How to Guess an Admin’s Password Without Them Knowing You Are Trying

March 1st, 2007 by mb

This should be pretty obvious, but a lot of people don’t seem to be aware of this old trick. Normally, if you try to guess another user’s password and the attempt fails, the failed logon is recorded in the Security log on the domain controller, where anyone watching the Event Viewer can see it. There is, however, a way to try guesses against an account without the attempts ever being logged there.

It’s actually pretty simple: just unplug your network cable. With no domain controller reachable, Windows checks the password against the credentials it has cached locally for that user, so a wrong guess never reaches the domain controller’s log.

Posted in Hardening, Passwords, Security Policy, Windows Security | No Comments »

Why my password’s better than Y0ur P@$$word

February 15th, 2007 by mb

http://www.nurs.co.uk/news/specials/cms/1171535504212694732419_1.htm

Posted in Passwords | No Comments »

New Passwords Feed

February 9th, 2007 by mb

I was playing around with the cool new Yahoo! Pipes site and built myself a feed on password topics. I’m sure I will be tweaking it some as I learn how to use pipes, but I thought I’d pass my pipe around to others who are interested in passwords. You can view my password topics pipe here:

http://pipes.yahoo.com/pipes/iLQCZHG42xG0wG8iXqIxGw

You can also subscribe to the feed using RSS, JSON, e-mail or phone.

Posted in Passwords | No Comments »

Pafwert: Smarter Passwords

January 30th, 2007 by mb

I am now making available a freeware desktop version of Pafwert, a strong password generator. Although it looks simple on the surface, Pafwert is a complex software application I built based on years of research on passwords and password security.

[Pafwert screenshot]


Posted in Application Security, Passwords, Privacy, Tools, Windows Security | 1 Comment »

Dilbert’s Password Recover Service for Morons

January 17th, 2007 by mb

See it here.

Posted in Passwords | No Comments »

Long passwords are strong passwords

January 15th, 2007 by mb

I noticed that Schneier wrote a bit on choosing passwords and goes into some detail on how to make a password harder to guess, based on the techniques password crackers actually use.

His specific advice is:

“…if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.”

While I certainly do agree with the validity of this advice, if you are an administrator I wouldn’t recommend telling users to “drop their appendages in the middle of their roots.” Here’s some more practical advice: tell them to choose long passwords.

Posted in Passwords | 1 Comment »

Passwords: First Letters

January 15th, 2007 by mb

I recently did an analysis of my password list to see which letters users most commonly use as the first character of a password. To put it into perspective, I ran the same statistics on a wordlist of 250,000 English words. The results were not quite what I expected:

[Graph: first-letter frequency in passwords vs. English words]

It is interesting that while some first characters track general English word usage closely, there are some significant differences between the two graphs.
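As an added example (not the author’s code or data), the following Python performs the comparison described in this post: it computes the share of entries beginning with each letter for a password list and for a wordlist, reports how many passwords start with something other than a letter, and ranks the letters whose first-position share differs most between the two. Both lists embedded below are small constructed samples, not the author’s password list or the 250,000-word list.

```python
# Added example, not from the original post. Compares which letters most often
# begin a password against which letters most often begin an English word.
# PASSWORDS and WORDS are constructed samples, not the author's data.
from collections import Counter
from string import ascii_lowercase


def first_letter_distribution(entries):
    """Share of entries beginning with each letter a-z, case-folded.
    Entries starting with a digit, symbol or non-ASCII letter are left out
    of the letter shares (see non_letter_share for them)."""
    counts = Counter(e[0].lower() for e in entries
                     if e and e[0].lower() in ascii_lowercase)
    total = sum(counts.values())
    return {letter: (counts[letter] / total if total else 0.0)
            for letter in ascii_lowercase}


def non_letter_share(entries):
    """Fraction of entries whose first character is not an ASCII letter."""
    if not entries:
        return 0.0
    return sum(1 for e in entries
               if not (e and e[0].lower() in ascii_lowercase)) / len(entries)


def largest_differences(passwords, wordlist, top=5):
    """Letters whose first-position share differs most between the two lists,
    as (letter, password_share, wordlist_share), largest gap first."""
    p = first_letter_distribution(passwords)
    w = first_letter_distribution(wordlist)
    ranked = sorted(ascii_lowercase, key=lambda l: abs(p[l] - w[l]), reverse=True)
    return [(l, round(p[l], 3), round(w[l], 3)) for l in ranked[:top]]


# Constructed samples (not real data).
PASSWORDS = ["password", "princess", "pokemon", "sunshine", "superman",
             "monkey", "dragon", "letmein", "123456", "qwerty"]
WORDS = ["apple", "about", "bread", "cat", "dog", "egg", "fish", "green",
         "house", "ice"]

if __name__ == "__main__":
    print(f"passwords starting with a non-letter: {non_letter_share(PASSWORDS):.0%}")
    for letter, pw, en in largest_differences(PASSWORDS, WORDS):
        print(f"{letter}: passwords {pw:.1%}  words {en:.1%}")
```

Feed it a real password list and a real wordlist (one entry per line) in place of the constructed samples; the letter shares are computed only over entries that begin with an ASCII letter, so the non-letter share is reported separately rather than silently skewing the graph.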

Posted in Passwords | No Comments »

Password Trivia: Uppercase Letters

December 28th, 2006 by mb

In my last post I mentioned that few passwords contain uppercase letters. I also did some further study to see exactly how people use uppercase letters in passwords.


Posted in Passwords | No Comments »

Password Trivia: Character Sets

December 28th, 2006 by mb

I thought I would start sharing some of the statistics I have gathered over the last five years researching passwords. One area I found interesting was the use of character sets. I have long said that password length is the single most important factor in password security, but character diversity certainly does play an important role.

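As an added example (not code from the original posts), the following Python puts numbers on the point made in “Long passwords are strong passwords” and in this post: it computes the brute-force keyspace of a password from its length and the character classes it uses, finds how long a lowercase-only password must be to match a shorter one drawn from all 95 printable ASCII characters, and tallies which character-class combinations each password in a list uses, the kind of statistic this post refers to. The sample password list is constructed for the example.

```python
# Added example, not from the original posts. (1) Brute-force keyspace as a
# function of length and character diversity; (2) a tally of which character
# classes a list of passwords uses. SAMPLE is a constructed list, not real data.
import math
import string
from collections import Counter

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGIT = set(string.digits)
SYMBOL = set(string.punctuation) | {" "}   # 33 printable non-alphanumeric ASCII characters

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}   # sums to 95


def char_classes(password):
    """Return the set of character classes present in `password`."""
    classes = set()
    for ch in password:
        if ch in LOWER:
            classes.add("lower")
        elif ch in UPPER:
            classes.add("upper")
        elif ch in DIGIT:
            classes.add("digit")
        elif ch in SYMBOL:
            classes.add("symbol")
        else:
            raise ValueError(f"not printable ASCII: {ch!r}")
    return classes


def charset_size(password):
    """Alphabet size an attacker must cover, given only the classes used."""
    return sum(CLASS_SIZES[c] for c in char_classes(password))


def keyspace_bits(length, alphabet):
    """log2 of the number of candidates of `length` characters over `alphabet` symbols."""
    return length * math.log2(alphabet)


def brute_force_bits(password):
    """Keyspace bits of the smallest class-based alphabet containing `password`."""
    return keyspace_bits(len(password), charset_size(password)) if password else 0.0


def length_to_match(bits, alphabet):
    """Shortest length over `alphabet` symbols whose keyspace reaches 2**bits."""
    return math.ceil(bits / math.log2(alphabet))


def charset_profile(passwords):
    """How many passwords use each combination of character classes."""
    return Counter("+".join(sorted(char_classes(p))) for p in passwords)


# Constructed sample, not data from the post.
SAMPLE = ["password", "letmein", "qwerty123", "Password1", "Passw0rd!",
          "Y0ur P@$$word", "ilovemydogrover"]

if __name__ == "__main__":
    full = keyspace_bits(8, 95)   # 8 characters drawn from all printable ASCII
    print(f"8 chars over 95 symbols: {full:.1f} bits")
    print(f"lowercase-only length with the same keyspace: {length_to_match(full, 26)}")
    for pw in SAMPLE:
        classes = "+".join(sorted(char_classes(pw)))
        print(f"{pw!r:20} classes={classes:26} bits={brute_force_bits(pw):.1f}")
    print(charset_profile(SAMPLE))
```

The per-password figure assumes the attacker knows only which character classes were used and brute-forces that alphabet; real cracking tries wordlists and mangling rules first, which is why a long password built from dictionary roots and appendages (the patterns Schneier’s quoted advice warns about) is weaker than its keyspace suggests. Even so, each extra lowercase character adds about 4.7 bits, while widening an 8-character password from lowercase to all 95 printable characters adds under 1.9 bits per character, which is the arithmetic behind preferring length.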

Posted in Passwords | 1 Comment »

Perfect Passwords Book!

March 16th, 2006 by mb

I finally finished my Perfect Passwords book. In this book I attack much of the conventional wisdom about password policies and present new techniques for building strong passwords. For example, I think that passwords as a technology aren’t obsolete yet, I don’t think that changing a password every 2 months makes it more secure, and you can compensate for almost any other policy by increasing the length of your password. More about the book here.

Posted in Passwords, Security Policy | No Comments »