
January 31st, 2007 by mb
Many people tell me they are surprised at how much effort I put into hardening Windows Server 2003. The last hardening document I wrote for a client was 112 pages long. That's not 112 pages of writing, policy, and how-to's; that's 112 pages of nothing but settings. The process itself involves modifying, removing, or locking down over 5,000 Registry keys and system files.
Posted in Hardening, Security Policy

January 30th, 2007 by mb
I am now making available a freeware desktop version of Pafwert, a strong password generator. Although it looks simple on the surface, Pafwert is a complex software application I built based on years of research on passwords and password security.
Posted in Application Security, Passwords, Privacy, Tools, Windows Security

January 30th, 2007 by mb
Fyodor got annoyed enough with his MySpace/GoDaddy incident that he decided to start his own GoDaddy-bashing web site. Although there certainly is not enough time in the world to create web sites venting our frustrations with every business, the free speech issues here are enough to give his effort some kind of recognition, even if it's only a quick look at the site :)
Posted in Windows Security

January 21st, 2007 by mb
A couple of years ago I thought a pond would be a nice addition to an empty space on the side of my old house. I didn't know anything about constructing ponds at the time, but I thought that actually building one would be a good way to learn. After reading a few web articles on the subject I got out the shovel and started digging. The pond came together very quickly, but it turned out I was somewhat naive and a bit too impatient with pond v1.0.
Posted in Malware, Windows File Protection

January 17th, 2007 by mb
Posted in Passwords

January 15th, 2007 by mb
I noticed that Schneier wrote a bit on choosing passwords and goes into some detail on how to pick a password that resists the techniques password crackers actually use.
His specific advice is:
“…if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.”
While I certainly agree with the validity of this advice, if you are an administrator I wouldn't recommend telling users to "drop their appendages in the middle of their roots." Here's some more practical advice: tell them to choose long passwords.
Posted in Passwords

January 15th, 2007 by mb
I recently did an analysis of my password list to see which letters users most commonly choose as the first character of a password. To put it into perspective, I also ran the same statistics on a wordlist of 250,000 English words. The results were not quite what I expected:

It is interesting that while some first characters track general English word usage closely, there are some significant differences between the two graphs.
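The comparison described above, as an added example that is not the author's code and does not use the author's data: it tabulates the first-character frequency of a password list and of a dictionary wordlist, then ranks characters by how far the two distributions diverge. Both input lists here are small constructed samples standing in for the real files; replace them with the contents of your own password export and wordlist (one entry per line). Digits and symbols appear in the password distribution but almost never at the start of dictionary words, which is exactly the kind of gap the analysis is meant to surface.

```python
from collections import Counter

# Constructed sample inputs (not the author's lists): a tiny password list
# and a tiny English wordlist, one entry per line.
PASSWORDS = """password1
Summer2006
letmein
123456
qwerty
monkey
Password
abc123
baseball
princess
""".splitlines()

WORDS = """apple
banana
cherry
date
elderberry
fig
grape
honeydew
kiwi
lemon
""".splitlines()


def first_char_distribution(entries, fold_case=True):
    """Return {first_char: fraction} over the non-empty entries.

    fold_case=True puts 'P' and 'p' in the same bucket, which is what you
    want when comparing against a lowercase dictionary. Set it to False to
    see how often users capitalise the first character.
    """
    counts = Counter()
    total = 0
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        c = entry[0].lower() if fold_case else entry[0]
        counts[c] += 1
        total += 1
    if total == 0:
        return {}
    return {c: n / total for c, n in counts.items()}


def compare_distributions(passwords_dist, words_dist):
    """Return rows (char, frac_passwords, frac_words, diff), largest |diff| first.

    A character missing from one side counts as 0 there, so digits that start
    passwords but never start dictionary words show up as large differences.
    """
    chars = set(passwords_dist) | set(words_dist)
    rows = []
    for c in chars:
        fp = passwords_dist.get(c, 0.0)
        fw = words_dist.get(c, 0.0)
        rows.append((c, fp, fw, fp - fw))
    rows.sort(key=lambda r: (-abs(r[3]), r[0]))
    return rows


def digit_start_fraction(entries):
    """Fraction of entries whose first character is a digit."""
    dist = first_char_distribution(entries)
    return sum(f for c, f in dist.items() if c.isdigit())


if __name__ == "__main__":
    pw = first_char_distribution(PASSWORDS)
    en = first_char_distribution(WORDS)
    print(f"{'char':>4} {'pass':>6} {'words':>6} {'diff':>7}")
    for c, fp, fw, d in compare_distributions(pw, en):
        print(f"{c:>4} {fp:6.2f} {fw:6.2f} {d:+7.2f}")
    print(f"passwords starting with a digit: {digit_start_fraction(PASSWORDS):.0%}")
```

On a real export, run it against the password list and the wordlist separately and look at the top of the ranked table: characters with a large positive difference are ones users favour far more than English does, and a non-trivial digit-start fraction is a sign that many passwords are purely numeric or date-based.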
Posted in Passwords

January 8th, 2007 by mb
Microsoft has released v1.2 of the Windows Vista Security Guide:
http://go.microsoft.com/?linkid=5639874
Posted in Hardening

January 4th, 2007 by mb
One thing I have always liked about NTFS security is the fine-grained control you have over file permissions. But this power comes at a price—you must understand a whole new world of acronyms, confusing metaphors, and expanded definitions of words such as principal, trustee, and inheritance. To take full advantage of file permissions you need to understand how the whole thing works and delve into the lower levels, where there is no pretty user interface and no cushion between you and the inner workings of Windows. You know you are close to understanding NTFS file permissions when you stop talking about files and folders and instead refer to objects and containers.
Posted in Hardening, NTFS