Eldar Marcussen: January 2011 Archives

In fact, it matters so much that the term password is just plain wrong. Passphrase is better, and I did mean to start using that term instead. When it comes to user education things are often hard to quantify, but looking at the recent password breaches the message doesn't seem to register.
The issue is compounded by a users habit of having a single password and using it everywhere. As their password is used and re-used all over work, home and the internet it needs to meet the password criteria of several "password policies". Luckily for us that means that most users have a password of 6-8 characters, usually containing one or more numbers.

I won't go too much into detail about password length, but suffice to say that you should ditch your password and go for a passphrase instead. I would also recommend that you don't make it a simple sentence, but rather something obscure like your grandfathers address combined with the name of your cousins pet rabbit. That should ensure it's not too easy to crack using a dictionary attack.

This months password tool is lensort.pl. It will split a dictionary file into several smaller files based on number of characters in the file;

root@bt:~/Jason# ./lensort.pl /mnt/hgfs/Tools/wordlists/Trek
Sorting 530 passwords by length
Finished 6.txt
Finished 11.txt
Finished 3.txt
Finished 7.txt
Finished 9.txt
Finished 12.txt
Finished 15.txt
Finished 14.txt
Finished 8.txt
Finished 4.txt
Finished 13.txt
Finished 10.txt
Finished 5.txt

You can download the script from https://github.com/wireghoul/Jason

A belated new years post. I have resisted the temptation to make "predictions" about what the year will bring. I have however decided to stick with some simple blogging guidelines that should keep the blog relatively active throughout the year. There will be two regular posts each month, one tutorial style post on whatever subject I feel like, (January will obviously be winter-een-mas related) and one post will relate to passwords. Passwords have always been one of the basic security mechanism applied throughout almost every enterprise. With all the focus on passwords lately (gawker, trapster, vodaphone, mozilla and more) it is clear that users (and organizations?) aren't getting the message. And there will off course be the usual release updates and rant, so stay tuned and I hope 2011 will be a good year for us all.

The next graudit version is already out! There were some serious issues with the 1.8 release that needed fixing.

• Fixed php (php/xss.db) database which had a blank line at the end, causing everything to match. (Thx @jodymelbourne)
• Added test case for blank lines in signature scripts
• Added database validating aux script
• Updated Makefile file manifest
• Fixed bug in test script template (t/blank-test.sh)

Big thanks to the people who contributed with patches, bug reports and feedback. Keep them coming!

You can download the latest version from the graudit download page.