Saturday, April 07, 2012

Improving Password Meters



I've cried and cursed over password meters earlier. Twice actually. I've been planning to do it again too, just haven't found the time yet. (Volunteers?)

Then this site appeared in my Twitter stream - HowSecureIsMyPassword.Net, and I soon got in contact with Mark (@smallhadron). A few e-mails, broken promises from my side about supplying some constructive criticism, etc., and here I am. Sorry Mark, but finally I couldn't keep these ideas in my head any longer, so here you are. I still hope and believe this can be of interest to you, as well as anyone else considering making their own password metering software. :-)

Thursday, April 05, 2012

It all started with a hash

[ Lots of clipart available. I did my own this time. ]

This is a "Thank you all!" blog post that will also provide something useful. At least, I hope so.

Not long ago, I found myself involved in a penetration test against an EPiServer installation. Working with my security colleagues @jabjorkhaug and @KluZz, we got access to some password hashes and their respective salts. Unfortunately the hash and salt values didn't look like those shown in the EPiServer patch for JtR by Johannes Gumbel in 2008. And here our quest began.... :-)

Wednesday, March 28, 2012

Important update - Adobe Flash Player


Adobe has released a critical update that should be installed as soon as possible, since it fixes critical security vulnerabilities, and it also comes with an option for automatic updating.

In plainer terms: An important update has been released for a small add-on program on your computer, and it should be installed as soon as possible. This add-on program is what lets you see, for example, ads and videos on a wide range of websites, and it is used almost everywhere. This update also adds a feature so that from now on you no longer need to think about updating it manually; it will happen automatically and without you noticing.

PS: at work, your IT department probably takes care of this for you automatically!

Here is the step-by-step guide for installing the update:

Friday, March 23, 2012

Note to self: Ubuntu 11.10x64 + Nvidia

Install Ubuntu 11.10 x64 with all updates
sudo apt-get install gnome-panel (Unity be gone!)
Log out and pick GNOME on login
Add https://launchpad.net/~ubuntu-x-swat/+archive/x-updates to software sources
sudo apt-get update
Enable the Nvidia driver under Additional Drivers
Reboot
Install VirtualBox 4.1.x (problems with the guide at virtualbox.org on adding the repository)
Go cudaHashcat*, Multiforcer & John.
Restore normal room temperature.

Wednesday, March 14, 2012

BYOD - have you read the fine print?

This is an interesting blog post about Datatilsynet's (the Norwegian Data Protection Authority's) comments on chapter 9 of the Personal Data Regulations (personopplysningsforskriften).

At some point back in time I sat at a university college together with sturdy people dressed in green, and there I read, among other things, the Security Act and selected highlights from the Penal Code. The reading didn't stop there, and to use a well-worn expression: the devil is in the details.

Thursday, March 01, 2012

Pwnd. Again. And again.

[My colleague Jørgen, putting up his best smile after a successful PWN of me]
This short notice is to acknowledge the fact that I got Pwnd. Again. I'm experiencing that at a rate of <=2 per year. Not good, but then again, I don't think that's too bad, considering the fact that I'm actually inviting people to test me. You can see my previous blog posts "Can you see my password?" and "Pwnd. Again." for more information about previous (successful) attempts, as well as competition rules. :-)

Sunday, February 12, 2012

Activesync and FIPS 140-2 part 1

Perhaps the best Dilbert/Mordac ever...?
I am not Mordac. I can admit to being a bit similar to Mordac once upon a time, but that is a looong time ago. I'll bet I can get somebody to confirm it, at least if I get to "talk" to them a little bit before you do. ;-)

Seriously, I've been doing some testing with Microsoft Activesync in order to find some common ground across iOS & Android for setting a "good practice" password policy level. After spending some time on this, I think Mordacs work at Apple & Google. I also think that Mordac was involved in the creation of FIPS 140-2, at least when somebody thought it would be a good idea for mobile devices.

I'll explain that later on, but first 2 simple things to remember here:
1. A default policy, no matter which product, should never be considered "secure" or "good enough".
2. I say Good Practice. "Best practice" cannot be proven legally, period. There is a legal difference here.

Monday, February 06, 2012

STARTTLS & the Police

[Kids say the darndest things...]
The FBI got "hacked" by Anonymous (NYTimes), who eavesdropped on an international telephone conference regarding criminal activities by Anonymous. The hack wasn't all that sophisticated (...), since they probably got access to the meeting invitation sent by e-mail (pastebin), which contained all the necessary info. Just a few tips here for those interested:

Simple Security Usability part 1


[Grabbed from Microsoft. Too lazy to make my own. Sorry.]

Try searching Google for pictures related to "security usability". You will find quite a few pictures similar to the above.

Is that really the simple - and stupid - truth? Does it always have to be like that? I'd like to fight against some misconceptions in the area of security vs usability. Here's a very simple example: improving security by simplifying usability.

Friday, February 03, 2012

Minimum Password Length POO

[Picture from fileformat.info, showing U+1F4A9]
Looking at the wonderful new character named "Pile of Poo" in Unicode 6.0 (not 6.1, as re-tweeted by many...), I think my spontaneous competition on Twitter Jan 31 became even more fun to write about now. While I still owe you to write loads of opinions for/against periodic password changes, I'll drop this one as an input to the "minimum length" discussions as well.