Tuesday, February 22, 2011

Far Out Dude!

This is a blog post specifically for Davey Winder (@happygeek), after I read your article "The password cracking software enigma". I came across the article through @WeldPond, who retweeted a message from @L0phtCrackLLC saying "so why is exposing weak passwords and weak hashing bad again?"

You must be joking.

You are referring to Passware Kit Enterprise; anyone capable of copying and pasting from your article into their Google search bar can figure that out. You almost make it sound like this is nothing more than a commercialized "hacking" application, bashing their marketing of it as a forensic toolkit. There are others like them, but you could easily have contacted them to give them a fair opportunity to explain their product, pricing and target audience. You probably didn't, and I guess you didn't inform them about your article afterwards either. At least according to Norwegian press standards, that's not a nice thing to do.

Just like you can use ANY car to drive from A to B or to kill people, you can use this software for doing good (legal forensics, exposing bad passwords) or doing bad (cracking other people's passwords unlawfully, with malicious intent). This really is legal software, and their latest version was actually released during Passwords^10, a 2-day conference ONLY about passwords held in December 2010. We did discuss password cracking, and we also discussed the ethics of doing exactly that. You should have been there.

I'm not going to make a long list of situations where such software can be very useful; you've already mentioned law enforcement agencies. If an employee dies suddenly and his laptop holding valuable business data is protected with BitLocker FDE, we might need this. To analyze our true risk exposure, cracking our own passwords is a good idea.

I am very well aware of the dangers of letting anyone purchase this software, as it may be used for illegal activity. That doesn't mean that all of us purchasing this type of software intend to do so. On the contrary, in fact.

To finish off, you wrote: "But surely most enterprises have a proper password management system up and running, a system which enforces enterprise password policy and manages identity without fuss and which therefore means there is no problem in recovering ‘lost’ passwords in the first place."

Uh... No. Sorry, you're wrong. Nice assumption, but you are wrong. Ask any IT security auditor who has been working with this stuff for at least a couple of years; they should be able to confirm that BAD passwords are everywhere. Password auditing/forensic software helps to find, document and FIX such weaknesses, just as it helps law enforcement agencies and others to do proper forensics even on data where others have tried to hide their illegal activity behind seemingly strong passwords.

Let me repeat myself: I do understand your concern. Don't take it out on the vendors or those of us who actually use this type of software for good purposes. What do you know, I've even used such software to uncover ILLEGAL use of similar types of software!
