Inserting Extended Characters into Passwords ?

[Paul]

Hello everyone,

Would inserting extended characters into login passwords make my accounts
more secure ?

By extended characters, I mean those in the "Windows: Western" or "Unicode"
character set that you type by pressing ALT+number. For example: § ‡ è

I am contemplating doing this in order to make it harder for
keystroke-logging malware and password cracker programs to steal my passwords
that I have setup for ebay, school, and online banking websites. Many
servers accept these characters.

Thanks for your time and information.

Sincerely,

Paul

 

['69 Camaro]

Hi, Paul.

Would inserting extended characters into login passwords make my accounts
more secure ?

Only for those accounts where a brute force attack is being used to
determine the password. Brute force attacks are still common, but there are
better tools and methods available for the bad guys. For example, it's easy
to send you an E-mail spoofing your bank's customer service E-mail address
telling you that there's a problem with your account and that you need to
log in via the Internet to set things straight. They provide a link to a
fake Web site that looks just like your bank's. You click on the link, type
in your User ID and password on the Web page, the Web site page returns with
"Thank you! All fixed!" and the bad guys now have your User ID and
password, despite your having a difficult-to-guess password.

I am contemplating doing this in order to make it harder for
keystroke-logging malware

Keystroke loggers don't have a problem with Unicode characters. They just
record the keys typed or the scan codes, so that these can be replayed
later.

and password cracker programs to steal my passwords

Many password crackers aren't using brute force attacks to guess the
password, so using Unicode characters makes no difference in those cases
where a different methodology is used.

HTH.
Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
Blogs: www.DataDevilDog.BlogSpot.com, www.DatabaseTips.BlogSpot.com
http://www.Access.QBuilt.com/html/expert_contributors2.html for contact
info.

 

[Paul]

So it looks like inserting extended characters would give only a marginal
increase in security since brute-force attacks are becoming less common. It
may not be worth doing.

How is a brute-force attack carried out ?

Thanks for your info "69 Camaro", I learned something here.

Paul

————————————————————————————

 

['69 Camaro]

Hi, Paul.

So it looks like inserting extended characters would give only a marginal
increase in security since brute-force attacks are becoming less common.

I wouldn't say that. As long as brute force attacks are successful, they'll
continue to be used. It's just a lot less work to use social engineering to
trick people into revealing their User ID's and passwords than it is to
attempt every possible password until the actual password is found.

How is a brute-force attack carried out ?

Please see the following Web page for more information:

http://en.wikipedia.org/wiki/Password_cracking

HTH.
Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips and tutorials.
Blogs: www.DataDevilDog.BlogSpot.com, www.DatabaseTips.BlogSpot.com
http://www.Access.QBuilt.com/html/expert_contributors2.html for contact
info.

 

[Paul]

Thanks, I will look up that website. Paul.
_______________________________________

 

[Sylvain Lafontaine]

The real brute force attack won't be defeated by using extended characters;
however, it will be usually defeated by any password long enough, something
like 8 characters or more.

In order to greatly reduce the requiring time or in an attempt to cope with
long passwords; many brute force attack will either try exclusively with
alphanumeric characters and only a few special symbols (like , ' : and ! )
or even better, use a dictionary attack; for example trying with things like
tomato, tomato69 or t0mat069 (where the letter o has been replaced with the
number 0).

The wikipedia article mention that something like 50% of all passwords could
be guessed using the dictionary approach.

However, using something like toma?o6969 should not only be easy to remember
but will probably defeat about every brute force attack. (If you want
absolute security, go with 20 letters but remember that most hackers will
persist to use a brute force attack only if it's economically logical. You
don't work one or more months to make a little profit of a few hundred
dollards and a hacker will usually goes only after weak target.)

Finally, as it's had been mentionned in the other posts, don't forget that
they are also other methods to find a password.