Thursday, January 28, 2010

A password to remember - forever?

As part of my ongoing personal research into passwords, i do see lots of passwords that are bad, satisfactory, good or just incredibly impressive. However, the question "It is so hard to remember my password. What can i do to make it easier to remember?" comes from friends and colleagues from time to time.

Well, of course there's the simple trick of writing it down instead, as I've written before and many before me. In fact it's a recommendation from Bruce Schneier and Jesper Johansson as well (although i don't know if any of them had the original idea for this...).

Once a friend of mine told me that he had now created a password he just could not forget, and it was long and complex. I just had to ask "Ok, so what is it then?". A really high level of trust here, so he told me his password (or passphrase to be exact) was "I have forgotten my password". Impossible to forget. :-)

Today i checked the statistics at Freerainbowtables, one of many sites where I am actively participating. I couldn't help noticing the latest cracked password in the right column, which immediately reminded me about the old password story from my friend. Possibly a bit obscene to some people, so I'll leave it to you for translation from Norwegian to the language of your choice, but there are 2 words to translate, first 5 characters, then the next 4 characters. You can see a screenshot here:

Arguably a password that somebody may never forget as well?

Sunday, January 24, 2010

Yet another opinion on the RockYou case

The recent break-in at RockYou, where a massive 32 million accounts were compromised (e-mail addresses, account names and passwords), has been thoroughly debated online since it became publicly known. They still have an "Important security notice" link from their homepage, admitting the compromise and stating the (obvious) actions they will take to ensure the safety for their users. I presume some information/marketing people has also been involved in that statement.

Wednesday, January 20, 2010

Socialcast password security

I'm happy to see that people seems to be interested in the issues I'm blogging about, i really appreciate that.  So here the other day i saw that someone working for Socialcast  started to follow me on Twitter, which reminded me that i have signed up for a free account there as well, in order to have a look at their password policy.

Monday, January 18, 2010

Yammering - a reply to @henriksen

This is a reply to @henriksen, as he asked me whether i had tested the paid version of Yammer, based on my blogpost "YAMMERing about security" earlier. No, i have not tested the paid version.

Tuesday, January 12, 2010

Guest post on

I have a guest post on Kai Roer's blog, with my opinions on the apparent failure of Bitlocker published in 2009, including the report from Fraunhofer in December. You can read it here.

Monday, January 04, 2010

Facebook - Policy inconsistency

Pointing fingers at Yammer in a previous blog post, it's time to take a look at Facebook and their password policy.

I'm on Facebook. I've got more colleagues there as "friends" than i have family and friends from my personal life. Yes, i do draw a very clear line between colleague and friend. Colleague =! friend, period.

Sunday, January 03, 2010

Password policy insanity

I'm a realist. I prefer written password policies that can be technically implemented, and at a level which doesn't make most of my colleagues *hate* me.

The Norwegian Post and Telecommunications Authority (NPT) in Norway is the only government authority in Norway that has published a publicly available recommendation for a password policy targeted towards organizations. Among many other recommendations for end-users and organizations, they can be found (in Norwegian only) at their portal named "Nettvett". Being the only recommendation publicly available from the Norwegian government, some might consider this as a "best practice" recommendation.