What This Means
Incorporating any one of these 187 characters into your password instantly makes it uncrackable to L0phtCrack. It doesn't matter how long the password, since the use of just one of these characters automatically means that it can't be cracked.
Now this isn't to say that at some time in the future, there might be a tool that could check for these characters and resolve hashes for them. In fact, that tool may already exist, but we just haven't been made aware of it yet. As far as we know, this writing is the first publicity this research has received anywhere. Scott Crawford has emailed the creators of L0phtCrack repeatedly regarding this information, but has never received a reply.
So you might be thinking, "Oh, well this is not really anything special. Tomorrow there will be a tool that can check for these characters as well and this will make this whole article moot and worthless." Well, not exactly. You see, doubling the number of characters in the character set that must be searched also doubles the length of time it will take. If my math is correct, this doesn't just double the total length of time, but instead doubles the amount of time it takes per character. This means that if you have a 7 character password, it will take 27 or 128 times longer to crack. So even if there is a tool out there that can crack these characters, it must be configured to crack them, meaning it must search through all 380 possible characters.
That's why most crackers, especially the lamers and wannabes, limit their password cracking to dictionary attacks, letters and possible letters plus numbers (36 total characters). Nearly all of the time, if you make it past those cracking waves, they will either find an easier target or some other way in.
This brings us to the final reason that it's important to consider this, even if a capable tool exists. Most of the crackers out there are posers and wannabes, just messing around for kicks. There is a reason that so many system administrators feared L0phtCrack. It made life for the kiddie hackers incredibly easy. Just as with any other application (take Windows, for example), people typically gravitate toward the easiest way to do a task, even if it isn't necessarily the best method. The vast majority of the cracking population will tend to use L0phtCrack even if a more capable alternative exists, simply because it is quite fast and simple to use.
Keep in mind that this covers only one small element of overall system and network security. Keystroke loggers and fast eyes can still spy on the keystrokes to get the password, and of course, if someone has physical access to a given machine, you must consider it compromised. So, incorporate strong ALT-character password use along with your other network security standards to have the best possible security.
Network Administrators need fear L0phtCrack and the script kiddies no more.
For more information, see the following:
- http://www.l0pht.com/l0phtcrack/
- http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=9186
- http://www.win2000mag.net/Channels/Windows2000/TopicResults.cfm?TopicID=75
- http://www.lanw.com/training/interop/securityurls.htm
You may download this file to see a list of the ALT codes with each of the associated characters.
IE 7
Firefox 2.0
