All posts by Katerina Korolkova, PR Director

Although it is widely known that authentication via ‘secret’ questions is not secure, we now finally have statistical evidence to prove it. Microsoft Research and Carnegie Mellon University have conducted a study that measures how guessable the answers to ‘secret’ questions are. The researchers looked at the questions used by AOL, Google, Microsoft, and Yahoo! to authenticate users who need to reset their forgotten passwords. The ability of users to memorize their own answers was also examined.

This week has witnessed several scams involving social sites. On Tuesday Twitter users posted the answers to their online security questions for everyone to see. On Wednesday the Twitter account of the New York Times was hacked, and on Thursday we witnessed a phishing attack on Facebook.

Last week a colleague of mine, Andrey Belenko, gave a talk at the Troopers conference in Munich. Olga wrote about it in this blog. All the talks at Troopers were awesome. The videos and slide decks will soon be available for download on the Troopers website.

If you have the opportunity, visit Andrey’s talk about green password recovery at Infosec, London. It’s on Wednesday, April 29th, at 15:20, in the Technical Theatre. Also visit our booth K35 at Earls Court for free software trials.


There’s a great post in Hans Anderson’s blog on secure password patterns and how you can create one. There are at least two things I like about this entry. The first is the statement that "No password you can remember is unbreakable": sooner or later it gets broken. The second is that Hans points out you should never disclose your password pattern to anyone. I agree that password patterns are awesome, but they are still vulnerable to social-engineering attacks. By the way, why not share your password pattern ideas in the comments? 😉

Strong passwords are mutated passwords, or so the common advice goes. Everyone who publishes recommendations on creating secure passwords says that you have to use both upper- and lower-case letters and inject some tricky special characters. Such recommendations result in p@$$words, pAsswOrds and p_a_s_s_w_o_r_d_s. The fact is that modern password recovery software uses dictionary attacks to get one’s password back. A dictionary attack means searching lists of dictionary words and common phrases that can be found on the Internet or are delivered with the software. It is easy to grasp that dictionary words and phrases make bad passwords, but one also has to understand that adding special characters to these words and phrases doesn’t do them any good. Such passwords are cracked just as easily when the smart mutations option is on.

We give you a tip on word mutations implemented by modern password cracking tools, so that you can create really strong passwords for your files and accounts.
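As an added example (not code from this post or from any ElcomSoft product), here is a password-policy check that undoes the mutations listed above, so that p@$$words, pAsswOrds and p_a_s_s_w_o_r_d_s are recognized as the dictionary word they are built from; the word list and the substitution table are constructed for the demo.

```python
import re

# Constructed mini-dictionary for the demo; a real check would load a full wordlist.
DICTIONARY = {"password", "secret", "welcome", "letmein", "dragon", "monkey"}

# Common "leet" substitutions that mutation engines apply; the checker inverts them.
LEET_MAP = {
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "i",
    "!": "i", "3": "e", "7": "t", "+": "t", "|": "l",
}


def normalized_forms(candidate: str) -> set:
    """Return the plain words a mutated candidate could have been built from.

    Undoes, in turn: case changes, appended/prepended digits (password2009),
    leet substitutions (p@$$w0rd), separator padding (p_a_s_s_w_o_r_d) and a
    trailing plural 's'. Every intermediate form is kept, so the order in
    which the mutations were applied does not matter.
    """
    lowered = candidate.lower()
    forms = {lowered, re.sub(r"\d+$", "", lowered), re.sub(r"^\d+", "", lowered)}
    forms |= {"".join(LEET_MAP.get(ch, ch) for ch in f) for f in forms}
    forms = {re.sub(r"[^a-z]", "", f) for f in forms}
    forms |= {f[:-1] for f in forms if f.endswith("s")}
    return {f for f in forms if f}


def is_mutated_dictionary_word(candidate: str, dictionary=DICTIONARY) -> bool:
    """True when the candidate is a dictionary word with only cosmetic mutations."""
    return any(form in dictionary for form in normalized_forms(candidate))


def check_policy(candidate: str) -> str:
    """Verdict a password-change form could show the user (assumed policy)."""
    if is_mutated_dictionary_word(candidate):
        return "rejected: dictionary word with trivial mutations"
    if len(candidate) < 12:
        return "rejected: too short"
    return "accepted"


if __name__ == "__main__":
    for pw in ["p@$$words", "pAsswOrds", "p_a_s_s_w_o_r_d_s", "Passw0rd2009",
               "Tq9#vLm2xRfK", "correct horse battery staple"]:
        print(f"{pw!r}: {check_policy(pw)}")
```

Each of the three mutated spellings from the post normalizes back to "password" and is rejected, while a random string or a long multi-word phrase passes.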

Here are the benchmarks for WPA recovery; we ran tests on one of the most powerful modern CPUs and a bunch of GPUs. Even the GTX 280 outperformed the Core 2 Quad Q6600:

This morning ElcomSoft announced a new tool for password recovery. This one is hardware: a supernatural amulet of Siberian shamans. Password Recovery Tambourine comes in 4 editions: Pentagon, Glamourous, Russian and Open Source. This hardware requires a special 15-month training with the authentic Yakutsk shaman guild. However, if you are patient enough to spend a year and a half in Siberia and are not afraid of the permafrost there, then after the training no password will be strong enough for you. You’ll crack it in seconds with your preferred edition of Password Recovery Tambourine.

Cultural note

The idea of creating Password Recovery Tambourine grew out of the popular belief among Russian system administrators that when nothing else helps you have to rest your hopes on dancing with a ‘BU-BEN’ (Russian for ‘tambourine’). They say dancing with a tambourine helps to reanimate one’s server, find bugs, set up an operating system and what not. Applying this belief to password recovery was not easy: at least 200 ritual dances were performed during the development stage. Finally,

ElcomSoft is proud to announce that the ultimate tool to recover lost passwords that cannot be recovered in a traditional way has emerged.

The Encrypting File System (EFS) was first introduced in Windows 2000 and, as Microsoft claims, is an excellent encryption system with no back door.

However, even the most secure encryption cuts both ways. It efficiently prevents hackers and other illegal intruders from breaking into your system and getting access to your well-encrypted data. The other side of the coin is that both a regular user and a seasoned administrator can lose important data due to unforeseen circumstances. This is also the case with EFS.

Check out the success story on how EFS-encrypted data can be recovered with Advanced EFS Data Recovery (the PDF is 81 Kbyte).

Lifehacker has started a series of posts on choosing and using secure passwords. A few days ago they published a list of handy tips from their readers on how to create passwords you can rely on. One of the readers admitted that in the company he works for, IT administrators require a password change every 30 days and

it just results in workers picking the easiest password that meets the requirements – as in a MM/YYYY-style password.

Sounds like it’s time to rethink password policies. What are your ideas?

The German c’t magazine (issue 06/09) has published an article about cracking NTLM hashes with graphics cards. In this article, pen test experts from SySS GmbH bring up the touchy question of how fast an intruder can break into your system. How long should your Windows logon password be so that you can keep having your beauty sleep?

Elcomsoft Distributed Password Recovery was run on a dual-core AMD Athlon X2 4850e at 2.5 GHz with an Nvidia GeForce 9800 GTX installed. The test system is cheap enough to be worth noting: one can get it for only $1K.

Now, what is the outcome?