We are working with a security policy that treats two password forms as equivalent in strength:
- an 8 character password with two character sets represented (pick two of upper/lower/number/symbol)
- a 6 character password with three character sets represented (pick three of upper/lower/number/symbol)
The question arises: how equivalent (or not) are they? Well, it's time to do some math.
Total Possible Passwords
One way to measure password strength is the total number of passwords that could be generated under the policy; the more, the better. There are 26 uppercase letters, 26 lowercase letters, 10 digits, and 33 printable ASCII symbols available on the average keyboard, 95 options in total. If we simply asked how many possible 6 character passwords there are, you can multiply 95 for[…]
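The counting the post sets up is a textbook inclusion-exclusion problem: the number of strings of a given length that use at least k of the four classes is the sum, over every qualifying set of classes, of the strings that use exactly that set. The following is an added worked example (not the original post's code) that carries the calculation through for both policies using the 26/26/10/33 class sizes the post gives; the `compare` helper and the name `KEYBOARD` are my own.

```python
from itertools import combinations
from math import log2

# Character classes and their sizes as the post counts them:
# 26 uppercase, 26 lowercase, 10 digits, 33 printable symbols (95 in total).
KEYBOARD = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}


def count_using_exactly(used, length, classes=KEYBOARD):
    """Number of strings of `length` that contain at least one character from
    every class in `used` and none from any other class.

    Inclusion-exclusion: start from all strings over the union of `used`,
    subtract the strings that miss one class, add back those that miss two,
    and so on. The sign alternates with how many classes are left out."""
    used = tuple(used)
    total = 0
    for r in range(len(used) + 1):
        for subset in combinations(used, r):
            alphabet = sum(classes[c] for c in subset)
            total += (-1) ** (len(used) - r) * alphabet ** length
    return total


def keyspace(length, min_classes, classes=KEYBOARD):
    """Number of strings of `length` that draw from at least `min_classes`
    distinct character classes (the policy's 'pick N of four' rule)."""
    names = tuple(classes)
    return sum(
        count_using_exactly(used, length, classes)
        for r in range(min_classes, len(names) + 1)
        for used in combinations(names, r)
    )


def bits(n):
    """Keyspace size expressed as the equivalent bits of a uniform random key."""
    return log2(n)


def compare(policy_a=(8, 2), policy_b=(6, 3)):
    """Keyspace of two (length, min_classes) policies and how they relate."""
    a = keyspace(*policy_a)
    b = keyspace(*policy_b)
    return {"a": a, "b": b, "ratio": a / b, "bits_a": bits(a), "bits_b": bits(b)}


if __name__ == "__main__":
    result = compare()
    print(f"8 chars, 2+ classes: {result['a']:.3e} ({result['bits_a']:.1f} bits)")
    print(f"6 chars, 3+ classes: {result['b']:.3e} ({result['bits_b']:.1f} bits)")
    print(f"ratio: {result['ratio']:.0f}x")
```

The class sizes are a parameter, so the same routine answers the question for any alphabet; with the keyboard sizes above, the 8-character policy's keyspace is several thousand times the 6-character policy's, because two extra positions of 95 choices outweigh the small fraction of 6-character strings the third-class rule excludes.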

In celebration of Facebook’s recent privacy control revamp, I present a very informative tutorial video from the Electronic Frontier Foundation that gives a brief rundown of the changes, the highs, and the lows. This might also be something beneficial to share with friends or relatives on Facebook who may not be in-the-know about the increased focus on privacy control in social networking and social media. Enjoy:

Recently, Imperva released a study (pdf) of the passwords extracted from the December 2009 RockYou security breach, which compromised over 32 million user accounts. The study examined some statistics of the recovered passwords, including the number and variety of characters used to construct them. The results were pretty bad. Here are the highlights:
- 30% of users had passwords of 6 characters or fewer. Short passwords fall quickly to brute force.
- Over 50% of passwords were all lowercase or all digits. This is bad because the keyspace is reduced: even a password longer than 6 characters is weakened if it draws from a small character set.
On the surface, these[…]
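The two statistics the post highlights (share of short passwords, share drawn from a single class) are easy to reproduce against any plaintext list, and adding the effective keyspace per password makes the "reduced keyspace" point concrete. The following is an added example, not Imperva's tooling or the original post's code; the sample list is constructed here and is not from the RockYou dump, and the helper names are my own.

```python
import string
from collections import Counter
from math import log2

# Class sizes as the keyspace post counts them (95 printable ASCII in total).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_classes(pw):
    """Set of character classes present in a password."""
    found = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("symbol")
    return found


def effective_bits(pw):
    """Bits of keyspace an attacker must cover once they guess the password's
    length and the classes it draws from: length * log2(alphabet size).
    A six-digit PIN is under 20 bits; a 6-char all-lowercase word is about 28."""
    alphabet = sum(CLASS_SIZE[c] for c in char_classes(pw))
    return len(pw) * log2(alphabet)


def audit(passwords):
    """Summarise a plaintext password list the way the report does:
    share of short passwords, share using only lowercase or only digits,
    and a histogram of how many classes each password uses."""
    n = len(passwords)
    short = sum(1 for p in passwords if len(p) <= 6)
    single = sum(1 for p in passwords if char_classes(p) in ({"lower"}, {"digit"}))
    histogram = Counter(len(char_classes(p)) for p in passwords)
    return {
        "count": n,
        "short_pct": 100.0 * short / n,
        "single_class_pct": 100.0 * single / n,
        "classes_histogram": dict(sorted(histogram.items())),
    }


# Constructed sample for demonstration (not taken from the RockYou dump).
SAMPLE = [
    "123456", "password", "iloveyou", "Princess1", "abc123",
    "Qwerty!2", "rockyou", "12345", "Tr0ub4dor&3", "sunshine",
]

if __name__ == "__main__":
    summary = audit(SAMPLE)
    print(f"{summary['count']} passwords")
    print(f"{summary['short_pct']:.0f}% are 6 characters or fewer")
    print(f"{summary['single_class_pct']:.0f}% are all lowercase or all digits")
    print("classes used:", summary["classes_histogram"])
    for pw in SAMPLE:
        print(f"{pw:12s} {effective_bits(pw):5.1f} bits")
```

The effective-bits figure is an upper bound on what a brute-forcer has to search, not a measure of guessability: dictionary words and keyboard walks fall far sooner than their keyspace suggests, which is exactly why the RockYou list was useful to attackers.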

A couple of years ago, Facebook.com revealed just how much information is shared on social networking sites when it introduced news feeds on the home page and user profile pages. These feeds made users nervous, perhaps because they had assumed their personal information was safe as long as it was not broadcast to everyone on their friend lists. In reality, it was only a new way of distributing information that had always been available to those friends. Since then, Facebook has added a wide array of privacy options, yet we still find stories of people being fired because of something they said online. How do you prevent this from happening to you? I guess one option could be to start removing Facebook[…]

This from BetaNews (link opens in new window): Giving a nod to developers who've apparently given a lot of feedback, as well as "certain commercials," Microsoft's platform chief Steven Sinofsky acknowledged that perhaps User Account Control in Windows Vista may have been…a little annoying. In turn, Windows 7 has additional UAC settings. Fortunately for my own sanity, I haven't had to jump through any hoops with UAC to get my code working, but that's mostly because I deal with server-side code now. While the developer perspective is interesting, it's really the user perspective that's important to me, as someone who is concerned with the overall state of desktop security. Developers are not only in the minority, we also don't have[…]