What’s special about EINPB? Let’s have a quick jog through some of its features. Our new tool instantly reveals cached passwords to Web sites in Microsoft Internet Explorer, mailbox & identity passwords in lots of Microsoft versions. It as well supports the new security model employed by Microsoft Internet Explorer 7 and 8.

Think it can be of any interest for you, please visit our site http://www.elcomsoft.com & learn more about EINPB at http://einpb.elcomsoft.com.

iOS 4 comes packed with a lot of nice features (long-awaited multitasking, background location services, iBooks and much improved Mail app  just to name a few) and we are very pleased to announce today the release of the new version of Elcomsoft iPhone Password Breaker with support for iTunes 9.2 and iOS 4.

Elcomsoft iPhone Password Breaker (or EPPB for short) is a utility to recover passwords for encrypted and password-protected iPhone/iPod/iPad backups created with iTunes (please note that it’s not meant to recover or remove passcode lock on the device).

With iOS 4 Apple has completely changed the way backups are encrypted and stored. Backup and restore processes are way much faster now. Apple have also improved protection against password recovery attacks, thus making our job harder (password recovery is about 5x slower for new backups than for older ones).

We at Elcomsoft try our best to keep up with the times, so most of our tools & programs are adjusted to the latest technologically advanced features. The EPPB is not an exception, new version of EPPB fully supports both old and new backup formats. It also supports hardware acceleration using NVIDIA and ATI GPUs and Tableau TACC1441.

As our previous survey went like a breeze (you will find the report in our archives), it is a logical next step that we decide to try one more time. From the very first survey we gained curious info, which was also interesting to publicity. Naturally questions about password protection are numerous and some of them remain dark, possibly a little too much so, that is why we are tempted to undertake one more “investigation”.

This time we expanded on questions and made some of them hypothetical, where you are put into a situation to find a way out. It is interesting to trace your way of thinking on both hypothetical and actual matters, so other questions are suggested to understand your attitude to real everyday situations you have to deal with.

As usually, survey completion will be finalized by a report.

We tried not to inundate our questionnaire with baffling questions, but if you still consider it time-consuming, you are welcome to answer one absurdly simple question on home page of ElcomSoft website.

C’mon you are within an ace of getting 10% discount for all our software; just find a little will-power to put a couple of ticks. Again, thank you for taking time from your busy day and completing our questionnaire.  And feel free to channel this survey to your friends and colleagues.

Best of luck!

The city gave us a warm and sunny welcome, regarding its weather, so since the arrival we were filled with positive energy & cheerful mood. We were not only exhibiting, but delivering a presentation as well (however it had been cut in time because of the previous speaker). The exhibition/conference took part in the Military Museum of Istanbul, highly-protected military zone, so that to enter the exhibition area one should have all his belongings scanned. But it wasn’t that annoying, we respected local rules & policies (obedient guys).

Now, a few words about the conference itself. We arrived in Istanbul the day before the event in order to have time to see the city a bit and to organize our booth, want to notice that we were one of the first exhibitors to have our stand constructed in time, can’t resist praising ourselves in this respect .

The first day of the exhibition was busy: hundreds of visitors, most of them were really interested and were in the topic of the show, which was actually a surprising fact for us. The rest two days were not that lively, to say the least of it, only the most forensics-obsessed people sacrificed their weekend to visit the exhibition, hope, it came up to their expectations .

On the whole, it was worthwhile experiments for us, next year we think of having another go at it. Want to thank everybody who visited our booth & took interest in our software.

Below there are some photo materials from the show…

Me at the booth…

Guys saying "cheese " at the camera

Have add this pic at multiple requests…

Just a beautiful view of the city

Your organization probably has a written password policy. Accordingly you also have different technical implementations of that policy across your various systems. Most of the implementations does not match the exact requirements or guidelines given in the written policy, because they cannot be technically implemented.

Requirements that cannot be implemented can be anything from minimum/maximum length and complexity settings to non-measurable requirements such as "never use the same password at work as you use at home" or "do not use any word from any existing language today as whole or part of your password".

In almost any case, there will be differences between the written policy, and the technical implementation of the policy, in any system. Obviously, this really doesn't aid end users in choosing and maintaining good passwords, as there will be various settings forcing them to have different passwords and different change frequencies from system to system.

Most auditors will conduct random samples to verify if the technical implementation equals the written policy. Unfortunately they will usually accept most deviations based on technical issues, as explained by system maintainers. Some auditors may check random accounts for "password last set" and "last logon" information, in order to get a quick impression of the overall account maintenance status, eventually mixing that with at list of ex-employees to verify if their accounts has been disabled and/or removed.

What they won't do is any type of password cracking to sample the compliance of passwords against the technical or the written password policy. From my point of view the results from the audit performed will be pretty close to worthless. You really will have no idea about the real risk level you are facing.

Consider this: If the written and/or technical implementation of a password policy gets changed, it may take months, years and even decades before all accounts has their passwords changed in accordance to the new policy. This is especially true for environments where software for complete account management are not in use. (This is true for most environments i have ever audited through 13+ years).

This is a major reason for why you should do proactive password audits. Doing password audits on your own systems will effectively help you with verifying password compliance against the written password policy. This is the best way of finding the weak spots, such as accounts where the password equals the username (a very common finding everywhere actually). You are simply blind to the risk of bad passwords as long as you don't audit them properly.

In fact, i would say that any auditor that is not capable of performing such an audit upon request is simply not good enough. Their audit will not provide the necessary input needed for you to make real-life risk assessments and perform the necessary steps to reduce the risk accordingly.

Good luck with your next password audit!

Per Thorsheim is a security professional living and working in Bergen, Norway. He is currently certified CISA and CISM from isaca.org, and CISSP-ISSAP from isc2.org. You can follow him on http://Twitter.com/thorsheim and read his personal blog at http://securitynirvana.blogspot.com. Comments and questions are of course welcome!

Per Thorsheim is a security professional living and working in Bergen, Norway. He is currently certified CISA and CISM from isaca.org, and CISSP-ISSAP from isc2.org. You can follow him on http://twitter.com/thorsheim and read his personal blog at http://securitynirvana.blogspot.com.

A half of the passwords from the list contained names, slang and dictionary words, or word combinations. The Tech Herald enumerates the most common passwords: “123456″, followed by “12345″, “123456789″, “Password”, “iloveyou”, “princess”, “rockyou”, “1234567″, “12345678″, and “abc123″ to round out the top 10. Other passwords included common names such as “Jessica”, “Ashley”, or patterns like “Qwerty”.

Although the findings of the survey are deplorable, most sites do nothing to improve password security. At the same time some websites block special characters and do not allow users to choose them for passwords making user accounts vulnerable to malicious attacks.

As a part of problem solution, the Tech Herald sees sites enforcing users a hard rule of character length. We at ElcomSoft share the opinion that a password must be at least 9 characters long, consisting of upper and lowercase letters, numbers, and – preferably – special characters.

The article also highlights greater risks for the companies as attackers are using more advanced brute force attacks. According to the Tech Herald, “if an attacker would’ve used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9-percent of the user’s passwords, or a rate of one success per 111 attempts”.

Related articles and publications:

A list of passwords used by the Conficker Worm Daniel V. Klein, ”Foiling the Cracker”: A Survey of, and Improvements to, Password Security,” 1990.

Remarkably, on guys’ returning there was no need to ask them about their trip, it was clearly seen on their fresh faces they are full of new ideas which is the most intrinsic value of all.

So, here is a photo-reportage…

Andrew Belenko is making his speech on the opening day

Vladimir, Dmitry, Andrew and Yurii at Tian’anmen

Dmitry Sklyarov is lecturing… as always

Andrew, Vladimir and Sprite, cigarette-break

Guess what?

CCFC photo session

Sometimes it is like in a fairy tale

Dmitry, Vladimir and Andrew and the Great Wall of China

Would you like centipede?…

Wires again…