I always thought this would be kinda neat, in case someone was trying to snag my password over my shoulder, but I don’t know how it would be done, if at all possible. I tried putting ^H in there, but of course that didn’t work. Can I use some kind of ASCII sequence, or what? Incidentally, I’d like to do this on a Unix system, but tips and tricks for any OS are certainly appreciated.
In Unixland, this can be done, but it’s a bad idea. If you type “stty -a” you can see your terminal options. If your erase character is set to backspace, change it with “stty erase ^g” or something. Then you should be able to enter a backspace when you run the passwd command to change your password.
If you do this, you will regret it. There are a variety of programs that must ask for a password and not all of them can be coaxed into accepting a backspace. Upgrades to these programs may break a trick you were using to sneak a backspace in. You typically encounter the problem as you discover that you can’t log in.
Use a combination of upper and lower case characters to protect your password instead. Since the password is not displayed as it is typed, it is hard to tell where the shift keys went.
You know, I recall using a few systems that allowed oddball characters in their passwords, but I’ve used so many obscure systems that I can’t recall which ones. I do recall it being a huge problem though, you can cause serious grief if you misapply these tricks. I would not try any bizarre password trickery on linux or unix unless I had a good idea of how your distro’s password structure works.
I still think the best strategies for hardened passwords are to use passphrases as an acronym. This way you can remember difficult passwords with mixed upper/lowercase/numerics. For example, you could use the passphrase “I’m gonna cry 96 tears” and use that to remember your password “Igc96t”… You can recall and type these phrases quickly and they are fairly hardened against dictionary attacks and other typical skript kid33 tools.
A lot of systems would have trouble with a backspace.
Chas’s advice is good. Another good tip is to include some sort of punctuation mark in the password.
However, a chilling bit of information – if the hacker can get at the password file, he can crack it by brute force in about two weeks. (At least, that was the number back in November – it may take less time now).
Putting a punctuation mark in the password on this system virtually guarantees that the password won’t work. I’ve had to fix many passwords that use this “clever trick”, which is so clever that the poster can’t even use his own password!
We’ve tightened security considerably. For one thing, many administrative/maintenance features cannot be done remotely, they MUST be done in the physical presence of the server. I am not going to go into further details.
For the Straight Dope
I’ve been using the method Chas.E mentioned for about six years. It provides an extremely secure password that is very easy to remember. Using phrases with numbers and/or proper names (to mix case) ups the security even further.
Thanks for the tips, but I’m quite adept at creating random passwords, usually incorporating mixed cases, numbers, and at least one non-alphanumeric character, in no sort of order that suggests a word. I was just curious about the possibility of using keys like tab and backspace in a password.
Perderabo, when you say
does that mean change it to “stty erase ^g”? If so, would it enter characters when I press backspace, instead of eating the preceding character? I’m just not clear on what you’re saying. I’ll trust everyone’s advice that it’s more trouble than it’s worth, and not try it, but I’d still like to know how it would work. Thanks.
The erase character removes the last character you typed. Normally the erase character is either backspace (cntl-h) or delete. If cntl-h has been assigned to a special function like erase, you need to restore cntl-h to just being a character.
“stty” is a command that displays and alters terminal settings. The “stty erase ^g” (which is typed with a ^ then a g, just like you see it) sets the erase character to control g. Now if you make a boo-boo, you will need to type cntl-g to erase the last character you typed. cntl-h on the other hand will now no longer do anything special.
This is the most universal way to free up cntl-h across the most versions of unix. Some tty drivers have other ways to accomplish this. But if this stty trick fails, the unix version you are using is not complying with the standards for unix.
But again, I urge you to not do this. You will regret unprintable characters in your password and cntl-h is a particularly bad choice.
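The two posts above describe how the tty line discipline swallows the erase character before a program such as passwd ever sees it, and how “stty erase ^g” moves that role to cntl-g. The following Python model is an added example (not code from any poster in this thread): it reads the current control characters with termios when stdin is a tty, falls back to a constructed default table otherwise, and simulates what a program reading a line in canonical mode actually receives. The function names, the DEFAULT_CC values and the sample keystrokes are assumptions made for the illustration.

```python
import os
import sys
import termios  # POSIX terminal control; the simulation itself needs no real tty

# Line-discipline control characters the kernel interprets in canonical (cooked) mode
SPECIAL_CC = ("VINTR", "VQUIT", "VERASE", "VKILL", "VEOF", "VSUSP",
              "VSTART", "VSTOP", "VWERASE", "VLNEXT")

# Constructed default table resembling a Linux terminal after "stty sane".
# Assumption: erase is DEL (0x7f); many terminals send ^H (0x08) for Backspace instead.
DEFAULT_CC = {
    "VINTR": 0x03,    # ^C  interrupt
    "VQUIT": 0x1c,    # ^\  quit
    "VERASE": 0x7f,   # DEL erase last character
    "VKILL": 0x15,    # ^U  discard the line
    "VEOF": 0x04,     # ^D  end of file
    "VSUSP": 0x1a,    # ^Z  suspend
    "VSTART": 0x11,   # ^Q  resume output
    "VSTOP": 0x13,    # ^S  stop output
    "VWERASE": 0x17,  # ^W  erase last word
    "VLNEXT": 0x16,   # ^V  quote the next character
}

# Characters that never reach the program at all (signal, EOF or flow control)
SIGNAL_CC = ("VINTR", "VQUIT", "VEOF", "VSUSP", "VSTART", "VSTOP")


def current_cc(fd=None):
    """Return the terminal's control characters as {name: byte}, as "stty -a" shows them.
    Falls back to DEFAULT_CC when fd is not a tty (pipes, batch jobs)."""
    try:
        if fd is None:
            fd = sys.stdin.fileno()
        if not os.isatty(fd):
            return dict(DEFAULT_CC)
        cc = termios.tcgetattr(fd)[6]
    except (AttributeError, ValueError, OSError, termios.error):
        return dict(DEFAULT_CC)
    table = {}
    for name in SPECIAL_CC:
        idx = getattr(termios, name, None)  # VWERASE/VLNEXT are absent on some platforms
        if idx is None or idx >= len(cc):
            continue
        value = cc[idx]
        table[name] = value if isinstance(value, int) else value[0]
    return table


def with_erase(cc, char):
    """Model "stty erase <char>": return a copy of the table with VERASE moved to char."""
    updated = dict(cc)
    updated["VERASE"] = ord(char) if isinstance(char, str) else char
    return updated


def cooked_input(typed, cc):
    """Return what a program reading a line in canonical mode receives for the
    keystrokes in `typed`, given the control characters in `cc`.
    Raises ValueError if a keystroke would become a signal/EOF instead of data."""
    signals = {cc[name]: name for name in SIGNAL_CC if name in cc}
    buf = []
    literal_next = False
    for ch in typed:
        code = ord(ch)
        if literal_next:                    # previous key was VLNEXT: take this one literally
            buf.append(ch)
            literal_next = False
        elif code == cc.get("VLNEXT"):
            literal_next = True
        elif code == cc.get("VERASE"):      # delete the last character typed
            if buf:
                buf.pop()
        elif code == cc.get("VKILL"):       # throw away the whole line
            buf.clear()
        elif code == cc.get("VWERASE"):     # delete the last word
            while buf and buf[-1] == " ":
                buf.pop()
            while buf and buf[-1] != " ":
                buf.pop()
        elif code in signals:
            raise ValueError(f"{signals[code]} (0x{code:02x}) never reaches the program")
        else:
            buf.append(ch)
    return "".join(buf)


def survives_terminal(password, cc):
    """True if the password would arrive unchanged at a passwd-style prompt on this terminal."""
    try:
        return cooked_input(password, cc) == password
    except ValueError:
        return False


if __name__ == "__main__":
    cc = with_erase(DEFAULT_CC, "\x08")            # a terminal whose erase key sends ^H
    print(repr(cooked_input("pa\x08ss", cc)))      # 'pss': the ^H ate the 'a'
    freed = with_erase(cc, "\x07")                 # after "stty erase ^g"
    print(repr(cooked_input("pa\x08ss", freed)))   # 'pa\x08ss': ^H is now an ordinary byte
    print(survives_terminal("Igc96t", current_cc()))
```

Running the model against the real terminal (current_cc() with stdin attached to a tty) is a quick way to check a candidate password before committing it with passwd: any character that cooked_input changes or rejects is one the line discipline, not the password program, would have handled.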
It may take much longer or shorter to crack a password. It depends on:
- the program used to crack it
- the types of characters used (all lowercase text will take a much shorter time than different casing, numbers and symbols)
- how long the password is
- how powerful the computer used is
- how powerful the encryption is
- how long per day the computer was used
If Win98’s encryption for cached passwords was used, the password was 9 characters long and the computer was around an Athlon 800 with 128 MB of RAM, and if the password was made with all types of characters, it could take upwards of a month if the computer was crackin’ 24/7. Of course with a much simpler password it could take less than a minute.
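The post above lists the factors that decide brute-force time (character classes, length, guess rate, hours per day), and an earlier post suggested the acronym password “Igc96t”. The following Python is an added example, not code from any poster in this thread: it classifies which character classes a password draws on and turns the factors in the list into a calendar-time estimate. The guess rates in the demo are constructed placeholder numbers, not measurements of any cracking program or hardware.

```python
import math
import string

# Sizes of the four classes that together make up the 95 printable ASCII characters
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}
CLASS_MEMBERS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation) | {" "},  # 32 punctuation marks plus space
}


def classes_used(password):
    """Return the character classes present in the password, in CLASS_SIZES order."""
    return tuple(name for name in CLASS_SIZES
                 if any(ch in CLASS_MEMBERS[name] for ch in password))


def keyspace(classes, length):
    """Number of candidates a brute-force attacker must consider for these classes and length."""
    return sum(CLASS_SIZES[c] for c in classes) ** length


def entropy_bits(classes, length):
    """Keyspace expressed in bits, the usual way to compare password strength."""
    return math.log2(keyspace(classes, length))


def crack_seconds(classes, length, guesses_per_second, hours_per_day=24.0, expected=True):
    """Calendar seconds to brute-force the keyspace.
    expected=True gives the average case (half the keyspace), False the worst case.
    hours_per_day models a cracking machine that only runs part of each day."""
    guesses = keyspace(classes, length) / (2 if expected else 1)
    guesses_per_calendar_day = guesses_per_second * 3600 * hours_per_day
    return guesses / guesses_per_calendar_day * 86400


def describe(seconds):
    """Human-readable duration for reports."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def estimate(password, guesses_per_second, hours_per_day=24.0):
    """Estimate for a concrete password, assuming the attacker knows only its length and classes."""
    classes = classes_used(password)
    return {
        "classes": classes,
        "length": len(password),
        "bits": entropy_bits(classes, len(password)),
        "expected": crack_seconds(classes, len(password), guesses_per_second, hours_per_day),
    }


if __name__ == "__main__":
    RATE = 1_000_000.0  # constructed placeholder: one million guesses per second
    for pw in ("tears", "Igc96t", "Igc96t!#x"):
        e = estimate(pw, RATE)
        print(f"{pw!r:12} classes={e['classes']} bits={e['bits']:.1f} "
              f"expected={describe(e['expected'])}")
    # The same 9-character mix, but the cracker only runs 8 hours a day
    print(describe(crack_seconds(classes_used("Igc96t!#x"), 9, RATE, hours_per_day=8)))
```

The estimate is an upper bound on what brute force costs: a dictionary or pattern attack against a password built from a common phrase can finish far sooner, which is why the acronym should come from a phrase that is personal rather than a well-known title or lyric.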