As our previous survey went like a breeze (you will find the report in our archives), it is a logical next step that we decide to try one more time. From the very first survey we gained curious info, which was also interesting to publicity. Naturally questions about password protection are numerous and some of them remain dark, possibly a little too much so, that is why we are tempted to undertake one more “investigation”.

This time we expanded on questions and made some of them hypothetical, where you are put into a situation to find a way out. It is interesting to trace your way of thinking on both hypothetical and actual matters, so other questions are suggested to understand your attitude to real everyday situations you have to deal with.

As usually, survey completion will be finalized by a report.

We tried not to inundate our questionnaire with baffling questions, but if you still consider it time-consuming, you are welcome to answer one absurdly simple question on home page of ElcomSoft website.

C’mon you are within an ace of getting 10% discount for all our software; just find a little will-power to put a couple of ticks. Again, thank you for taking time from your busy day and completing our questionnaire.  And feel free to channel this survey to your friends and colleagues.

Best of luck!

However, there is no order that users have to change their Wi-Fi passwords regularly, the only requirement being to set up a password on the initial stage of wireless access installation and configuration.

I’ve conducted a mini-research here in Russia. There are 5 wireless networks in range that my computer finds when at home. Although all of the networks have rather bizarre names, they are all WPA- or WPA2-protected. My guess is that people do not install wireless access at home by themselves or browse the Internet for instructions and find some on protection and passwords. At the same time, I often come across unprotected networks in Moscow and I do use them to check my Twitter account. It is obvious that to make any conclusions, one has to dive into this topic much more deeply.

What I learnt working for ElcomSoft – the company that recovers passwords and does it very well – is the following: sometimes a password is not enough. You need a good password to make sure your data is protected. WPA requires using passwords that are at least 8 characters long. Such length guarantees quite good protection. The problem as usual is the human factor. We still use admin123 and the like to protect our networks.

Fortunately, there are tools that can help you check how strong your WPA/WPA2-password is. One of such tools is Wireless Security Auditor. It makes use of various hardware for password recovery acceleration and a set of customizable dictionary attacks. The idea is simple: if this monster does not find your WPA/WPA2-password, then it is secure 

Nice weekend to all.

Your organization probably has a written password policy. Accordingly you also have different technical implementations of that policy across your various systems. Most of the implementations does not match the exact requirements or guidelines given in the written policy, because they cannot be technically implemented.

Requirements that cannot be implemented can be anything from minimum/maximum length and complexity settings to non-measurable requirements such as "never use the same password at work as you use at home" or "do not use any word from any existing language today as whole or part of your password".

In almost any case, there will be differences between the written policy, and the technical implementation of the policy, in any system. Obviously, this really doesn't aid end users in choosing and maintaining good passwords, as there will be various settings forcing them to have different passwords and different change frequencies from system to system.

Most auditors will conduct random samples to verify if the technical implementation equals the written policy. Unfortunately they will usually accept most deviations based on technical issues, as explained by system maintainers. Some auditors may check random accounts for "password last set" and "last logon" information, in order to get a quick impression of the overall account maintenance status, eventually mixing that with at list of ex-employees to verify if their accounts has been disabled and/or removed.

What they won't do is any type of password cracking to sample the compliance of passwords against the technical or the written password policy. From my point of view the results from the audit performed will be pretty close to worthless. You really will have no idea about the real risk level you are facing.

Consider this: If the written and/or technical implementation of a password policy gets changed, it may take months, years and even decades before all accounts has their passwords changed in accordance to the new policy. This is especially true for environments where software for complete account management are not in use. (This is true for most environments i have ever audited through 13+ years).

This is a major reason for why you should do proactive password audits. Doing password audits on your own systems will effectively help you with verifying password compliance against the written password policy. This is the best way of finding the weak spots, such as accounts where the password equals the username (a very common finding everywhere actually). You are simply blind to the risk of bad passwords as long as you don't audit them properly.

In fact, i would say that any auditor that is not capable of performing such an audit upon request is simply not good enough. Their audit will not provide the necessary input needed for you to make real-life risk assessments and perform the necessary steps to reduce the risk accordingly.

Good luck with your next password audit!

Per Thorsheim is a security professional living and working in Bergen, Norway. He is currently certified CISA and CISM from isaca.org, and CISSP-ISSAP from isc2.org. You can follow him on http://Twitter.com/thorsheim and read his personal blog at http://securitynirvana.blogspot.com. Comments and questions are of course welcome!

A half of the passwords from the list contained names, slang and dictionary words, or word combinations. The Tech Herald enumerates the most common passwords: “123456″, followed by “12345″, “123456789″, “Password”, “iloveyou”, “princess”, “rockyou”, “1234567″, “12345678″, and “abc123″ to round out the top 10. Other passwords included common names such as “Jessica”, “Ashley”, or patterns like “Qwerty”.

Although the findings of the survey are deplorable, most sites do nothing to improve password security. At the same time some websites block special characters and do not allow users to choose them for passwords making user accounts vulnerable to malicious attacks.

As a part of problem solution, the Tech Herald sees sites enforcing users a hard rule of character length. We at ElcomSoft share the opinion that a password must be at least 9 characters long, consisting of upper and lowercase letters, numbers, and – preferably – special characters.

The article also highlights greater risks for the companies as attackers are using more advanced brute force attacks. According to the Tech Herald, “if an attacker would’ve used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9-percent of the user’s passwords, or a rate of one success per 111 attempts”.

Related articles and publications:

A list of passwords used by the Conficker Worm Daniel V. Klein, ”Foiling the Cracker”: A Survey of, and Improvements to, Password Security,” 1990.

Well, that reminded me of a very funny stupid CAPSoff Campaign…

In brief, here is the "problem": for years (I think starting from Windows 3.0 released almost 20 years ago), the passwords are being masked as you type them (in most programs what have any kind of password protection, and an operating system itself), i.e. replaced with asterisks or black circles. What for? To prevent the password from being read by someone who stands behind you.

An implementation is really simple: all you have to do is set the ES_PASSWORD style for the given Edit control.

Does that feature add some security? Yes, I think so. Though it does not protect from keyloggers. Besides, the content of the masked edit control (i.e. the password) can be easily read by other software: e.g. look at Behind asterisks feature available in Proactive System Password Recovery – with it, you can "unmask" all controls in all programs currently running, and even enable disabled (grayed out) buttons and menu items.

However, Nielsen says that password masking causes more errors, and second, even reduces the security. I can see the first point: yes, if you don’t see what you type, it is easier to make a typo. But all well-designed programs (like PGP) have an option to [un]mask the password field, or at least ask you to enter the password twice (I doubt you can make exactly the same typo two times).

The second point is much harder to understand:

"The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security."

True? Yes, definitely. But no connection to password masking. I don’t feel uncertain when entering something into the masked box, really. And most users select short/simple passwords anyway, and/or write them down – regardless the usability issues discussed here

I see another problem, though – related to non-US keyboards. You may have the keyboard layout switched to other (than default) language… Or the CapsLock switched on. However, well-designed systems will bring your attention about layout and CapsLock (e.g.: Windows logon prompt).

And finally… Most (if not all) email clients and instant messengers have an option to "remember" the passwords (and yes, it is convenient – you don’t have to enter it every time when you connect). And if the password is saved, you can see the asterisks only (in program options, or in ‘connection’ window), so you feel secure – someone who get the physical access to your computer will be able to get your mail and connect to your IM account, but cannot get your password. Right? Wrong. Unfortunately, most programs save the plaintext passwords, or use ‘snake-oil’ encryption, and so can be easily extracted by programs like Advanced Mailbox Password Recovery and Advanced IM Password Recovery. The only (good) exceptions are ICQ version 6 and higher, Yahoo! IM version 7.5 and up, and all versions of Skype – they save not the password itself, but its hash (which is really hard – and sometimes impossible – to recover the plaintext from). This (stroring the passwords) IS the real security problem. Password masking is NOT.

If we turn to corporate wireless security, this fence is a must, as it is public data and corporate confidential information that are at risk. Unfortunately, AirTight study shows that 57% of surveyed companies from 6 US districts and London still have to sort out their priorities in terms of data security. In my opinion, if protecting home wireless network can be a dark horse requiring scrupulous examination, nonexistence of corporate wireless security should have relevant decision in court.

The questionnaire is well designed and if you have no time you can simply tick the matching answers which are prepared for your convenience. If you have a special experience to share or lots of thoughts on passwords, please take a while and use empty spaces provided for your own answers.

The survey is set to run for several weeks in order to cover more people, for we understand that summer is the best season for vacations. After the survey is completed and results calculated, we will release a full report with facts and figures. We tried to put sensible questions in the belief that results’ analysis will help us find out which questions should be better and more deeply highlighted in our articles, whitepapers, as well as in our blog.

This is the first our empirical research and we hope you will find it interesting and enjoyable. You definitely have your own opinion on passwords, and as you understand this survey is a perfect way for you to share that opinion. So what do you think? Be frank and open, take the questionnaire, and help us let others know about it.

Sharing of passwords was identified as one of the main reasons of unauthorized access and information leakage. According to CBEC representative, officers who share their passwords with others should “be regarded as being in collusion in the fraud that results”. To prevent insecure use of passwords CBEC plans to introduce a set of measures, including disciplinary action and even dismissal from the Government service.   

Penalty threat may not be the most effective solution. In case of password breach, complex countermeasures are required, and regular password audit is a significant part of it. If it is required that users change their passwords every 30 days, then system administrators have to perform password audits with the same regularity. There is a lot of both free and commercial auditing tools that allow to check password security.

Source: Business Line

I bet it was more than once that you had to fill out a sort of name-company-position-email-telephone-whatever form when registering or subscribing to something. Do you think about preserving privacy of your information when leaving such data on someone’s website? It is a common experience which gradually became an axiom that anything you leave in the Internet sooner or later becomes public. Hopefully you do not try your fortune and do not use your registration data anywhere in your passwords. Besides, when registering please be careful about your “secret questions” and your secret answers, because most of your answers (like mother’s maiden name, favorite football team…) can be guessed in different ways. 

The term phishing must be familiar to you as it became sort of buzz word, but still the meaning is that fake websites (usually copies of some popular existing ones) are being created to gather personal data like names, telephone numbers, e-mail addresses and sensitive information like passwords or credit card numbers. But they are not necessarily site-duplicates; it can be an absolutely new and original website which gathers users’ info under color of download resource or any service opportunity. 

There is no such term as overcautiousness regarding user authentication. A password like GxOxD#P$@$w0rD may be good enough for a PDF file with 128-bit encryption, but bad for an online account for several reasons: first, an online account password can be tried for any other your accounts and/or protected files (what if you used the same one?); second, you can easily forget such a difficult password yourself, while there is no need to make it so complex because there are no programs for online passwords’ recovery (provided they are not captured by the turned-on AutoComplete of your web browser, in this case our AIEPR easily finds it). Thus, a normal password for an online account could be like PisO’Kake!

What’s worth remembering is that in particular Internet systems (fortunately, their number seems to decrease, but still they are) your password is being sent through the Internet totally unprotected, which means it is not a problem to capture it. In such cases passwords’ managers like KeePass (keepass.info) can help – they keep passwords in an encrypted file, which opens only if you know master password and this one (contrary to online passwords) must be highly secure. 

Please be careful with your online passwords and make them different from those that you use for protecting your files. Again, remember everything you leave in the Internet is no longer yours, at least not only yours, this is the sad truth. 

To sum up, I’ve outlined some basic tips for online passwords: 

• They do not have to be as strong as offline passwords 
• They should not coincide with any other your passwords used in the Internet or elsewhere
• They should not be guessable after gathering info about you:
  1. never equal your personal info (name, birthday, car number, postal address…)
  2. never equal any general info about you (your likes/dislikes, haves/have nots…)

According to Finnish security company F-Secure, patching 48.9% of all targeted attacks conducted this year involved a malicious PDF file attached to a legitimate-looking e-mail, a huge change from 2008, when PDFs made up just 28.6% of targeted attacks.

But security model of PDF encryption/protection is not going to change, [un]fortunately. It is still very easy to remove restrictions (from printing, copying etc) from PDF files. Moreover, Advanced PDF Password Recovery can clean PDF files from Form elements, digital signatures and JavaScript code (the last item is the most important, because the scripts inside PDFs may contain malicious code). The open password is harder to break: only if 40-bit encryption is used (obsolete, but still popular due to compatibility reasons), such protection can be removed almost instantly, thanks to Thunder Tables.

Better/improved encryption (128-bit RC4) has been introduced in Acrobat 5 a long time ago; in next version, AES encryption has been added — so only brute-force and dictionary attacks were applicable, and recovery speed was low. However, we have found that Adobe Acrobat 9 Is a Hundred Times Less Secure compared to version 8). Moreover, GPU acceleration is now possible, so achieving even better recovery speed.

Surprisingly, Adobe has responded in their blog: see Acrobat 9 and password encryption. Here is what they said:

The current specification for password-based 256-bit AES encryption in PDF provides greater performance than the previous 128-bit AES implementation.

First, that’s not true (if you don’t trust me, make some bench. Second, the encryption (of the file’s data) is not related to password verification routine. You can use the strongest zillion-bit algorithm, but simple and fast password checking function, and so passwords can be effectively cracked (well, recovered ) in a reasonable time.

Last but not least (also from Adobe’s blog):

256-bit AES encryption is widely known to be stronger than 128-bit AES.

Of course it is. But first, it’s a pure marketing issue: 128 bit is more than enough (well, for next dozen years). Second, the password is still the weakest link.