Strong passwords and Unicode. Can we use Unicode characters to strengthen our passwords? Yes... er no... er maybe. It depends.


Presented at BSidesManchester 2014 by

Unicode has been around for ages; it was created as a solution to the problem of managing input from many languages around the world with limited physical keyboard layouts. However, just like IPv6, Unicode is complex, generally poorly supported and definitely ubiquitous. In the Western world there is little incentive to use Unicode, given that standard keyboards and the ASCII character set mostly do the job. Hash cracking software suffers from the same faults:

* Recent high-profile hacks against web applications.
* A number of local and network-based attacks consist of extracting password hashes with the purpose of cracking them.
* Password cracking hardware and software is improving, but some tools barely handle Unicode at all, and the vast majority of dictionaries available on the Internet are purely ASCII.

Consequently a password hash generated with Unicode characters would be very difficult to crack using typical techniques, especially if the attacker is not explicitly considering the Unicode character set. Even if they did, the character set is so large that a straight brute-force attack would increase in complexity by a few orders of magnitude.

The question we seek to address is whether or not it is possible to use Unicode characters in today's software to strengthen password hashes. We will present our research into the handling of Unicode by several operating systems, browsers and application frameworks. Can you use Unicode to increase password security? Yes and no. Use it in the wrong place and you run the risk of locking yourself out! We will also demonstrate the challenges of cracking hashes including Unicode characters - it's harder than you might expect. We also show how Unicode is not interpreted correctly in some cases, causing unexpected problems.
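As an added illustration (not code from the talk), the Python below shows two of the effects the abstract describes: the same visible password hashes differently depending on Unicode normalization form and byte encoding (which is how a user gets locked out when one component normalizes and another does not), and how adding non-ASCII code points to the alphabet grows the brute-force search space. The sample word, the use of SHA-256 for visibility, and the 96 code points of the Latin-1 Supplement block (U+00A0 to U+00FF) as the extra alphabet are this example's own assumptions.

```python
import hashlib
import unicodedata
from typing import Optional

# Constructed sample: the word "café" in two canonically equivalent forms.
# NFC uses the precomposed U+00E9; NFD uses "e" followed by combining U+0301.
PASSWORD_NFC = "caf\u00e9"
PASSWORD_NFD = "cafe\u0301"

def encode_password(password: str, encoding: str,
                    normalize: Optional[str] = None) -> Optional[bytes]:
    """Bytes that would actually be fed to the hash, or None when the encoding
    cannot represent the text (e.g. a combining accent under latin-1). A None
    here is the lock-out case: the password can never be reproduced."""
    if normalize:
        password = unicodedata.normalize(normalize, password)
    try:
        return password.encode(encoding)
    except UnicodeEncodeError:
        return None

def digest(password: str, encoding: str,
           normalize: Optional[str] = None) -> Optional[str]:
    """SHA-256 of the encoded password. SHA-256 is used only to make the
    divergence visible; real storage should use a slow, salted password hash."""
    raw = encode_password(password, encoding, normalize)
    return None if raw is None else hashlib.sha256(raw).hexdigest()

def same_credential(a: str, b: str, encoding: str,
                    normalize: Optional[str] = None) -> bool:
    """True when two inputs that look identical on screen verify against the
    same stored hash. Normalizing to NFC before hashing makes them agree."""
    da, db = digest(a, encoding, normalize), digest(b, encoding, normalize)
    return da is not None and da == db

def brute_force_growth(extra_symbols: int, length: int, base: int = 95) -> float:
    """Factor by which an exhaustive search grows when extra_symbols code points
    are added to the 95 printable ASCII characters, at a fixed password length."""
    return (base + extra_symbols) ** length / base ** length
```

Note that NT hashes are computed over the UTF-16LE encoding of the password, so the utf-8 versus utf-16-le divergence shown here is exactly the kind of mismatch that appears when a password set through one interface is verified through another.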