Sunday, December 20, 2009

Real-life password complexity

Take a look at your organization's written password policy. I won't be surprised if there's a complexity requirement, forcing you to use at least 3 of these four character groups in your password: UPPERCASE, lowercase, digits (0-9), special characters (§!"#¤%&/€()=?`\,;.:-_*¨^<>) and so on.

Adding a complexity requirement to people's passwords makes them much more difficult to crack, the experts say. (Of course, you will find lots of people saying that it also makes it difficult, if not impossible, to remember them, but that's another story). One of the things I was curious about many years ago when I started to do my "research" into passwords was a simple hypothesis: Will user passwords actually increase much in complexity when adding the "standard" complexity requirement which almost everyone uses?

Sunday, December 13, 2009

YAMMERing about security

Recently some colleagues signed up for using Yammer (
Perhaps a little paranoid, I decided to register myself, in order to have a look at the security they provide. After all, I'm supposed to do some sort of monitoring, control and provide reasonable advice on security issues affecting me, colleagues, friends, customers as well as providers of various services.

Tuesday, December 08, 2009

Password recovery performance

Ok, here's just a quick posting to show off performance numbers when using a single CPU or an Nvidia GTX295 graphics card to recover passwords that have been stored using various hashing functions (recovery here is commonly referred to as "password cracking"). I requested this information from my contact Andrey Belenko at Elcomsoft, based on their product "EDPR - Elcomsoft Distributed Password Recovery", which I am the happy owner of for a 20-client license. (A big "thank you" to Andrey for providing the statistics!). All this as part of my ongoing "research" into passwords.

Thursday, November 26, 2009

Why history may be bad for you

Search, and you shall find loads of people doing password analysis on the Internet. There have been several high-profile attacks against websites, resulting in the compromise and public disclosure of user IDs and password hashes (or worse: passwords in clear-text). I've read many of these, and there are several issues not being addressed or even mentioned in the analysis performed even by people such as Bruce Schneier (whom I really respect, don't get me wrong!).

Saturday, November 21, 2009

Guarding your usernames

Everyone tells you that your password is secret, and that you should never EVER share it with anyone, period. Well, if you're married (like I am), I wouldn't be all too surprised if your other half knows your #PIN (=password) for your VISA/AMEX/Mastercard, and probably a few other cards or online services as well. So much for the recommendation of not sharing your password (a PIN code is a password). Of course you're paranoid about your own security, but what about him/her?

Thursday, November 19, 2009

Welcome / ground rules

Hi, and welcome to my blog. I've set up this blog in order to write about my "current" obsession within security: passwords. I've been doing personal "research" on this for some 8-9 years now, and I've got lots of stuff that I would like to share with the community. Other topics may be discussed as well of course. Just remember this: what I write here is my own opinion, period.