I ran into a problem a few weeks ago with my Linux system. After performing a kernel update and rebooting, I couldn’t remember the disk encryption password. I tried for an hour or more, running through all of the passwords I could think of, including new combinations and possible miskeys, but nothing worked. Finally, I shut it off in frustration.
Last night, I figured I’d take another crack at it. After nearly 30 minutes, I finally stumbled across the right password, and it was something that I’d tried before several times both last night and during the previous failure but apparently managed to miskey it a few dozen times. Success!
Until I tried to log in.
Password for my account? Wasn’t happening. Couldn’t remember what it was. Worse, I couldn’t remember the root password, either. OK, I figure. I’ll just reboot into single-user mode and reset the password.
It wasn’t quite that simple.
Continue reading “Recovering root password on Fedora 19”
One of the things that I do as a penetration tester is crack passwords. It’s usually not difficult, but this post isn’t about that anyway. What this post is about concerns the contents of the passwords and what it might suggest about the users.
Continue reading “Passwords and Reverse Information Guessing”
What if I told you that my shortest important passwords are in the neighborhood of 20-25 characters? Would you think to yourself, “You’re insane!” Some of you would, because some have said it out loud to me when they see me typing in my passwords. My secret for many of them is to use a pass phrase. This is easy for me to remember and so complex that it’s almost impossible for a computer, or even a lot of computers, to get through it.
Continue reading “Password Complexity: Easier for you, harder for bad guys with passphrases”
Over the last year, we’ve seen news stories of sites getting hacked and passwords getting stolen and we’ll doubtless see more in the future. These range from the relatively irritating to the level of possible identity theft. In every case, especially when the passwords have been published, we see the usual advice from the experts: use complex passwords, don’t share your passwords, don’t use the same password on multiple sites… It’s basically the same list trotted out all the time, but I see few explanations of why people should do these things. It’s not bad advice at one level, but doing something out of blind obedience has actually made security worse on occasion, and passwords are part of that mess.
Continue reading “Password Complexity: Hows and Whys Explained”