Password Security Research

The aims of the password security research team are:

1. Documentation of existing, and development of new, authentication systems, including both theoretical and practical aspects. While most of the current authentication systems are sufficiently documented, the main goal would be to prepare unified documentation, focusing on the advantages and disadvantages of each system.

2. Password complexity guidelines/best practices and automatic password generation algorithms. This could be used not only as a basis for a password complexity policy, but also for the implementation of different password enumeration methods (see below), which could take advantage of the limitations/constraints of the most common password policies.

3. Documentation and development of different password enumeration methods (e.g. dictionary, incremental, regex, substitutions, etc.).

4. Documentation of existing password encryption/hashing algorithms, including vendor-specific ones. That is, a good explanation of LM, NTLM, etc. and, if possible, work on other proprietary algorithms, such as the Oracle hash and the new Domino hash.

5. Development of password cracking/auditing tools. This would include the development of a strong/generic engine, using the different enumeration methods, as well as the development of specific algorithms that the engine could use.

6. Documentation of existing and new password auditing tools, classified by implemented algorithms, enumeration methods, license/availability. This would just be a review for quick reference, though we could make it as complete as possible.

7. Tutorials, how-tos, etc. on password auditing using the documented methods and tools.

We are considering committed people who would love to learn in this field. If you are interested in joining our team, send a mail to password oissg org with [Join Password Research Team] in the subject line, along with your skill set.