Hi.

Sometimes if a strange customer is with me as I am firing up my PC, I
find it embarrassing, trying to supply my POWER ON password without
them seeing it.

I thought it would be nice if there was another way of providing this.

For example CTRL SHFT 64927 would be much harder for a stranger to
remember then lets say BARNEY.

I presume this is easier once Windows has fired up, but is there
anyway to have it active, even at the POWER ON stage?

By the way, is it possible to do it when Windows is running?

I don't mean within a specific software application, but globally
throughout all Windows applications?

i.e. if I type CTRL SHFT 669, for example, while even running Wordpad,
that BARNEY will appear on the screen, or even while using third party
software, not only Microsoft programs.

Thanks

Hi Alabastar:

It may be easier to change your password.

Do you know any technical jargon? Do you speak another language?

EG: If you have emergency-medical training, then you might set your
password to 'diaphoretic and cyanotic'.

EG: If you speak German, then you might set your password to 'Sie
werden nie sich erinnern!'.

EG: Throw in your daughter's birth date, and your password might be
'27diaphoretic1984cyanotic04'.

The goal is to find a phrase or sentence that an average person
would not be able to remember even if they saw it in print once.
After awhile, you'll be typing your password so fast that no casual
observance would stand a chance.

~ Mark


"Alabastar" <(E-Mail Removed)> wrote in part:

> Sometimes if a strange customer is with me as I am firing up my
> PC, I
> find it embarrassing, trying to supply my POWER ON password
> without
> them seeing it.
>
> I thought it would be nice if there was another way of providing
> this.

Alabastar wrote:
> Hi.
>
> Sometimes if a strange customer is with me as I am firing up my PC, I
> find it embarrassing, trying to supply my POWER ON password without
> them seeing it.
>
> I thought it would be nice if there was another way of providing this.
>
> For example CTRL SHFT 64927 would be much harder for a stranger to
> remember then lets say BARNEY.

You can use ASCII codes:
http://www.asciitable.com/

Hold down the "Alt" key, then type the decimal number code using the
right-hand numeric keypad, then release Alt.

For your example, "BARNEY":
Alt+66
Alt+65
Alt+82
Alt+78
Alt+69
Alt+89

You can mix and match ASCII codes with typing normally, for example:
BA(Alt+82)N(Alt+69)Y

You can greatly improve the strength of your password by throwing in
some non-typable characters, such as ƒ (Alt+159) On the web page I
linked to above, these are in the "Extended ASCII Code" table.

Most clipboard extender & all macro languages (AutoIt, Basic,) can do
this. I have Keytext which is cross of both

HTH-Larry is ctl+sft+H

On 5 Apr 2007 01:32:35 -0700, "Alabastar" <(E-Mail Removed)>
wrote:

>Hi.
>
>Sometimes if a strange customer is with me as I am firing up my PC, I
>find it embarrassing, trying to supply my POWER ON password without
>them seeing it.
>
>I thought it would be nice if there was another way of providing this.
>
>For example CTRL SHFT 64927 would be much harder for a stranger to
>remember then lets say BARNEY.
>
>I presume this is easier once Windows has fired up, but is there
>anyway to have it active, even at the POWER ON stage?
>
>By the way, is it possible to do it when Windows is running?
>
>I don't mean within a specific software application, but globally
>throughout all Windows applications?
>
>i.e. if I type CTRL SHFT 669, for example, while even running Wordpad,
>that BARNEY will appear on the screen, or even while using third party
>software, not only Microsoft programs.
>
>Thanks

Any advice is my attempt to contribute more than I have received but I can only assure you that it works on my PC. GOOD LUCK.

On Thu, 05 Apr 2007 05:09:56 -0500, Mike Meyer <(E-Mail Removed)> wrote:

>You can greatly improve the strength of your password by throwing in
>some non-typable characters, such as ƒ (Alt+159)

Site may only allow subset of char map.

what is 'password strength " & why is it better?

Thanks- bye- Larry


Any advice is my attempt to contribute more than I have received but I can only assure you that it works on my PC. GOOD LUCK.

On 5 Apr, 16:15, "Larry(LJL269)" <N...@EMAIL.COM> wrote:
> Most clipboard extender & all macro languages (AutoIt, Basic,) can do
> this. I have Keytext which is cross of both
>
> HTH-Larry is ctl+sft+H
>
> On 5 Apr 2007 01:32:35 -0700, "Alabastar" <nmorel...@uko2.co.uk>
> wrote:
>
>
>
>
>
> >Hi.
>
> >Sometimes if a strange customer is with me as I am firing up my PC, I
> >find it embarrassing, trying to supply my POWER ON password without
> >them seeing it.
>
> >I thought it would be nice if there was another way of providing this.
>
> >For example CTRL SHFT 64927 would be much harder for a stranger to
> >remember then lets say BARNEY.
>
> >I presume this is easier once Windows has fired up, but is there
> >anyway to have it active, even at the POWER ON stage?
>
> >By the way, is it possible to do it when Windows is running?
>
> >I don't mean within a specific software application, but globally
> >throughout all Windows applications?
>
> >i.e. if I type CTRL SHFT 669, for example, while even running Wordpad,
> >that BARNEY will appear on the screen, or even while using third party
> >software, not only Microsoft programs.
>
> >Thanks
>
> Any advice is my attempt to contribute more than I have received but I can only assure you that it works on my PC. GOOD LUCK.- Hide quoted text -
>
> - Show quoted text -

Thanks for all those suggestions.

I reckon theres more than enough there for me to chew on.

I must admit, I do think Mr Morse does demands some respect when it
comes to coding messages.

Thanks again.

Larry(LJL269) wrote:
> what is 'password strength " & why is it better?

Imagine your password is only 1 letter long, and it's a lowercase
letter. It would take a maximum of 26 guesses to find out what your
password is.

Now suppose your password is 2 letters long, and lowercase. Now it
would take a maximum of 26^2 guesses (676 guesses).

Now suppose your password is 7 letters long, and included lowercase and
numbers. It would take a maximum of (26+10)^7 -- over 78 billion
guesses. That sounds like a lot, but any modern computer is capable of
attempting to crack millions of passwords per second. 78 billion is not
a lot. In fact, there are programs now that, thanks to pre-computed
passwords, can crack this almost instantly. Even without pre-computed
passwords, it will only take a couple hours or less to crack.

Now suppose your password is 7 letters long, and includes all possible
ASCII characters (which is impossible, because some characters aren't
allowed, but just bear with me). Now it would take a maximum of 256^7
-- over 74 quadrillion. That's a bit better. You've ruled out anyone
looking for an "easy victim."

Now suppose your password is 9 letters long, all possible ASCII
characters. That's 256^9 = over 4 million quadrillion. At this point
it's infeasible to attempt to crack your password. If somebody is "out
to get you" they would most likely resort to easier methods--exploiting
vulnerabilities, send you a virus/trojan, etc.

In addition to the exponentially higher numbers, using non-typable ASCII
also forces Windows to use a more secure method of storing your
encrypted password (three other ways to accomplish this is by setting a
certain registry value, using a password 15 characters or longer, or
using Windows Vista). Due to "backwards compatibility" Windows XP will
by default encrypt passwords in a very insecure, and easily-reversible
way (known as "LM hashes") unless you take steps to prevent it, as I
described above. Details here, if you're interested:
http://en.wikipedia.org/wiki/LM_hash
http://support.microsoft.com/kb/299656
http://en.wikipedia.org/wiki/Password_strength

Greetings Mike & thank you for your response.

'You can greatly improve the strength of your password by throwing in
some non-typable characters' is not true since what u use doesnt
affect # permutations. It is affected by chars allowed by app that
stores password. Whether u use them or not is not relevant.

Any rule such as use min 1 numeric,.. weakens password since it
defines the structure of password unnecessarily. Codebreakers
decrypted Enigma traffic in WWII using such hints plus operators used
familiar words 4 seed of rendom # generator. (berlin, hitler, wife's
name) Most codes r broken thru such user errors.

The language the original traffic is in is a BIG help since it defines
frequecy distribution of decrypted letters.

There r several password generators on net. For most sensitive
sites(banks), I let them generate both ID & password.

Comments/suggestions/corrections appreciated.
Just my 2¢ worth. Larry

On Fri, 06 Apr 2007 05:31:41 -0500, Mike Meyer <(E-Mail Removed)> wrote:

>Larry(LJL269) wrote:
>> what is 'password strength " & why is it better?
>
>Imagine your password is only 1 letter long, and it's a lowercase
>letter. It would take a maximum of 26 guesses to find out what your
>password is.
>
>Now suppose your password is 2 letters long, and lowercase. Now it
>would take a maximum of 26^2 guesses (676 guesses).
>
>Now suppose your password is 7 letters long, and included lowercase and
>numbers. It would take a maximum of (26+10)^7 -- over 78 billion
>guesses. That sounds like a lot, but any modern computer is capable of
>attempting to crack millions of passwords per second. 78 billion is not
>a lot. In fact, there are programs now that, thanks to pre-computed
>passwords, can crack this almost instantly. Even without pre-computed
>passwords, it will only take a couple hours or less to crack.
>
>Now suppose your password is 7 letters long, and includes all possible
>ASCII characters (which is impossible, because some characters aren't
>allowed, but just bear with me). Now it would take a maximum of 256^7
>-- over 74 quadrillion. That's a bit better. You've ruled out anyone
>looking for an "easy victim."
>
>Now suppose your password is 9 letters long, all possible ASCII
>characters. That's 256^9 = over 4 million quadrillion. At this point
>it's infeasible to attempt to crack your password. If somebody is "out
>to get you" they would most likely resort to easier methods--exploiting
>vulnerabilities, send you a virus/trojan, etc.
>
>In addition to the exponentially higher numbers, using non-typable ASCII
>also forces Windows to use a more secure method of storing your
>encrypted password (three other ways to accomplish this is by setting a
>certain registry value, using a password 15 characters or longer, or
>using Windows Vista). Due to "backwards compatibility" Windows XP will
>by default encrypt passwords in a very insecure, and easily-reversible
>way (known as "LM hashes") unless you take steps to prevent it, as I
>described above. Details here, if you're interested:
>http://en.wikipedia.org/wiki/LM_hash
>http://support.microsoft.com/kb/299656
>http://en.wikipedia.org/wiki/Password_strength

Any advice is my attempt to contribute more than I have received but I can only assure you that it works on my PC. GOOD LUCK.

Larry(LJL269) wrote:
> Greetings Mike & thank you for your response.
>
> 'You can greatly improve the strength of your password by throwing in
> some non-typable characters' is not true since what u use doesnt
> affect # permutations. It is affected by chars allowed by app that
> stores password. Whether u use them or not is not relevant.
>
> Any rule such as use min 1 numeric,.. weakens password since it
> defines the structure of password unnecessarily.

Even if you know that my password is:
* At least 9 characters
* Contains at least one lowercase
* Contains at least one uppercase
* Contains at least one number
* Contains at least one typable symbol
* Is not a dictionary word (or any permutation of a dictionary word)

That doesn't significantly reduce the complexity.

26 uppercase + 26 lowercase + 10 digits + 32 symbols = character set of 94

94^9 = 572 quadrillion possibilities. But as you pointed out, not all
of those permutations will fulfill the requirements. However, I still
don't think you'll know enough about my password to significantly cut
the amount of time it takes to crack it. By stipulating the
requirements, that reduces the password from its ideal entropy. By how
much, I don't know. That math is over my head. A pessimistic estimate
could be that it cuts the number of possibilities in half (I don't think
it's THAT bad, but...) 286 quadrillion still ain't too shabby. It'd be
a different story if you knew that:

* My password is exactly 9 characters
* The last character is a number
* The first character is a capital G
* At least one of the other characters is a symbol
* At least one of the other characters is a lowercase i


However, there is a huge, HUGE difference between the security of a LM
hash (Windows' default) and an NTLM hash. First of all, LM converts
everything to uppercase, so you lose a significant chunk of the
character set. Second, it breaks the password into two 7-character
passwords and hashes each one separately. So a 14-character password is
no more secure than a 7-character password. That is just stupid, and
makes LM a joke. Cracking two 7-character passwords is trivial;
cracking a single 14-character password is not. By using a 15-character
password, a non-typable character, or setting the "NoLMHash" registry
value, you avoid the nightmare that is LM. Vista users need not worry
about LM--Microsoft finally had the sense to dispose of it completely.

> There r several password generators on net. For most sensitive
> sites(banks), I let them generate both ID & password.

That's good, as long as:
1. The HTTP connection is secured (HTTPS/SSL/TLS)
2. You don't use the password verbatim--otherwise the password generator
knows your password! It's better to generate a couple passwords, then
take bits and pieces of them and combine them into a different password,
reverse them, skip every 3 characters, etc. -- Doesn't matter exactly
what you do, just do something so the password you choose doesn't match
the password given to you by the generator. This website is a good
example of a "good" generator and gives good instructions on how to mix
it up a bit: https://grc.com/pass

Greetings again Mike & thank you for your response.

On Fri, 06 Apr 2007 09:17:48 -0500, Mike Meyer <(E-Mail Removed)> wrote:

>Even if you know that my password is:
>* At least 9 characters
>* Contains at least one lowercase
>* Contains at least one uppercase
>* Contains at least one number
>* Contains at least one typable symbol
>* Is not a dictionary word (or any permutation of a dictionary word)
>
>That doesn't significantly reduce the complexity.
>
>26 uppercase + 26 lowercase + 10 digits + 32 symbols = character set of 94
>
>94^9 = 572 quadrillion possibilities. But as you pointed out, not all
>of those permutations will fulfill the requirements. However, I still
>don't think you'll know enough about my password to significantly cut
>the amount of time it takes to crack it. By stipulating the
>requirements, that reduces the password from its ideal entropy. By how
>much, I don't know.
My bad- I was thinking of decryption of text not 1 word. I do know
that increasing by 10% number of allowable chars in each of 8 char
password doubles the number of possable permutations.

> That math is over my head. A pessimistic estimate
>could be that it cuts the number of possibilities in half (I don't think
>it's THAT bad, but...) 286 quadrillion still ain't too shabby. It'd be
>a different story if you knew that:
>
>* My password is exactly 9 characters
>* The last character is a number
>* The first character is a capital G
>* At least one of the other characters is a symbol
>* At least one of the other characters is a lowercase i
>
>
>However, there is a huge, HUGE difference between the security of a LM
>hash (Windows' default) and an NTLM hash. First of all, LM converts
>everything to uppercase, so you lose a significant chunk of the
>character set. Second, it breaks the password into two 7-character
>passwords and hashes each one separately. So a 14-character password is
>no more secure than a 7-character password. That is just stupid, and
>makes LM a joke. Cracking two 7-character passwords is trivial;
>cracking a single 14-character password is not. By using a 15-character
>password, a non-typable character, or setting the "NoLMHash" registry
>value, you avoid the nightmare that is LM. Vista users need not worry
>about LM--Microsoft finally had the sense to dispose of it completely.
>
>> There r several password generators on net. For most sensitive
>> sites(banks), I let them generate both ID & password.
>
>That's good, as long as:
>1. The HTTP connection is secured (HTTPS/SSL/TLS)
>2. You don't use the password verbatim--otherwise the password generator
>knows your password! It's better to generate a couple passwords, then
>take bits and pieces of them and combine them into a different password,
>reverse them, skip every 3 characters, etc. -- Doesn't matter exactly
>what you do, just do something so the password you choose doesn't match
>the password given to you by the generator. This website is a good
>example of a "good" generator and gives good instructions on how to mix
>it up a bit: https://grc.com/pass

Neither 1 or 2 makes any difference if u generate password independent
of site its used at unless they can monitor what sites u visit over
time. Dont know if that's possable.

"pseudo-random" numbers r all reproducable on demand- just tell me
algorithm(only a few-they r recursive: f(n)=f(n-1)) used & seed. For
the seed he may have used date-time, contents of X1 register, ur
IP,... I use them all the time in simulations. '1 time pad' is
completely random & can NOT be broken unless user reuses it.
I like GRC & 'shut down XP' using his instructions.

Comments/suggestions/corrections appreciated.
Just my 2¢ worth. Larry

Any advice is my attempt to contribute more than I have received but I can only assure you that it works on my PC. GOOD LUCK.