Archive for the ‘Tips & Tricks’ Category

NIST drafts new enterprise password management (open to publication, distribution and adaptation!)

Wednesday, May 13th, 2009

Probably you’ve already heard about this vicious circle thousand times:

Requiring that passwords be long and complex makes it less likely that attackers will guess or crack them, but it also makes the passwords harder for users to remember, and thus more likely to be stored insecurely. This increases the likelihood that users will store their passwords insecurely and expose them to attackers.

So, how to work out an appropriate password policy? Need help? Find some tips in NIST (The National Institute of Standards and Technology) study, GUIDE TO ENTERPRISE PASSWORD MANAGEMENT (DRAFT), which “has been prepared for use by Federal agencies”, but also “may be used by nongovernmental organizations on a voluntary basis”.

Here are some nuggets from the paper: 

• Organizations should review their password policies periodically, particularly as major technology changes occur (e.g., new operating system) that may affect password management.

Users should be made aware of threats against their knowledge and behavior, such as phishing attacks, keystroke loggers, and shoulder surfing, and how they should respond when they suspect an attack may be occurring.

• Organizations should consider having different policies for password expiration for different types of systems, operating systems, and applications, to reflect their varying security needs and usability requirements.

Do you have something to add? So, review and revise it freely – the paper is not subject to copyright. ;) 

 

Green password policy? No re-use!

Sunday, May 10th, 2009

Do you still reuse passwords? The recent study from University of California shows again that such a bad habit continues to exist. The worst thing about reusing passwords is that it doesn’t require being a technically skilled hacker to guess your password for this or that document.  

NVIDIA about Intel

Tuesday, April 28th, 2009

Considering Intel Core i7? Read Nvidia Says Core i7 Isn’t Worth It and nVidia calls Core i7 a waste of money first. We’d agree that investing into GPU(s) is really a good idea, especially if you need to crack passwords.

How to grow your graphics card effectiveness

Friday, April 17th, 2009

Water cooling, liquid nitrogen, and dry ice  – which gets the most of your  ATI Radeon HD 4890 graphics card? Learn it  from Zac O’Vadka today’s post

Smart Password Mutations Explained

Wednesday, April 15th, 2009

Strong passwords are mutated passwords. Everyone who publishes recommendations on creating secure password says that you have to use both upper- and lower-case letters and inject some tricky special characters. Such recommendations may result in p@$$words and pAsswOrds, and p_a_s_s_w_o_r_d_s. The fact is that modern password recovery software uses dictionary attack to get one’s password back. Dictionary attack means searching lists of dictionary words and common phrases that can be found on the Internet or delivered with the software. It is easy to grab that dictionary words and word phrases make bad passwords, but one has to understand that adding special characters to these words and phrases does’t do them any good. Such password can be easily cracked when smart mutations option is on. 

We give you a tip on word mutations implemented by modern password cracking tools, so that you can create really strong passwords for your files and accounts.

Surveillance Self-Defense Project fills the gaps in your security policy

Monday, April 13th, 2009

Michael Kassner placed an article about Surveillance Self-Defense in the TechRepublic, where he gives brief outline of the SSD website. Though some can endlessly brood over the grounds for the project foundation, for me one is clear that this site can be very much helpful to put all principal computer security guidelines together and close the gaps in your own security.
(more…)

ATI, NVIDIA and WPA/WPA2 passwords

Friday, April 10th, 2009

In case if you missed it: new ATI Catalyst drivers (9.4) now available (you can read the release notes for details). For some reason, some driver files have been renamed (well, not in 9.4, but in 9.3 released a bit earlier, though that version was really buggy and we cannot recommend to use it anyway), and our WPA password recovery (audit) software was not able to recognize Radeon cards anymore.

Well, to make the long story short: simply download the latest ATI Catalyst drivers and updated Elcomsoft Wireless Security Auditor :). Just note that this (new) version of EWSA will not work with drivers version 9.1 or older.

In the meantime, NVIDIA CUDA 2.2 (beta) released. Does that actually matter? Yes, because NVIDIA Tesla C1060 and S1070 are now officially supported on Windows. Besides, we need to have a look at Zero-copy support for direct access to system memory, because it may speed-up the GPU-enabled password cracking on some particular algorithms.

Remember Password On This Computer? – Never more!!

Wednesday, April 1st, 2009

Fresh life experience…A very good friend of mine told me a story I would like to share with you with her kind permission. Recently she has found a new job in a medium size company. She was perfectly satisfied with her new position and new tasks. She also got a well equipped working place including her principal tool for work – computer, which actually she inherited from an ex-employee who lately moved to another company. The company could have bought her a new computer, but what for, if there was working one absolutely ownerless. Windows XP already installed along with numerous useful applications, even her favorite Safari was there.

Inspired by favorable circumstances she got down to her duties with enthusiasm and…practically in a couple of minutes she easily found out whom exactly that very computer belonged earlier. Guess how?
(more…)

EFS-Encrypted Data Recovery

Tuesday, March 31st, 2009

The Encrypting File System (EFS) was first introduced in Windows 2000 and, as Microsoft claims, is an excellent encryption system with no back door.

However, the most secure encryption can be ambiguous. It would efficiently prevent hackers and other illegal intruders from breaking into your system and getting access to your well-encrypted data. The other side of the coin is that both a regular user and a seasoned administrator can lose important data due to unforeseen circumstances. It is also the case with EFS.

Check out the success story on how EFS-encrypted data can be recovered (the PDF is 81 Kbyte) with Advanced EFS Data Recovery.

Teach Yourself Secure Passwords

Monday, March 30th, 2009

lifehacker has started a series of posts on choosing and using secure passwords. Few days ago they published a list of handy tips from their readers on how to create passwords you can rely on. One of the readers admitted that in a company he works for IT administrators require password change every 30 days and

it just results in workers picking the easiest password that meets the requirements – as in a MM/YYYY-style password.

Sounds like it’s time to rethink password policies. What are your ideas?