Passwords coming out of my ears

Dorian A. Monroe, II plug-discuss@lists.plug.phoenix.az.us
Wed, 14 May 2003 16:01:32 -0400


On machines or systems where things are a bit sensitive, I sometimes throw in an alt-character.  Something like these...

Alt-157 =>  ¥
Alt-154 =>  Ü
Alt-787 =>  ‼

Hold down the Alt key, type "157" on the number pad, release the Alt key.  These characters don't fall within the character sets that most (any?) brute-force password crackers check, therefore they will never be cracked.


Test it to be sure it works through all methods that you'll be accessing that system though!  Sometimes, it's just not easy or possible to enter those characters through some OS'en or terminal emulators.  :)



>
> From: Jeffrey Pyne <jpyne@worldatwork.org>
> Date: 2003/05/14 Wed PM 02:32:32 EDT
> To: "'plug-discuss@lists.plug.phoenix.az.us'" <plug-discuss@lists.plug.phoenix.az.us>
> Subject: RE: Passwords coming out of my ears
>
> On Tuesday, May 13, 2003 10:41 PM, foodog wrote:
>
> > For secure passwords, two suggestions to start with: 1,
> > learn to write in 1337 (Leet), 2, choose a passphrase
> > and misspell it in leet. Combine those techniques with
> > a host-specific prefix or suffix and you're on the road
> > to using good passwords.
>
> I do something pretty similar to this.  I take my base 37337 password (e.g.
> "I love pie." ==> "! 1Uv p!3."), and prepend the first character of the
> hostname or domain name in lowercase and postpend (?) the last character of
> the hostname or domain name in uppercase.  So my password to www.hotmail.com
> (if I had one) would be "h! 1Uv p!3.L", and my logon to appserver would be
> "a! 1Uv p!3.R".  So, you would have a different password for every web site
> or host, but you'd really only have to remember one.
>
> I used to feel good about this scheme until I read on l0phtcrack's site:
>
> "Consider that at one of the largest technology companies, where policy
> required that passwords exceed 8 characters, mix cases, and include numbers
> or symbols...
>
> * L0phtCrack obtained 18% of the passwords in 10 minutes
> * 90% of the passwords were recovered within 48 hours on a Pentium II/300
> * The Administrator and most Domain Admin passwords were cracked"
>
> So what is a "good" password, really?  Does anyone have an example of a
> password that would not be easily cracked by a tool such as l0phtcrack?
>
> ~Jeff
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
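
Added example (not part of the original messages): a check of why a password containing one of the Alt characters above has to be tested through every access method, since each login path may encode the same character to different bytes or not be able to encode it at all. The list of encodings, the sample password "pie" plus the character, and SHA-256 as a stand-in for the server's password hash are assumptions.

```python
import hashlib

# Characters from the message above, keyed by the Alt code given there.
ALT_CHARS = {"Alt-157": "\u00a5", "Alt-154": "\u00dc", "Alt-787": "\u203c"}

# Encodings a login path might use for typed input (assumed set).
ENCODINGS = ("cp437", "cp1252", "latin-1", "utf-8")


def wire_bytes(password, encoding):
    """Bytes a client using `encoding` would send, or None when the
    password has no representation in that encoding."""
    try:
        return password.encode(encoding)
    except UnicodeEncodeError:
        return None


def digest(password, encoding):
    """SHA-256 of the encoded password, a stand-in for the server's
    real password hash; None when the password is unrepresentable."""
    raw = wire_bytes(password, encoding)
    return None if raw is None else hashlib.sha256(raw).hexdigest()


def compatibility_report(password, enrolled_with):
    """Compare every encoding against the digest stored at enrollment."""
    stored = digest(password, enrolled_with)
    if stored is None:
        raise ValueError(f"cannot set this password via {enrolled_with}")
    report = {}
    for enc in ENCODINGS:
        d = digest(password, enc)
        if d is None:
            report[enc] = "unrepresentable"  # cannot be typed at all
        else:
            report[enc] = "match" if d == stored else "mismatch"
    return report


if __name__ == "__main__":
    for alt, ch in ALT_CHARS.items():
        sample = "pie" + ch  # constructed sample password
        enrolled = "utf-8" if ch == "\u203c" else "cp437"
        # Python's cp437 codec treats byte 0x13 as a control character,
        # so the double-exclamation glyph is enrolled via UTF-8 here.
        print(alt, repr(ch), enrolled, compatibility_report(sample, enrolled))
```

A "mismatch" means the login path accepts the keystroke but sends bytes that no longer hash to the stored value; "unrepresentable" means that path cannot send the character at all.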