Tech Solvency / Passwords

Password services

Alaskan password auditing with a global reach

Password cracking is a rapidly changing field. The only way to validate your password policies is with a direct audit.

If you're in Anchorage, I can provide a unique service: world-class, high-performance password auditing on site, using specialized tools and a custom hardware build.


Requirements for local auditing:

Contact me to schedule a session. In your message, briefly outline any applicable external regulatory requirements (HIPAA, PCI, FFIEC, FDIC, NCUA, etc.). Once engaged, I'll ask about any additional context that might shape the psychology of password selection for your target accounts.

General password recommendations

For passwords that have to be memorized, use a randomly generated passphrase of five or more words drawn from a dictionary of at least 20 thousand words. Lower word counts accompanied by larger dictionaries can be substituted. If the applicable password policy requires mixed case, letters, and/or special characters, apply them in an easily remembered way. Some implementations are explicitly designed to run entirely in the browser as JavaScript, so the server has no access to the passphrases generated.
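The trade-off between word count and dictionary size can be worked through in code. The following is an added example, not code from this page or any tool it links to: function names are hypothetical, the wordlist is a constructed stand-in for a real dictionary, and the entropy figures assume each word is chosen uniformly and independently.

```python
import math
import secrets
from itertools import islice, product

BASELINE_WORDS, BASELINE_DICT = 5, 20_000   # the page's recommendation

def build_demo_wordlist(size=BASELINE_DICT):
    """Constructed stand-in for a real dictionary: unique 3-syllable tokens."""
    syllables = [c + v for c in "bdfghjklmnprstvz" for v in "aeiou"]
    return ["".join(p) for p in islice(product(syllables, repeat=3), size)]

def entropy_bits(word_count, dict_size):
    """Bits of entropy when each word is picked uniformly and independently."""
    return word_count * math.log2(dict_size)

def min_dict_size(word_count, target_bits):
    """Smallest dictionary that lets word_count words reach target_bits."""
    # round() absorbs floating-point noise before taking the ceiling
    return math.ceil(round(2 ** (target_bits / word_count), 6))

def generate_passphrase(wordlist, word_count=BASELINE_WORDS, min_bits=None):
    """Return (words, bits); refuse combinations weaker than the baseline."""
    words = sorted(set(wordlist))  # duplicates would silently lower entropy
    if min_bits is None:
        min_bits = entropy_bits(BASELINE_WORDS, BASELINE_DICT)
    bits = entropy_bits(word_count, len(words))
    if bits < min_bits:
        raise ValueError(
            f"{word_count} words from {len(words)} give {bits:.1f} bits; "
            f"need a dictionary of at least {min_dict_size(word_count, min_bits)}")
    # secrets draws from the OS CSPRNG; random.choice would be predictable
    return [secrets.choice(words) for _ in range(word_count)], bits

def apply_policy(words, separator="-", suffix="1"):
    """Satisfy a composition policy in a fixed, memorable way (adds no entropy)."""
    return separator.join(w.capitalize() for w in words) + suffix

if __name__ == "__main__":
    baseline = entropy_bits(BASELINE_WORDS, BASELINE_DICT)
    print(f"baseline: {baseline:.1f} bits")
    for n in (3, 4, 5, 6):
        print(f"{n} words need a dictionary of >= {min_dict_size(n, baseline):,}")
    words, bits = generate_passphrase(build_demo_wordlist())
    print(apply_policy(words), f"({bits:.1f} bits)")
```

Dropping from five words to four while holding the same strength requires a dictionary of roughly 238 thousand words, which is why the word count is usually the easier knob to turn.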

For all other passwords, generate them randomly and store them with a password manager. KeePass is supported on multiple platforms and can detect when the underlying database has been synchronized from another location.

For all platforms that support two-factor authentication, enable it. SMS and email tokens are better than nothing. Offline-ready authenticator apps (like Google Authenticator, Authy) are much better. Hard tokens (like YubiKey FIDO U2F) are best. And with this browser extension, you can be alerted when a site you use is capable of 2FA.

Remember: your passwords are only as secure as your password reset mechanisms. Enabling 2FA on the email account that's used to reset your passwords is crucial.

Password research


Talk(s) that I've given.

Some of my publications are password-related.

Systems that I use in my password research include 'irongiant' (hashcat benchmark, personal blog post) and a ZTEX 1.15y cluster running John the Ripper.

Should you use the terms "dehashing", "reversing", or "decrypting" when talking about password cracking? No - no, you shouldn't.


Want to talk about password stuff (or something else)? Ping me!

NOTE: Work outside of my day job is governed by certain restrictions.