The strength of the pound

By on
The strength of the pound

One simple way to improve your firm’s password security is incorporating non-US characters. Ken Munro explains

Strong passwords should contain non-alphanumeric characters, be of a sufficient length, and not contain dictionary words.

That sort of familiar advice can be heard echoing round IT help departments up and down the land. But there are other methods of improving password security, methods that both the security manager and the hacking community might have overlooked. For example, few have considered that some non-alphanumerics are more effective than others.

Password cracking is cyclical. As processor power increases, so passwords are made stronger only for processor power to be ramped up again, and so on.

If you have access to password hashes, or physical access to the target device, then these are a quick route to accessing passwords.

We have computed 99.9 per cent of LM hashes, and as a result, can crack virtually any hash in around two minutes.

Most of the widely used password-cracking tools are coded in the US, or outside Europe. Few are constructed in the UK or continental Europe. As a result, the default character sets used for brute-force attacks are usually based on the US language and its associated symbols.

The same applies for pre-computed password tables. Most of these were computed, or the computation has been co-ordinated, in the US. As a result, the character sets used are, once again, US-specific.

This small detail can provide real security benefits. By including characters in your Windows password that don't appear on the US keyboard, you can reduce the cracker's rate of success dramatically.

And what would be the ideal character? The good old British pound sign. We have tried this on several crackers with default character sets and pre-computed hash tables, and even using the "£" as a single character password defeats them.

It might seem obvious, but few attackers think of adding in country-specific characters. John the Ripper, a well-known brute-force tool, doesn't include it by default. Indeed, to our knowledge, a Rainbow Table that includes the "£" is not publicly available, although we have now computed it for our own testing purposes.

And if you are reading this outside the UK, be assured that other country-specific characters, which are not associated with American-English, can also be just as effective.

The sheer scale of possibilities means that attackers are going to struggle to include the pound sign and other non-US characters in their hash tables. A standard US-language alphanumeric character set is 62 characters, but if you include US-keyboard non-alphanumerics (!"#$%&'() and so on), there are no less than 94.

And if you also include the "Latin-1" character set from ISO 8859-1, which covers Western European languages, among which is the pound sign, you get a whopping 191 characters.

That number of symbols means that carrying out a brute-force attack against a password takes rather longer. And it makes pre-computing password hashes take significantly more processing time or power.

It's worth noting that, to date, comprehensive NTLM hash tables for passwords exceeding seven characters have not yet been completed, although they are being computed. You should bear in mind, however, that LM passwords are made up of two seven-character segments, which can be cracked one by one.

But if you are verbally querying the character set of a cracking tool with an American colleague, don't forget that "pound sign" means something completely different to them: it equates to the hash symbol.

Forget this and you could end up with a very confused colleague who fails to see the value in incorporating this into the password policy.

And I should mention that Euro-scepticism has no place in this, either – the euro symbol works just as well as the pound sign.

Ken Munro is managing director of SecureTest. He can be contacted at

Copyright © SC Magazine, US edition

Most Read Articles

Log In

|  Forgot your password?