Archive for the ‘General’ Category

Why you should crack your passwords

Friday, February 19th, 2010

Computer security audit

Your organization probably has a written password policy. Accordingly, you also have different technical implementations of that policy across your various systems. Most of the implementations do not match the exact requirements or guidelines given in the written policy, because they cannot be technically implemented.


New Contributor

Friday, February 19th, 2010

We are glad to announce that we have a new contributor to our blog and we would like to introduce him to you.

Per Thorsheim is a security professional living and working in Bergen, Norway. He is currently certified CISA and CISM from isaca.org, and CISSP-ISSAP from isc2.org. You can follow him on http://twitter.com/thorsheim and read his personal blog at http://securitynirvana.blogspot.com.

It was Data Privacy Day… our warmest congratulations!

Friday, January 29th, 2010

ElcomSoft always have yet another pair of eyes for your privacy… :)

123 Out Goes… Your Password

Friday, January 22nd, 2010

About a month ago, a SQL injection flaw was found in the database of RockYou.com, a website dealing with social networking applications. The Tech Herald reports that 32.6 million passwords were exposed and posted online due to the flaw. A complete examination of the passwords on the list showed that they are not only short, as RockYou.com allows 5-character passwords, but also alphanumeric only.

Half of the passwords on the list contained names, slang and dictionary words, or word combinations. The Tech Herald enumerates the most common passwords: “123456”, followed by “12345”, “123456789”, “Password”, “iloveyou”, “princess”, “rockyou”, “1234567”, “12345678”, and “abc123” to round out the top 10. Other passwords included common names such as “Jessica”, “Ashley”, or patterns like “Qwerty”.

Although the findings of the survey are deplorable, most sites do nothing to improve password security. At the same time, some websites block special characters and do not allow users to choose them for passwords, making user accounts vulnerable to malicious attacks.

As part of the solution, the Tech Herald sees sites enforcing a hard rule on character length for users. We at ElcomSoft share the opinion that a password must be at least 9 characters long, consisting of upper and lowercase letters, numbers, and – preferably – special characters.

The article also highlights greater risks for the companies as attackers are using more advanced brute force attacks. According to the Tech Herald, “if an attacker would’ve used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9-percent of the user’s passwords, or a rate of one success per 111 attempts”.

Related articles and publications:

A list of passwords used by the Conficker Worm

Daniel V. Klein, “‘Foiling the Cracker’: A Survey of, and Improvements to, Password Security,” 1990.

The 5th China Computer Forensics Conference

Thursday, December 17th, 2009

So, they are back from CCFC (Beijing), where Vladimir, Andrew, and Dmitry made their speeches and listened to those given by other reps. Here is a follow-up of the conference with nice shots kindly taken by a keen “shooter”, Dmitry Sklyarov ;) But first of all, we’d like to thank Sprite Guo for taking care of all preparations and for perfect management throughout the whole conference – our BIG thank you!

Remarkably, when the guys returned there was no need to ask them about their trip: it was clear from their fresh faces that they are full of new ideas, which is the most valuable thing of all.

So, here is a photo-reportage…

Andrew Belenko is making his speech on the opening day

Vladimir, Dmitry, Andrew and Yurii at Tian’anmen

Dmitry Sklyarov is lecturing… as always ;)

Andrew, Vladimir and Sprite, cigarette-break

Guess what?

CCFC photo session :)

Sometimes it is like in a fairy tale

Dmitry, Vladimir and Andrew and the Great Wall of China

Would you like centipede?… :P

Wires again…

ElcomSoft at INTERPOLITEX-2009

Tuesday, November 3rd, 2009

From 27 to 30 October 2009, the XIII International exhibition of security facilities of the State "INTERPOLITEX – 2009" took place in Moscow.

Our team was lucky to participate in this great event organized by the Government of Russia. It was the first time that we had the opportunity to take part in this exhibition, hope not the last one :) I’d like to share my opinion and overall impression of this event.

Actually, from the very beginning things went on smoothly, we were supplied with everything that was ordered (pleasant surprise for this country). Though we didn’t have much space at our stand, we were supposed to organize our booth very nicely, thanks to my colleagues, of course :-) so our booth, compared to all those enormous, two-storeyed stands, managed to attract the attention not only of gapers, but of security specialists and/or our potential clients as well. Here are some pics from the show:

Our booth. Looks nice, doesn't it?!

Alexander Shplatov (Elcom’s senior programmer) with our collection of awards and letters of thanks:

Hard working process =)

The entire view of the exhibition:

All in all, the show was really great, including the demonstration of military high-tech special technical equipment and weapons :)

Thanks to everybody who took interest in our soft and visited us at INTERPOLITEX 2009!

Hope we will reap the benefits of our participation in this show in the near future!

ElcomSoft at it-sa, Nuremberg, Germany

Wednesday, October 14th, 2009

IT-SA-Expo is going very well and our presentation at the Technical Forum (Forum Blau) was a success, thanks to Rene Mathes, who gave the presentation, and to 8com GmbH. The talk was about how to speed up the hash recovery process by parallelizing it with CUDA technology. If you happen to be in Nuremberg, Germany, visit our booth at Hall 6 (Stand 542).

There is also a workshop on hash cracking at the booth of 8com where our software will be featured. It starts today at 11:45.
 


Now: long-awaited ElcomSoft Password Recovery KIT

Tuesday, October 6th, 2009


Our IT friends from Ukraine (KARPOLAN and Dmitry) highly optimized our development processes and helped us finalize the long-awaited Password Recovery KIT. We won’t go deep into technical details; just have a look at the rough visualization.

Load yourself to the full with books and music for free

Monday, September 21st, 2009

Back from summer holidays? Suntanned, full of energy, had a good time? And worried about your bank account balance? Don’t strain your nerves unnecessarily, rather keep your business flourishing. We say that your money will return like a homing pigeon back to you! Keep your windows wide open.

ElcomSoft prepared yet another pleasant and valuable surprise for you – money certificates up to $100 that you can spend in on-line shops (viz. Amazon and iTunes) on anything you want: music, books, video, software – anything!! Lightning never strikes in the same place, so, drop everything and buy now, because you’ll get back your money.

 

ATTN: This offer is not for long! So, stay tuned and keep your ears cocked for our news and other special offers.

Please read the terms and conditions to get your Amazon and iTunes gift certificate.

SysAdminDay

Friday, July 31st, 2009

Guys,

it is SysAdminDay today. We wish you to have thankful colleagues that will respect your time and show gratitude each time you print a test page. Let accountants brew you hot tea. We wish you tolerance each time users forget their passwords (passwords can always be recovered with our tools). Keep your networks safe and sound.

To celebrate SysAdminDay we are eating real salo in the office and singing this sysadmin song :)

The salo. Mmmmmmmmm

Believe me, it’s tasty.