in
credentials. This is the approach we took with each of the servers in our
OpenHack solution and one that we highly recommend."

What they fail to mention is all letters and numbers on they keyboard can be rendered by this method. For example an alt-65 will create an upper-case "A". If you think you are being sneaky by creating "Be(alt-65)r!", all you've done is type in "BeAr!" the hard way. The ASCII table has 256 characters (0-255) in it. Most alt-nnn combinations will print some type of character, or move the curser (alt-1 produces a smiley face on most systems, OS and application dependent). Others will produce letters, numbers, or special characters). The ones that are most useful are the numbers above 128 all the way up to 255 (alt-300 is like typing alt-45, alt-255 is a space character that is very different from the space key character). We used to build text menus out of the characters in this range.

If you are attempting to beat something like L0phtcrack, you'll want to insert the high ASCII character somewhere in the first 7 characters of the password.

If you put in the 8th spot and use a dictionary or hybrid word in the first 7 spots, L0phtCrack will simply crack the first part, leaving the operator to guess what that last character might be.

It won't totally defeat L0phtcrack, but it certainly raises the smarts bar and computing power required to crack it.
It's a good point that our reader raised and I thought it was worth sharing with everyone...".

(I thought it was pretty neat, too!). Pete

 

I just spent an hour on a reply - and lost it. I'm not going to write it again but to say the above scenario - if I understand it correctly - is a very dangerous game. Encryption is something you cannot play games with.

If I understood it correctly, ( and PLEASE correct me if I am wrong) I thought I read the idea of an eight character password, with the first seven characters being a dictionary word, and the eighth character the real protection. Considering a dictionary cracker could crack the seven word dictword in no time at all, he then switches to a character plower and in the first pass - and in less than 15-30 seconds plowing a standard English keyboard - bingo! For all practical purposes, to even the neophyte cracker, he only had to break a one character password!

First of all, the "gimme" of the dictionary word violates one of the crucial rules of cryptography: the psychological. You don't want to ever allow him/her any success at all. The cracking of the dictword only emboldens the cracker psychologically, gets his adrenaline flowing and the excitement of a victory in the battle is a psychological victory for the cracker. The idea is to frustrate the cracker at every turn, psychologically wear him down, and DESTROY his confidence to the point where he surrenders. Passphrase: secure.

I may have misunderstood, and I hope I did. I don't know everything there is to know about cryptography - it's a science of continual learning. However, if I did understand the post from the reader to Pete correctly - it's horrible advice and given time to think about it, I think Pete will agree.

I had "What Makes a Good Passphrase" and more written for a sticky - but it will have to wait until another day.

All the best,
John
Luv2BSecure

 

I used an apostrophe in my password when I first signed up for hosting at my present web host. Apparently linux didn't like that, because it crashed their entire server.

oops

I'd like to use non alpha-num characters in passwords, but it causes problems when I do.

 

Why do you need an non-alphanumeric character in a password? Who is going to guess that IwcnxCCbnK77 is my password? (I don't have a password like that, just made it up.)

 

John, I took the liberty of re-arranging the post and italicizing and bolding the important parts of the way it was (I think) meant to be read.

The actual posting was from here: http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanU%2edb&command=viewone&id=51&op=t .

Pete

 

It's funny how you can read something several times and think you understand what it said. With your italicizing and bolding, it makes sense now. He was basically saying the same thing as I was - I think. Just as long as one never uses a dictionary word (in any language of course).

Thanks for making it clear. Next time, Pete, could you please put it in story form? You know, maybe use characters like, oh, Dick and Jane? Add pictures? Big print?

John
Luv2BSecure

 

I lurk here now and then to read new posts on encryption issues. I was in the United States Army assigned to the National Cryptologic School in Fort Meade (Maryland). It's interesting to read about the latest tools used in the field. There are not many sites that even discuss it. I subscribe to a few of the key bulletins, a few newsgroups and a list here and there. I believe encryption is the one thing consumers still don't have a grasp of yet, and that's too bad.

I really just wanted to say that all of you are lucky to have someone like John "Love2bsecure" as a part of your forum. Most of what I read in forums and on the Internet as a whole is full of silliness when it comes to cryptography. It is clear to me that this man knows of what he speaks. The password (we called them code words in the Army) post that is in this group several posts above mine should be required reading by all. He is not only right, he is so solid it is clear he has some training in the field. I have read other posts related to crypto by this man and I can spot a professional. Maybe he is self taught but I would be surprised. Listen to him. The post I just read was the words of someone who knows crypto.

I have one question that I am curious about. Why don't any of the security forums have a dedicated encryption room or whatever they are called within the forums? Maybe this is something you fine people could consider.
J.B.
Dar es Salaam, Tanzania
--------------------
http://www.tanzania-web.com/towns/home.htm

 

I should leave this to John (especially after Jason B's endorsement) but it seems to me that first of all, it's not a matter of 'guessing'. A relatively inexpensive password cracking program, set on brute strength, would not so much 'guess', as dissect your passphrase, and apparently according to the routines those types of programs use, non-alpha characters kick the cracking into a higher degree of difficulty. It must be based on the laws of probability and once you include the additional variables of those characters, you increase, exponentially, the difficulty in cracking the phrase. At least, that's how it makes sense to me. (But John or Jason the Lurker, feel free to jump in and lop off my logic any time.)
sk

 

Errr....... Because..... I have to .... because THEY want to get in .... and I don't want THEM getting access to all my secret ... ummm stuff............ http://www.spywareinfoforum.com/images/unsure.gif

........ yeah...

[me=Mike Healan]adjusts his tin foil hat ......[/me]

 

Wow. Well, thank you J.B....I appreciate your comments. To answer your curiosity, yes, I was professionally trained. I wish you would email me and we can "talk." I went to school in the UCal system and spent three years at UC Davis in the Computer Security Laboratory. A good program still going strong. I narrowed my field of interest to cryptography the first 3 months I was there. Please drop me an email - I appreciated your kind comments.

Yeah, SK, pretty good. Mostly though, it's a prevent against the most common of encryption crack attempts: the dictionary attack. Actually, Windows password cracking software such as L0phtCrack is fairly weak. It has limitations that true-blue cracking software does not have. Most code cracking takes place with Unix and there are two MAJOR programs that can do 1000 times more than L0phtCrack. They are Crack 5 and John the Ripper. Windows has no equal. With Crack 5 you're looking at a 100,000 word dictionary looking at words regularly, reversed, mirrored, every which way but loose. A dictionary word password with Crack 5 would take one second to crack with a P3 500mhz or above. With these Unix crackers, you can look at foreign dictionaries every which way, include them all in the dictionary attack and if it's a seven word password in Greek, you're looking at 7-10 seconds. So, you can see, the use of non-alphanumeric characters complicates things immensely as the location of the NANC in the string is unknown and lengthens the process sometimes by hours, sometimes by weeks, months, or many years.

But people are learning and dictionary attacks are giving way to Brute Force requiring A LOT of computing power which makes today's encryption so much better than just a few years ago; mainly because of the progress made in plugging that weakest link: the end-user. A brute force attack against a password with just a couple of random @#$%^&*()_+ (take your pick) will usually render the passphrase unbreakable for the foreseeable future.

Edit to add a qualifier: The last paragraph assumes you don't use encryption that is "proprietary" "secret" "novel" "our own encryption that's never been cracked," etc. The last paragraph assumes using an algorithm that was a Round-Two NIST finalist, plus a couple of others.
FYI: NIST finalists were:
TwoFish
Serpent
RC6
Mars
and the AES winner was Rijndael. Which you will hear a lot about. BTW, it is pronounced "Rain Doll".....I would add PGP, Blowfish and of course, Triple-DES is always safe. Oh, heck then there's always CAST, IDEA, even the old Soviet Union's Gost (modified since Russia released the source code) is very good. But, NO proprietary algorithms ever!

John
Luv2BSecure

 

Hey, Mike:

Make sure it's pointed toward the Southeast!

John

btw, you know what they're saying about cell phones. Wonder what the medical research says about those tin foil hats? Be careful out there and limit your exposure!
But I understand ..... gotta keep that STUFF away from THEM!

 

since the character set is larger when non-alphanumeric charaters are included, brute force checkers take far longer to crack passwords.

eg:

with an 8 digit password and a 62 character set (26 lower case + 26 upper case+ 10 numbers = 62)

we get 8 ^ 62 = 218,340,105,584,896 or 218 trillion possible passwords

adding some non- alphanumeric mumbo-jumbo into the mix:

!@#$%^&*()_+-=`~|\[]{};:'",.<>/? like these 32 easy ones because they exist on a modern keyboard increases our set to 94, therefore:

94 ^ 8 = 6,095,689,385,410,816 or 6 quadrillion possible passwords

which is 28 times more solutions, and therefore 28 times longer to crack. So a password that used to take a day to crack, now takes a month (well February anyhow)

These may seen like big numbers until you check what even a moderate modern pc can do in regards to calculation sper second, then it doesn't seem very impossible at all. In fact it is PROBABLE your password will be cracked if the cracker can "work on it at home"

The chracker must use the big set to check for the extra chars even if there isn't any in the password. Also, if he/she wants to speed up the proccess and only check alphanumeric, he will not crack the password at all if it contains the special characters.

 

Hey, John. I was actually referring to LC4, the "evolved version" of L0phtCrack, according to the developer. Is LC4 closer to the ones you mentioned, or closer to L0phtCrack?

sk

 

John - just for edification: I'm trying to place this in some kind of context, primarily in the context of which is the more secure of the two, Unix and Windows, and logistically, what is actually going on here process-wise. Are you saying that the superior programs are Unix-based programs attacking Windows programs/coded passphrases, or Unix-based programs attacking Unix programs/coded passphrases? I'm sure that question really doesn't make much sense; probably because it's a direct result of total unfamiliarity with what you've described. But I'd still like to try to understand it as best I can. TIA.

sk

 

Allan, Pretty good!

Except..... please explain your second to last paragraph. Nobody is going to be cracking the new AES in their home or anywhere else for that matter (assuming a quality passphrase was employed). Not in our lifetime anyway with current technology.

SK: @stake is proud of LC4 - I still think it is not the robust software it claims to be. But, remember, you're getting into water cooler talk. Ten people can have ten opinions they can argue ten different ways for ten days.

No, JTR is available as a Windows app, but it's real reason for living is to crack lame UNIX passwords - period.

Bottom line: quality passphrase, quality algorithm = unbreakable (for all practical purposes). Never say never, but if the new AES - or even one of the candidates were to be broken it would make headlines in mathmetical, science, and tech letters and journals the world over. Just some guy hangin' out at home with a few computers will not be cracking the encryption - period. Now, a kiddie cracker using other exploits to retrieve information and "break" into a computer system? Sure. But he's not getting through strong encryption.

If you get REALLY interested, Applied Cryptography is available online. Good stuff! The BIBLE.

John
Luv2BSecure

 

No doubt, John. But would you categorize it closer to the higher end, lower end, or middle or the programs you give high marks for? Just curious. TIA.

sk

 

John: I wasn't referring to AES in particular. Brute force doesn't care about algorithms because it doen't try to break them. Brute force tries every possible password; algorithms are irrelevant to brute force.

Relevant issue s for brute force are:

length of password
size of character set
inconspicuous access (a trillion failed hits to a ssh server will be noticed!)

"Taking it home" refers to someone who obtains a copy of a file containing encrypted passwords (like the OS systems password file for instance) and has a program that uses the file to authenticate guesses. both windows and *nixes have them and they can be copied, taken home and brute forced, then the individual who did this can now log in a admin/root.

At no point was the alorithm itself analyzed or deconstructed (like you would try if you wanted to defeat the encryption ntirely as opposed to bypassing it) brite force merely guesses a password, then uses it to bypass the security.

I hope that clarifies my previous statement. Indeed, current encryption uses prime numbers that have over 4 million digits in the algorithms. This is not script kiddie stuff. This is university proffessor stuff.

 

using all 255 ascii codes with a generous 14 character password like I would use:

255 ^ 14 = 4.9154414350646441771130432128906e+33

a truly large number of possiblilities. One of the main rerasons you are always told to change your password regularly, so that by the time this thing gets done, you have changed your password 10 times. Brute force is useless if it cannot crack a password before you change it again.

The last office I worked at, I did a password strength test and obtained 95% of the company employee's passwords in under 4 minutes.

 

Hello,

I have a simple question, would setting an attempt lockout feature to 3 tries defeat a brute force password program?

Loki

 

most systems have rules regarding sequential failures. My university account allows 3 failed ssh connection attempts, then disables remote access for a half an hour. This is a scripted response and could have been anything. I once put the wrong code in 3 times at a bank machine and the machine ate my card (then mailed it to me).

Brute force has many drawbacks other than time, namely, a conspicuous nature. Brute force attemps are not normally feasable unless the attacker can obtain a copy of the password file, and pound on it at home, then return with an obtained password. This means that the attacker might be an insider (the most common) or the attacker gained access through an exploit and was able to obtain the password file. This is less likely since, in this case, the attacker has no immediate need for a password (he is alread in). Sometimes an exploit becomes known, and an attacker will obtain the password file because he/she knows the exploit will be patched sooner or later, and will no longer have access via the exploit. So the password file is obtained "while the gettin' is good" Using an obtained password is also stealthier than changing the root/admin password when you have the chance. (the real admin will notice that!)

Bad thing about brute force is that any idiot can do it. 99% of brute force attacks are done by people who couldn't code their way out of a wet paper bag.

 

So given what you've just said, how would that answer loki's question? (tia)
sk

 

that depends