Passwords coming out of my ears

technomage plug-discuss@lists.plug.phoenix.az.us
Wed, 14 May 2003 16:45:53 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gee,
I use "John the Ripper" here for password testing. All the ALT characters are 
included (at least the ones I manually input). I also included charsets from 
every language that Linux can support. You never know when they might be 
needed.

Besides, if any cracker is worth his salt, he will have done the same thing.

Mage

On Wednesday 14 May 2003 01:01 pm, Dorian A. Monroe, II wrote:
> On machines or systems where things are a bit sensitive, I sometimes throw
> in an alt-character.  Something like these...
>
> Alt-157 =>  ¥
> Alt-154 =>  Ü
> Alt-787 =>  ‼
>
> Hold down the Alt key, type "157" on the number pad, release the Alt key. 
> These characters don't fall within the character sets that most (any?)
> brute-force password crackers check, therefore they will never be cracked.
>
> Test it to be sure it works through all methods that you'll be accessing
> that system though!  Sometimes, it's just not easy or possible to enter
> those characters through some OS'en or terminal emulators.  :)
>
> > From: Jeffrey Pyne <jpyne@worldatwork.org>
> > Date: 2003/05/14 Wed PM 02:32:32 EDT
> > To: "'plug-discuss@lists.plug.phoenix.az.us'"
> > <plug-discuss@lists.plug.phoenix.az.us> Subject: RE: Passwords coming out
> > of my ears
> >
> > On Tuesday, May 13, 2003 10:41 PM, foodog wrote:
> > > For secure passwords, two suggestions to start with: 1,
> > > learn to write in 1337 (Leet), 2, choose a passphrase
> > > and misspell it in leet. Combine those techniques with
> > > a host-specific prefix or suffix and you're on the road
> > > to using good passwords.
> >
> > I do something pretty similar to this.  I take my base 37337 password
> > (e.g. "I love pie." ==> "! 1Uv p!3."), and prepend the first character of
> > the hostname or domain name in lowercase and postpend (?) the last
> > character of the hostname or domain name in uppercase.  So my password to
> > www.hotmail.com (if I had one) would be "h! 1Uv p!3.L", and my logon to
> > appserver would be "a! 1Uv p!3.R".  So, you would have a different
> > password for every web site or host, but you'd really only have to
> > remember one.
> >
> > I used to feel good about this scheme until I read on l0phtcrack's site:
> >
> > "Consider that at one of the largest technology companies, where policy
> > required that passwords exceed 8 characters, mix cases, and include
> > numbers or symbols...
> >
> > * L0phtCrack obtained 18% of the passwords in 10 minutes
> > * 90% of the passwords were recovered within 48 hours on a Pentium II/300
> > * The Administrator and most Domain Admin passwords were cracked"
> >
> > So what is a "good" password, really?  Does anyone have an example of a
> > password that would not be easily cracked by a tool such as l0phtcrack?
> >
> > ~Jeff
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change  you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

- -- 
I will not be pushed, filed, stamped, indexed, briefed, debriefed, or 
numbered!
My life is my own - No. 6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+wtUyn/usgigAaLcRAsSsAJ9QIrAUM0G4PcTefv+DC7aK6bf9xgCfUaJY
W6Y6FIZIk15r8OuT52K6JOY=
=AZQD
-----END PGP SIGNATURE-----
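As an added illustration (example code, not something posted by any participant in this thread), the small Python estimator below makes the exchange's point measurable: it classifies a password by the smallest attacker charset that covers it, computes the exhaustive-search work in bits, and reproduces Jeff's host-derived prefix/suffix scheme to show that the two affix characters add nothing once an attacker knows the scheme. The charset sizes (26, 62, 95, 191) and the four model tiers are assumptions chosen for illustration; a real cracker's configured charset, as Mage notes, may well include Latin-1 and other language tables, so the "latin1_printable" tier is the relevant one for characters such as ¥.

```python
"""Keyspace estimator for the password schemes discussed in the thread.

Added example; the charset models are assumptions, not any tool's real configuration.
"""
import math


# Assumed attacker charset models, smallest first: (name, membership test, alphabet size)
def _is_lower(c):
    return "a" <= c <= "z"


def _is_ascii_alnum(c):
    return ord(c) < 128 and c.isalnum()


def _is_printable_ascii(c):
    return 0x20 <= ord(c) <= 0x7E


def _is_latin1_printable(c):
    # printable ASCII plus the Latin-1 supplement (U+00A0..U+00FF), which contains ¥ and Ü
    return _is_printable_ascii(c) or 0xA0 <= ord(c) <= 0xFF


CHARSET_MODELS = [
    ("lowercase", _is_lower, 26),
    ("ascii_alnum", _is_ascii_alnum, 62),
    ("printable_ascii", _is_printable_ascii, 95),
    ("latin1_printable", _is_latin1_printable, 95 + 96),
]


def covering_model(password):
    """Smallest assumed attacker charset containing every character of `password`.

    Returns (name, alphabet_size); characters outside Latin-1 (e.g. U+203C "‼")
    fall through to ("beyond_latin1", None).
    """
    for name, member, size in CHARSET_MODELS:
        if all(member(c) for c in password):
            return name, size
    return "beyond_latin1", None


def brute_force_bits(password, alphabet_size=None):
    """Bits of work to exhaust len(password) positions over the given alphabet.

    With alphabet_size=None the smallest covering model is used, i.e. an attacker
    who guessed the character classes correctly.
    """
    if alphabet_size is None:
        _, alphabet_size = covering_model(password)
        if alphabet_size is None:
            raise ValueError("no assumed charset model covers this password")
    return len(password) * math.log2(alphabet_size)


def host_specific(base, hostname):
    """Jeff's scheme as described in the thread: first character of the host or
    domain name in lowercase prepended, last character in uppercase appended."""
    return hostname[0].lower() + base + hostname[-1].upper()


def scheme_comparison(base, hostname):
    """(bits if the affix is treated as two random characters,
        bits if the attacker knows the scheme).

    The second value is just the base password's bits: both affix characters are
    fixed by the hostname, so knowing the scheme removes them from the search.
    """
    derived = host_specific(base, hostname)
    return brute_force_bits(derived), brute_force_bits(base)


if __name__ == "__main__":
    base = "! 1Uv p!3."  # Jeff's example base password from the thread
    for pw in (base, host_specific(base, "hotmail"), "pie\u00a5", "pie\u203c"):
        name, size = covering_model(pw)
        bits = brute_force_bits(pw) if size else float("nan")
        print(f"{pw!r:18} model={name:17} alphabet={size} bits={bits:.1f}")
    naive, known = scheme_comparison(base, "hotmail")
    print(f"affix counted as random: {naive:.1f} bits; scheme known: {known:.1f} bits")
```

Running it shows the base password sits in the 95-character model at about 65.7 bits, the host-specific variant looks like 78.8 bits only if the affix is treated as random, and a ¥ lands in the Latin-1 tier that a cracker configured the way Mage describes already searches.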