Passwords with control characters

Ronnie Kon ronnie at mindcraft.com
Tue Apr 16 04:17:09 AEST 1991


In article <1991Apr11.135940.8717 at athena.mit.edu> jik at athena.mit.edu (Jonathan I. Kamens) writes:
>In article <26522 at adm.brl.mil>, IFAC%SNYCENVM.BITNET at cornellc.cit.cornell.edu ( FRANK CALLUCCI) writes:
>
>|> and there would be no way that anyone could decode it.
>
>  This, however, is not true.  Although most password crackers use a search
>space that does not include control characters, there is absolutely no reason
>why control characters cannot be added to the search space.

Case in point, as I am a security fascist, I wanted to make sure that people
were choosing passwords which were not going to be decodable, so I wrote a 
program which would go through /usr/dict/words and, for each word, would
try it, it with a number of common prefixes and suffixes, it with various
digits or punctuation marks before and after, with each letter in turn changed
to a capital and control character.  This approach took on the order of two
weeks to run on a Microvax II at priority 20 (as a practical matter, that meant
running only at night).  On my current machine (a RIOS 6000) I would expect
the whole process to run in under 48 hours.

The advantage of using control characters or punctuation marks is that it
requires a much longer search.  But it is far from uncrackable.

Best advice I ever heard was to come up with an eight-word phrase and use
its initials as your password.  Thus "To be, or not to be.  That is" yields
the password "tbontbti" which is about as difficult to crack as anything,
and yet is easy to remember.

				Ronnie


-------------------------------------------------------------------------------
Ronnie B. Kon                         |
kon at groundfog.stanford.edu            |    "I like that everyone becomes food."
...!{decwrl,ames}!mindcrf!ronnie      |               -- Hobbes
-------------------------------------------------------------------------------
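
An added example, not part of the original post: the same mangling rules turned around into a check at password-change time, so a password that is only a decorated dictionary word is rejected before it is ever set. The word list, the prefix and suffix lists, and all function names are assumptions made for illustration; the check also generalizes slightly by stripping any run of leading or trailing digits and punctuation.

```python
import string

# Constructed sample data; a real check would load a system word list such as
# the /usr/dict/words file the post mentions.
WORDS = {"secret", "wizard", "dragon", "view", "password"}
PREFIXES = ("un", "re", "pre")        # assumed examples of "common prefixes"
SUFFIXES = ("s", "ed", "ing", "er")   # assumed examples of "common suffixes"
DECORATION = string.digits + string.punctuation


def normalise(password):
    """Undo capitalisation and map Ctrl-A..Ctrl-Z (0x01-0x1a) back to a..z."""
    out = []
    for ch in password:
        code = ord(ch)
        if 1 <= code <= 26:
            ch = chr(code + 0x60)     # a control character is its letter minus 0x60
        out.append(ch.lower())
    return "".join(out)


def stems(core):
    """Yield core itself, then core with one prefix and/or one suffix removed."""
    heads = [core] + [core[len(p):] for p in PREFIXES if core.startswith(p)]
    for head in heads:
        yield head
        for suffix in SUFFIXES:
            if head.endswith(suffix) and len(head) > len(suffix):
                yield head[:-len(suffix)]


def is_dictionary_derived(password, words=WORDS):
    """True if the password reduces to a dictionary word under the rules above."""
    core = normalise(password).strip(DECORATION)   # drop digits/punctuation at both ends
    return any(stem in words for stem in stems(core))


if __name__ == "__main__":
    # Constructed candidates: decorated words, one with a control character, and
    # the phrase-initials password from the post.
    for candidate in ("Secret7", "wi\x1aard", "!dragons", "review", "tbontbti"):
        verdict = "reject" if is_dictionary_derived(candidate) else "accept"
        print(repr(candidate), verdict)
```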



More information about the Comp.unix.wizards mailing list