Tech Solvency: Password auditing and research


Password services

On-site password auditing in Anchorage, Alaska

Password cracking is a rapidly changing field. The only way to validate your password policies is with a direct audit.

I provide a unique service in Anchorage - high-performance password auditing on site, using specialized tools and a custom hardware build.

Advantages:

Requirements:

Contact me to schedule a session. In your message, briefly outline any applicable external regulatory requirements (HIPAA, PCI, FFIEC, FDIC, NCUA, etc.).

Password recommendations

For passwords that have to be memorized, use a randomly-generated passphrase using five or more words drawn from a dictionary of at least 20 thousand words. Lower word counts accompanied by larger dictionaries can be substituted. If the applicable password policy requires mixed case, letters, and/or special characters, apply them in an easily remembered way. Some implementations (rempe.us/diceware/, ae7.st/g, etc.) are explicitly designed to run entirely in the browser as JavaScript, so the server has no access to the passphrases generated.
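To make the arithmetic behind this recommendation concrete, here is an added Python example (not code from this page or from any of the generators it names) that computes passphrase entropy, works out how many words a given dictionary size needs to match the five-words-from-20,000 baseline, and draws words with the operating system's random source. The word list is a constructed toy; a real list needs 20,000 or more distinct entries.

```python
import math
import secrets

# Entropy in bits of a passphrase of `words` words, each chosen uniformly and
# independently from a dictionary of `dict_size` distinct entries.
def passphrase_entropy_bits(words: int, dict_size: int) -> float:
    return words * math.log2(dict_size)

# Baseline from the recommendation above: five words from 20,000 entries.
BASELINE_BITS = passphrase_entropy_bits(5, 20_000)  # about 71.4 bits

# Smallest word count whose entropy matches or exceeds the target for a given
# dictionary size: the "lower word count with a larger dictionary" trade-off.
def words_needed(dict_size: int, target_bits: float = BASELINE_BITS) -> int:
    if dict_size < 2:
        raise ValueError("dictionary must have at least two entries")
    n = 1
    while passphrase_entropy_bits(n, dict_size) < target_bits:
        n += 1
    return n

# Draw words with the CSPRNG behind `secrets`, never with random.random().
# Duplicate entries are removed first so the entropy estimate stays honest.
def generate_passphrase(wordlist, words: int, sep: str = "-") -> str:
    unique = sorted(set(wordlist))
    return sep.join(secrets.choice(unique) for _ in range(words))

# Constructed toy word list for demonstration only (8 entries, ~3 bits/word).
SAMPLE_WORDS = ["anchor", "glacier", "salmon", "tundra",
                "aurora", "moose", "kayak", "spruce"]

if __name__ == "__main__":
    print(f"baseline: {BASELINE_BITS:.1f} bits")
    for size in (7_776, 20_000, 100_000, 1_000_000):
        print(f"{size:>9} words in dictionary -> {words_needed(size)} words")
    # Capitalising a word or appending a digit to satisfy a policy is a fixed
    # transform the user remembers; it does not change the entropy computed here.
    print(generate_passphrase(SAMPLE_WORDS, 5))
```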

For all other passwords, generate them randomly and store them with a password manager. KeePass is supported on multiple platforms and can detect when the underlying database has been synchronized from another location.

For all platforms that support two-factor authentication, enable it. SMS and email tokens are better than nothing. Offline-ready authenticator apps (like Google Authenticator, Authy) are much better. Hard tokens (like YubiKey FIDO U2F) are best.

Remember: your passwords are only as secure as your password reset mechanisms. Enabling 2FA on the email account used to reset your other passwords is especially important.

Password research

Forthcoming.