Password services
Alaskan password auditing - with a global reach
Password cracking is a rapidly changing field. The only way to validate your password policies is with a direct audit. I can help.
Benefits for you
- Know the real-world risk. I use the same tools and computational power available to many threat actors. As a member of Team Hashcat (as TychoTithonus) and other collaborations, I work with some of the best password crackers in the world. This experience can give you a true picture of how your hashes would hold up against a focused, real-world attack.
- Keep your passwords confidential. I strictly manage your hashes during the audit, and purge them afterwards. If you choose an on-premise audit, your hashed passwords never leave your environment. You control all media used. At the end of the engagement, just wipe or destroy all media, using your own approved procedures.
- Stay on the cutting edge. Benefit from my ongoing research - hardware, drivers, password dictionaries, rulesets, masks, and custom scripts.
- Save money. You get dedicated access to a preconfigured, customized, six-GPU high-performance password-cracking Linux system. Avoid spending $4000 or more (and build and maintenance time) for a system that often sits idle - and will be obsolete in a year.
Setting up the engagement
To get ready, we'll clarify:
- Provenance. Be prepared to reasonably attest both to your identity and to how you are authorized to recover the passwords
- Sensitivity. I will also ask questions about how sensitive the hashes and cracks are, to gauge what level of handling is required (including transfer and storage)
- Depth. We will also agree on depth of effort - "best effort" vs moderate custom analysis vs full manual, context aware cracking - and associated expected timeframe
- Deliverables. Please specify if only the cracks are needed, or if you want a report of password characteristics / quality / recommendations
- Retention. I store all material in a separate encrypted volume, which is purged after 30 days (unless requested otherwise)
- Governance. Please also let me know about any applicable regulatory requirements (HIPAA, PCI, FFIEC, FDIC, NCUA, etc.).
- Context. You can decide whether to supply any additional context that might shape the psychology of your passwords (or none at all)
On-site options
If you're in or near Anchorage, I can provide a unique service - world-class, high-performance password auditing on site, using specialized tools and a custom hardware build - and entirely under your control.
Additional requirements for on-site auditing:
- A physically secure location on premise
- The hashes
- A 120G or larger SATA drive - HDD (recommended) or SSD
- Two 1000W power receptacles (though I only need about 1200W total)
- A target timeframe (for scheduling and reservation of resources)
Next steps
Contact me to schedule an engagement. I enjoy my work and will attack your hashes with enthusiasm. :D
Please do not send unsolicited hashes, especially in plain text. We will arrange logistics in advance.
My profile on Upwork includes some portfolio examples.
General password recommendations
- For passwords that have to be memorized, use a randomly-generated passphrase using five or more words drawn from a dictionary of at least 20 thousand words. Lower word counts accompanied by larger dictionaries can be substituted.
- If a password policy requires mixed case, digits, special characters: apply them in an easily remembered way (I cap the first letter of the passphrase, and then add a digit and a simple special (like an underscore) to the passphrase. This is only safe because the strength comes from the passphrase itself.
- Some implementations (rempe.us/diceware/, ae7.st/g, etc.) run entirely in the browser (so the server has no access to the passphrase).
-
For all other passwords, generate them randomly and store them with a password manager.
Offline, KeePass is supported on multiple platforms and can detect when the underlying database has been synchronized from another location.
Online, 1Password (they support hard tokens!) and
Lastpass are good choices. I do not recommend Dashlane.
-
For
all platforms that support two-factor authentication, enable it.
SMS and email tokens are better than nothing, but can still be phished.
Offline-ready authenticator apps (like Google Authenticator, Authy) are much better, but even these can be phished.
Hard tokens (like the YubiKey family) are best, because they are strongly phishing-resistant. And with
this browser extension, you can be alerted when a site you use is capable of 2FA.
-
Remember: your passwords are only as secure as your password resets.
It is crucial to enable hard 2FA on the email account that's used to reset your passwords.
Use an email provider that supports hard tokens
(Gmail, Yahoo/AOL, Fastmail, Hey, mail.de, Tutanota)
or mandates strong second factors for new logins
(Apple).
If using Google or Gmail, I strongly recommend Google's Advanced Protection Program.
Password projects, research, references, and commentary
Want to talk about password stuff (or something else)? Contact me!
NOTE: Work outside of my day job is governed by certain
restrictions.