Monday, April 23, 2012

Note to self: Google Authenticator + oneiric

install Google-Authenticator app on whatever device you prefer

Then do this on Ubuntu 11.10 (oneiric):
git clone

install the libqrencode library (used to draw the QR code in the terminal)
install libpam0g-dev (PAM headers, needed to build the module)

cd google-authenticator
sudo make install

run google-authenticator as the user who will log in (it writes that user's ~/.google_authenticator)
Time-based tokens: Y
Scan the QR code shown on screen with your authenticator app
Update ~/.google_authenticator file: Y
Disallow use of same authentication token: Y
Increase window for time-skew: N
Rate-limiting: Y

insert "auth required pam_google_authenticator.so" into your /etc/pam.d/sshd file
make sure /etc/ssh/sshd_config has ChallengeResponseAuthentication yes, otherwise sshd never asks PAM for the code
sudo restart ssh
keep an existing SSH session open and test a fresh login from a second session before you log out, so a mistake does not lock you out


Tuesday, April 10, 2012

Passwords^12 : Call for Presentations

[Still haven't asked anyone to make a logo...]


For the third year running, I am happy to once again announce a Call for Presentations for Passwords^12.

Passwords^12 will be held at the University of Oslo (Norway) on December 3-5, 2012. The 2-day conference will be free and open for anyone to attend. Please do note that our primary audience will be academics and security professionals with deep technical knowledge. This is a conference with international speakers and participants, presenting fresh ideas and innovative research in an area that affects us all.

Saturday, April 07, 2012

Improving Password Meters

I've cried and cursed over password meters earlier. Twice actually. I've been planning to do it again too, just haven't found the time yet. (Volunteers?)

Then this site appeared in my Twitter stream - HowSecureIsMyPassword.Net, and I soon got in contact with Mark (@smallhadron). A few e-mails, some broken promises on my part to supply constructive criticism, etc., and here I am. Sorry Mark, but I finally couldn't keep these ideas in my head any longer, so here you are. I still hope and believe this can be of interest to you, as well as to anyone else considering making their own password metering software. :-)

Thursday, April 05, 2012

It all started with a hash

[ Lots of clipart available. I did my own this time. ]

This is a "Thank you all!" blog post that will also provide something useful. At least, I hope so.

Not long ago I found myself involved in a penetration test against an EPiServer installation. Working with my security colleagues @jabjorkhaug and @KluZz, we got access to some password hashes and their respective salts. Unfortunately the hash and salt values didn't look like those shown in the EPiServer patch for JtR by Johannes Gumbel from 2008. And here our quest began.... :-)