Password Review and Recovery

Confidential intellectual property, networks, and systems depend on passwords chosen by end users. As managers, you must rely on your users not to put company assets at risk. At the same time, business functions increasingly rely on password-protected documents as a means of securing sensitive data, yet there are virtually no controls in place to ensure that the passwords protecting those documents are adequate.

In many cases, little is done to enforce password standards beyond the basic complexity controls built into authentication mechanisms. Your firm can have strong security controls, but all it takes to expose your intellectual property to an intruder is one weak user or administrator password.

To manage the risks associated with both of these scenarios, you need insight into how passwords are being chosen. Our Password Recovery Service was established to help quantify the risk for your organization and help you address these gaps as well as:

  • Provide a secure method of outsourcing password audits providing a baseline of password strength and analysis of complexity;
  • Equip security departments with the information needed to train end users on how to create stronger, more complex passwords;
  • Equip security departments with the information needed to evaluate risks associated with the company's current password policy;
  • Recover plaintext passwords for any number of possible legitimate uses such as auditing password complexity, identifying end users for additional training, supporting internal investigations, obtaining credentials for users who are no longer with the company, etc.; and
  • Recover plaintext passwords for encrypted documents (e.g., PDF) and/or archives (e.g., ZIP) for any number of possible legitimate uses such as restoring access to password protected documents containing critical information, supporting internal investigations and/or eDiscovery requests, etc.

Why Our Password Recovery Service?

Until now, there have been three basic options when it comes to password security:

  • Establish password complexity requirements, perform no audits, and hope for the best;
  • Purchase hardware/software and perform the audit yourself. This approach will likely crack the hashes of short and common passwords, but fail to crack the longer, more complex ones. The typical recovery rate for this approach is around 10-20%; and
  • Use an untrusted third party and/or cloud-based provider who cannot guarantee control of your intellectual property.

Why take those chances?

John Reed Stark Consulting, together with longtime partner KoreLogic Security, conducts its password recovery service in a highly secure manner, staffed by experts who are well known and published in the industry and trusted by the password cracking community for the breadth and depth of their knowledge. KoreLogic Security has been collecting patterns and developing custom rules and wordlists to maximize cracking results for nearly a decade.

Additionally, KoreLogic Security has been funded by the Defense Advanced Research Projects Agency (DARPA) to conduct research and build innovative solutions aimed at reducing and/or eliminating the security risks mentioned above. You can trust that KoreLogic will keep your data safe and deliver a quality product with expected results.

Confidentiality and Security

All of our systems used to distribute and/or crack any password hashes are:

  • Owned, hardened and operated by KoreLogic (cloud-based or third party systems are never used).
  • Deployed in physically secured environments with 24/7/365 surveillance requiring badge access and/or biometric authentication. Also, digitally monitored 24/7/365 by KoreLogic engineers.
  • Protected using encrypted protocols (e.g., SSL, SSH) and encrypted media (e.g., AES-encrypted drives).

Additionally, candidate hashes, documents, and any other client-supplied data are only stored within our proprietary cracking grid for the duration of the work order. These items are explicitly purged once the work order has ended.

What does our Password Recovery Service provide and not provide?

The service provides the following outputs:

  • A delimited text file containing the cracking results;
  • A formal findings report (if one was purchased); and
  • A balance statement (indicating the number of cracking units and support hours expended/remaining).

Below are some examples of what the service cannot provide:

  • Brute forcing incredibly long passphrases with certainty in a short period of time;
  • Guarantee any percentage for password or document recovery;
  • Support for all possible hash types used by operating systems or software applications;
  • Support for all possible password-protected file formats; or
  • Use of unsecured or shared (e.g., cloud-based) computing resources.

This Service will not support any potentially illegal or unethical activities.

About John Reed Stark

John Reed Stark, President of John Reed Consulting LLC. Served for 15 years as an SEC enforcement attorney leading cyber-related projects, investigations and enforcement actions; for 11 years as Founder and Chief of the SEC Office of Internet Enforcement; for 15 years as an Adjunct Professor at Georgetown University Law School teaching a law and technology course; and for 10 years as a Guest Instructor teaching law enforcement and technology training sessions at the FBI Academy. Worked for over five years as Managing Director (three as head of the Washington, D.C. office) of a global digital risk management firm, leading cybersecurity, incident response and digital compliance engagements for corporations and regulated entities. Author of The Cybersecurity Due Diligence Handbook.