['password'] is in these articles:
- The NTLM Authorization Proxy Server. The Wikipedia article on NTLM. An article called NTLM Authentication Scheme for HTTP. This posting, External Authentication (NTLM) in Python, contains some calls to the win32security module (such as LogonUser) which might do the trick, though LogonUser needs the password to arrive in plain text so the call can be made; NTLM's own challenge-response exchange never sends the password, so this only helps when the client submits it some other way (e.g. Basic authentication, which should then be over TLS).
Changing a NT password
just don't work well.
of keyboards can be recorded and used to crack passwords
- OpenID is a decentralized identity system; it is discussed here on Slashdot. In Feb '07 Bill Gates announced that Microsoft would support it too. More discussion on OpenID: Yahoo, IBM, Microsoft, VeriSign and Google have all joined its board and there are now 250M OpenIDs in use. Here is a brief description of the process of getting an OpenID. MySpace has joined the OpenID coalition, adding a few more users. OpenID gets mentioned here in reference to attempts to move away from passwords to other means of authentication. Ned Batchelder found OpenID hard to get started with and dug up these discussions, OpenID is Why I Hate The Internet and The problem(s) with OpenID, that talk about the difficulty of using OpenID and the apparent flaws in it. Microsoft has added support for OpenID to Windows Live, discussed here on Slashdot. OpenID for non-SuperUsers talks about setting up OpenID to use delegation. Not to be left out, Google is also supporting OpenID, but they have decided to fork development to address some of their concerns. More on Google's OpenID project here. Some sites are dropping support for OpenID.
- TOR, The Onion Router, is a project that seeks to prevent web traffic analysis. There is a FAQ on it here. The authors warn that a possible exploit of TOR (since the final connection from the exit node to the site you are trying to reach is not encrypted by TOR itself) would be for the owner of an exit node to sniff all the outbound traffic looking for passwords etc.; someone did exactly this and collected embassy-related passwords. Only end-to-end encryption (HTTPS, SSH) between you and the destination protects against a hostile exit node. There is more concern about abuse of TOR exit sites.
alternatives to embedding passwords into source code.
A Slashdot discussion of Ophcrack, a Windows password cracking tool; there's plenty of additional material in the comments. KB299656 applies to this issue of the weak hash algorithm used in LAN Manager: the LM hash uppercases the password and hashes it in two independent 7-character halves, and Windows keeps it alongside the NT hash unless LM hash storage is disabled as the article describes.
- py-bcrypt is a python wrapper for OpenBSD's Blowfish password hashing code. bcryptWrap is another wrapper for bcrypt. 
the street, June 2004
the encryption from the key files for Apache SSL certificates so the server will start without prompting for a password (the private key is then stored unencrypted, so restrict the file's permissions to the user that starts the server).
Kingston has a secure flash drive that will automatically
erase your data after 25 failed password attempts.
- Yaps, an encrypted data storage folder by MSB Software Engineering for your Palm device. To view the contents you must enter a password, and if you switch applications or turn off your Palm it automatically locks up. When it syncs to your PC its backup database is encrypted; a second tool (Yaps Viewer) is available that lets you view the database on the PC. I highly recommend Yaps.
- A discussion of using Google as an MD5 cracker tool (discussed here on Slashdot): enter an MD5 hash and find a word that it is the hash of, because an unsalted hash of a common word is a constant that has already been posted somewhere. There is some interesting discussion of salting and other approaches to hash reversal, including sites that specialize in just this problem.
- TrueCrypt 5.0 has been released, this version includes full drive encryption that will prompt the user for the password at system boot. Discussed here on Slashdot. 
- Bruce Schneier writes about choosing secure passwords and taking your laptop through US customs. Discussed here on Slashdot. 
- The ThinkPad USB Portable Secure hard drive is a USB drive with a built in keypad for entry of a password to unlock it. This is supposed to have 128-bit AES full disk encryption. 
- The Linksys WRT54GL is a Linux-based wireless router (the wireless section can be disabled if you just want a wired router) that is well supported by a number of open source projects:
Tomato (the manual is here). This installs very easily over the original Linksys firmware: just download and unpack one file, then go into the administration section of the interface and upload the new firmware.
A Botnet Worm has been identified that targets modems and MIPS-processor routers based on Linux (such as the OpenWRT, DD-WRT or Tomato firmware). Discussed here on Slashdot. It looks like power cycling the device will clean it, but then you should also change passwords and disable any administrative access from the WAN (which is how it gets infected - though presumably if you have WiFi enabled it could get infected from that network too). 
- fhsp - Fairly Secure Hashed Password - is an implementation of the PBKDF1 specification from RFC 2898. 
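The following is an added example, not fhsp's code or anything from the page: PBKDF1 written to RFC 2898 section 5.1, used for salted, iterated password storage, placed next to the unsalted-MD5 lookup that the Google-as-cracker item above exploits. The three-word lookup table and the passwords are constructed for the demonstration; the `store_password`/`verify_password` names are this example's own.

```python
"""Added example (not fhsp's code or the page's): PBKDF1 per RFC 2898 5.1,
with salt and iteration count, versus reversing an unsalted MD5 by lookup."""
import hashlib
import hmac
import os


def pbkdf1(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha1") -> bytes:
    """RFC 2898 5.1: T_1 = H(P || S); T_i = H(T_{i-1}); DK = first dkLen octets of T_c."""
    if len(salt) != 8:
        raise ValueError("RFC 2898 PBKDF1 salt is an eight-octet string")
    if iterations < 1:
        raise ValueError("iteration count must be a positive integer")
    if dklen > hashlib.new(hash_name).digest_size:
        raise ValueError("derived key too long")        # step 1 of the RFC
    t = hashlib.new(hash_name, password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.new(hash_name, t).digest()
    return t[:dklen]


# Constructed three-word "table": an unsalted hash of a common word is a
# constant, so whoever has indexed it before reverses it with no computation.
COMMON_WORDS = ["password", "letmein", "qwerty"]
MD5_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_WORDS}


def reverse_unsalted_md5(hexdigest: str):
    """Return the word for a known unsalted MD5 digest, or None."""
    return MD5_TABLE.get(hexdigest.lower())


def new_salt() -> bytes:
    return os.urandom(8)


def store_password(password: str, salt: bytes, iterations: int = 1000) -> tuple:
    """What goes in the database: (salt, iteration count, derived key)."""
    return (salt, iterations, pbkdf1(password.encode(), salt, iterations, 20))


def verify_password(password: str, stored: tuple) -> bool:
    salt, iterations, dk = stored
    candidate = pbkdf1(password.encode(), salt, iterations, 20)
    return hmac.compare_digest(candidate, dk)   # constant-time comparison


if __name__ == "__main__":
    print(reverse_unsalted_md5(hashlib.md5(b"password").hexdigest()))
    rec = store_password("password", new_salt())
    print(verify_password("password", rec), verify_password("passw0rd", rec))
```

Two records for the same password but different salts derive different keys, so one precomputed table no longer covers every user, and the iteration count multiplies the work per guess. RFC 2898 itself recommends PBKDF2 (or, on this page, bcrypt via py-bcrypt) for new designs; PBKDF1 is kept here because that is what fhsp implements.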
- Full disk encryption is expected to drop in price (to near zero) and become available on most new drives, but when? With this approach a drive must receive the appropriate password before it will load any data, so you end up entering the password before the computer starts to boot. But what happens if you forget the password? Will you be able to overwrite the old disk with a new data set using a new password, or is the drive rendered inoperative to protect the encrypted data on it? Or, is there an administrative password you can enter to reset the user password? Or do you have to ship it back to the manufacturer to be unlocked? Or is there even a secret back door - say for customs to use? This gets discussed here on Engadget and here on Slashdot.  
- The PyMOTW takes a look at the pwd module which is used for reading user data from the UNIX password database.  
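As an added example (not PyMOTW's code), here is a small audit of the UNIX password database built on the pwd module. It flags what a reviewer checks first: a second UID-0 account, an empty password field (login with no password at all), and a hash left in world-readable /etc/passwd instead of /etc/shadow. The sample file and the `audit`/`parse_passwd_line` names are constructed for this example; the "hash" in it is a placeholder, not a real digest.

```python
"""Added example (not PyMOTW's code): audit the UNIX password database via pwd."""
import pwd
from collections import namedtuple

# Same field names as pwd.struct_passwd, so audit() accepts either kind of entry.
Entry = namedtuple("Entry", "pw_name pw_passwd pw_uid pw_gid pw_gecos pw_dir pw_shell")


def parse_passwd_line(line: str) -> Entry:
    """Parse one /etc/passwd line: seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    name, passwd, uid, gid, gecos, home, shell = fields
    return Entry(name, passwd, int(uid), int(gid), gecos, home, shell)


def is_shadowed_or_locked(field: str) -> bool:
    # 'x' means the hash lives in /etc/shadow; '*' and '!'-prefixed values mean locked.
    return field in ("x", "*") or field.startswith("!")


def audit(entries):
    """Return (account, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for e in entries:
        if e.pw_uid == 0 and e.pw_name != "root":
            findings.append((e.pw_name, "uid0"))            # extra superuser account
        if e.pw_passwd == "":
            findings.append((e.pw_name, "empty-password"))  # no password needed to log in
        elif not is_shadowed_or_locked(e.pw_passwd):
            findings.append((e.pw_name, "hash-in-passwd"))  # world-readable hash
    return findings


def audit_system():
    """Run against the live database; getpwall() goes through NSS, so LDAP/NIS users appear too."""
    return audit(pwd.getpwall())


# Constructed sample, not a real system's file; the $1$ value is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/bash
legacy:$1$saltsalt$xxxxxxxxxxxxxxxxxxxxxx:1002:1002::/home/legacy:/bin/sh
""".splitlines()


if __name__ == "__main__":
    for account, finding in audit(parse_passwd_line(l) for l in SAMPLE_PASSWD):
        print(f"{account}: {finding}")
    print(f"live system: {len(audit_system())} finding(s)")
```

The live check reads only /etc/passwd (and whatever NSS adds), which any user can do; checking the hashes themselves needs root and the spwd module or /etc/shadow.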
- The Amazon EC2 cloud computing service has been used to crack PGP passwords through brute force key searching. This article describes the general process and some details of how to set up the EC2 machine images. A follow-up article examines the cost to crack passwords of different sizes (and complexities) using this technique. Based on an opponent spending a few thousand dollars, a password of 8 characters or less is not safe unless it uses more than just upper and lower case letters and numbers. The good thing is that a password using only lower case letters and numbers would cost $75M to crack this way if it was 12 characters long (and this rises massively with just one more character), so passwords still don't have to be massively long. This gets further discussion here on Slashdot.
- cryptacular is a hashed password management module for use in web servers.
- Slashdot discusses tools for helping you remember your passwords. 
- A number of "secure flash drives" that claim NIST certification to the FIPS 140-2 standard have been found to be easily cracked. It turns out that while they may actually use AES 256-bit encryption inside, the way the password authentication is done can be trivially bypassed, so any of these drives can be unlocked without the correct password. (FIPS 140-2 validation covers the cryptographic module; it says nothing about whether the unlock logic around it is sound.) Schneier discusses it here. NIST is investigating this issue. The known vulnerable drives are:
- Kingston DataTraveler BlackBox
- SanDisk Cruzer Enterprise FIPS Edition
- Verbatim Corporate Secure FIPS Edition
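The following is an added example written for this note, not code from the page or any of the vendors above. It models the design mistake in simplified form: a drive whose password comparison runs in the host-side software, with the device itself accepting one constant unlock command, next to a drive whose key is derived from the password on the device. The page does not describe the real drives' protocol, so the constant-command design here is an assumption used only to show why a host-side check protects nothing; the class names, the `UNLOCK_COMMAND` value and the passwords are constructed.

```python
"""Added example (not the page's or a vendor's code): host-checked unlock versus
password-derived key, in a simplified model of a "secure" USB drive."""
import hashlib
import hmac
import os


class HostCheckedDrive:
    """Flawed design: the host compares the password, then sends one constant command."""
    UNLOCK_COMMAND = b"\x00\x01UNLOCK"   # assumed constant, identical on every unit

    def __init__(self, password: str):
        self._expected = password          # known only to the host-side tool
        self.unlocked = False

    def unlock_via_host_software(self, typed: str) -> bool:
        if typed == self._expected:        # the only check, and it runs on the host
            self.receive(self.UNLOCK_COMMAND)
        return self.unlocked

    def receive(self, command: bytes) -> bool:
        """Device side: anything able to talk to the drive can send this."""
        if command == self.UNLOCK_COMMAND:
            self.unlocked = True
        return self.unlocked


class KeyedDrive:
    """Corrected design: the key is derived from the password inside the device."""

    def __init__(self, password: str, salt: bytes = None):
        self.salt = salt if salt is not None else os.urandom(16)
        key = self._derive(password)
        # Persist only a verifier of the key (a real device would store the
        # data key wrapped under this key); the password is never stored.
        self.verifier = hmac.new(key, b"verify", hashlib.sha256).digest()
        self.unlocked = False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def receive(self, password: str):
        """Return the key on success (it would unwrap the AES data key), else None."""
        key = self._derive(password)
        check = hmac.new(key, b"verify", hashlib.sha256).digest()
        if hmac.compare_digest(check, self.verifier):
            self.unlocked = True
            return key
        return None


if __name__ == "__main__":
    flawed = HostCheckedDrive("correct horse")
    print("bypass without password:", flawed.receive(HostCheckedDrive.UNLOCK_COMMAND))
    fixed = KeyedDrive("correct horse")
    print("wrong password:", fixed.receive("wrong") is not None)
    print("right password:", fixed.receive("correct horse") is not None)
```

In the flawed model the password never reaches the device, so replaying the constant command from any host unlocks every unit; in the corrected model there is no message that unlocks the drive other than one derived from the password, and a wrong password yields a key that fails the verifier.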
- The joy of securing your passwords if you let programs remember them for you. This contains a number of suggestions for password storage programs and for configuring common applications like Firefox. 
- The Chuck Norris botnet is attacking weakly secured routers, DSL modems and even satellite TV receivers. Given that devices like DSL modems and cable modems are often only configured by the ISP, there's a good chance for poor practices on the ISP's part (like using one user name and password on all of the modems it controls) to lead to massive hacks. Even though this attack is only against the router or modem, there is a nasty issue here: a compromised router can be set to divert DNS look-ups to a bad DNS server which serves up the wrong IPs for some common internet services (like Facebook or some of the advertising suppliers), diverting the user's browser to sites that try to install malware.
- Tabnapping is a new (for 2010) approach to scamming the web browser user into revealing IDs and passwords. Be on the lookout for tabs whose content is replaced by authentic-looking login pages when they are re-exposed; the address bar, not the page's appearance, is the only reliable tell. Perhaps this will be combined with exploits that grab your browsing history so that the attacker can present you with a login page you are likely to have used.
- The world is full of unsecured security cameras, perhaps your neighbor is watching you? And perhaps Google's facilitation of this constitutes another embarrassing privacy breach in the same vein as drive-by packet sniffing (http://yro.slashdot.org/story/10/06/18/1720244/Google-Street-View-Wi-Fi-Data-Includes-Passwords-Email-Content?art_pos=20)?
- CUDA graphics engines have been used to accelerate the calculation of MD5 hashes to speed up password cracking attempts. Based on the timings published here a password length of 10 characters is getting to be pretty weak: a single machine would take 50 years to search the space, but a project that combined these machines in a distributed fashion could crack 10-character passwords in days or less. This is only possible because a raw MD5 is so cheap to compute; a slow, salted scheme (bcrypt, PBKDF) is what makes each guess expensive.
- Another hack has been found that allows for an attack from the local network side of a wireless router, so if the router has a weak admin password it is at risk even though no administration is allowed from the regular WAN. This gets further discussion here on Slashdot, with most taking the position that so long as you are using a good password there is no significant threat here. 
- Sometimes security is just about the bleeding obvious: screen smudges on your cell phone display could give away your unlock pattern or code, just as wear patterns on your alarm system's touch pad could make cracking your PIN easier.
['password'] is in these pages: