Sunday, December 20, 2009

Real-life password complexity

Take a look at your organization's written password policy. I won't be surprised if there's a complexity requirement, forcing you to use at least 3 of these 4 character groups in your password: UPPERCASE, lowercase, digits (0-9), and special characters (§!"#¤%&/€()=?`\,;.:-_*¨^<> and so on).

Adding a complexity requirement to people's passwords makes them much more difficult to crack, the experts say. (Of course, you will find lots of people saying that it also makes them difficult, if not impossible, to remember, but that's another story.) One of the things I was curious about many years ago, when I started to do my "research" into passwords, was a simple hypothesis: Will user passwords actually increase much in complexity when adding the "standard" complexity requirement which almost everyone uses?
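One way to put that hypothesis to a test during a password audit, as an added example that is not part of the original post: check each password against the 3-of-4 rule, then reduce the compliant ones to a structural mask (U = uppercase, l = lowercase, d = digit, s = special) and count how many distinct structures remain. It assumes any character that is not a letter or digit counts as special, and the sample list is constructed for illustration.

```python
from collections import Counter


def _group(ch):
    """Map one character to its group code: U, l, d or s."""
    if ch.isupper():
        return "U"
    if ch.islower():
        return "l"
    if ch.isdigit():
        return "d"
    return "s"  # assumption: everything else is a "special character"


def mask(password):
    """Structural mask of a password, e.g. 'Password1' -> 'Ullllllld'."""
    return "".join(_group(ch) for ch in password)


def char_groups(password):
    """Set of character groups (as mask codes) present in the password."""
    return set(mask(password))


def meets_policy(password, min_groups=3):
    """True if the password uses at least min_groups of the 4 groups."""
    return len(char_groups(password)) >= min_groups


def structure_report(passwords, min_groups=3):
    """Return (number of compliant passwords, Counter of their masks)."""
    compliant = [p for p in passwords if meets_policy(p, min_groups)]
    return len(compliant), Counter(mask(p) for p in compliant)


# Constructed sample, not real user data.
SAMPLE = ["Summer2009", "Winter2009", "Password1", "Welcome1!",
          "password", "qwerty123", "Monday12", "k7#Vq!m2Lx"]

if __name__ == "__main__":
    count, masks = structure_report(SAMPLE)
    print(f"{count} of {len(SAMPLE)} passwords meet the 3-of-4 rule")
    for m, n in masks.most_common():
        print(f"{n:3d}  {m}")
```

A real audit would run `structure_report` over recovered or candidate passwords; a small number of masks covering most compliant passwords means the rule added little actual variety.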

Sunday, December 13, 2009

YAMMERing about security

Recently some colleagues signed up for using Yammer (
Perhaps a little paranoid, I decided to register myself in order to have a look at the security they provide. After all, I'm supposed to do some sort of monitoring and control, and provide reasonable advice on security issues affecting me, colleagues, friends, customers as well as providers of various services.

Tuesday, December 08, 2009

Password recovery performance

OK, here's just a quick posting to show off performance numbers when using a single CPU or an NVIDIA GTX295 graphics card to recover passwords that have been stored using various hashing functions (recovery here is commonly referred to as "password cracking"). I requested this information from my contact Andrey Belenko at Elcomsoft, based on their product "EDPR - Elcomsoft Distributed Password Recovery", for which I am the happy owner of a 20-client license. (A big "thank you" to Andrey for providing the statistics!) All this is part of my ongoing "research" into passwords.