Say what?? Some special characters are better than others for passwords.

When an attacker gets a password hash, they need to pick which charset to use to crack it. Some people say there are only 4 categories: lower alpha, upper alpha, numbers, and special characters. However brute-force password crackers like Cain, and more advanced cracking tools like rainbowtables, distinguish between types of special characters. They ask if you’d only like to include the weaker special characters which are more commonly used: !@#$%^&*()-_+=

…or would you like to include the far less likely to be chosen set of extended special characters? ~’>{[\|/.:”;,]}<`? Since cracking tools distinguish between these sets, you should too, and you should use characters from all 5 groupings. Even a password like Abc123 is more secure as "A,b,c,1.2.3?" - and how much harder is that to remember? It's easier than you think to bulletproof your password against advanced cracking technologies. You could surround your password in "quotes", or with [square brackets]. You could make it something easily memorable like {$19.95!}Ca||-n0\/\/ or "C:\WinNT\$Y5T3M\" or `Ta~0!!' The possibilities are, of course, endless. But the key is to use all 5 sets. Set 1: ABCDEFGHIJKLMNOPQRSTUVWXYZ Set 2: abcdefghijklmnopqrstuvwxyz Set 3: 0123456789 Set 4: !@#$%^&*()-_+= Set 5: ~'>{[\|/.:”;,]}<`? To further throw attackers off the trail, you could refuse to use commonly used characters, such as !, 1, e, 3, E, o, O, 0, 5, S, s, and some others. Then every time a cracker tries a pw with those chars in it, they will fail every time, and you can take comfort in their wasted CPU cycles.

This entry was posted in General InfoSec by Troy Vennon. Bookmark the permalink.

About Troy Vennon

I recently separated from the U.S. Marine Corps after 8 years. I spent the first 3 1/2 years building classified and unclassified networks all over the world. There was a natural progression from building those networks to securing those networks. My last 4 1/2 years in the Marine Corps took me to Quantico, Va where I was stationed with the Marine Corps Network Operations and Security Command (MCNOSC). While with the MCNOSC, I was a member of the Security section, which was responsible for the installation and daily maintainance of the 34 Points-of-Presence that made up the Marine Corps 270,000+ user network. After a period of time with Security, I moved over to the Marine Corps Computer Emergency Response Team (MARCERT). There I was the Staff Non-Commissioned Officer of the MARCERT, which was responsible for the 24x7 monitoring of network traffic across the Marine Corps. Specifically, we monitored network traffic for malicious intent and investigated any network incidents as they occurred. While with the MCNOSC, I attained my CISSP, CCNA, and OPST (OSSTMM Professional Security Tester). I have been with MicroSolved for the past 4 months as the Senior Security Engineer, Technical Lead, and Project Manager.

Leave a Reply