Your Premier Password Auditing Solution!


About Us

PasswordTotal is a security company created by security professionals and researchers. We focus on solving weaknesses in corporate password strategies through routine auditing and real-time validation controls that minimize an organization's weaknesses in how employees and customers choose passwords.

PasswordTotal Audit is our first product, offered as a simple, turnkey, secure auditing infrastructure. Our solution lets organizations avoid costly investment in large GPU password cracking rigs and time-consuming development and research, while providing a complete password auditing solution that accurately shows the risk an organization has in relation to the real-world threats that affect all organizations today.

PasswordTotal Gatekeeper is the evolution of our security offerings. It validates users' passwords in real time during the actual password change process, to mitigate the risky human behavior of choosing a weak password at that point. This validation can be done either within your organization's Active Directory environment, or integrated into just about any web or eCommerce platform on the market today.

PasswordTotal Audit

The PasswordTotal Audit solution is an easy way for any organization to evaluate its existing password hashes in the most secure manner, without having to deploy any complicated software, expensive GPU hardware infrastructure, or intrusive hacking tools.

Our turnkey process will amaze the most seasoned auditor, and make your most seasoned penetration tester sit in frustration as we unlock your understanding of the risks that hide inside your infrastructure behind complex cryptography and tight security controls.

We do all of this through an intensive testing process which is outlined in NIST 800-118 which states:

Attackers attempt to determine weak passwords and to recover passwords from password hashes through two types of techniques: guessing and cracking.

Guessing involves repeatedly attempting to authenticate using default passwords, dictionary words, and other possible passwords.

Cracking is the process of an attacker recovering cryptographic password hashes and using various analysis methods to attempt to identify a character string that will produce one of these hashes, thereby being the equivalent of the password to the targeted system.

There are several forms of guessing. In a brute force attack, the attacker attempts to guess the password using all possible combinations of characters from a given character set and for passwords up to a given length. This method is likely to take an extensive amount of time if there are many combinations to be tested.

In a dictionary attack, the attacker attempts to guess the password using a list of possible passwords. The list may contain numbers, letters, and symbols, but is not an exhaustive list of all possible passwords or combinations that could create a password.

In a hybrid attack, the attacker uses a dictionary that contains possible passwords and then uses variations through brute force methods of the original passwords in the dictionary to create new potential passwords.

Best of all, PasswordTotal Audit does all of these tests in a simple process to give you the most complete understanding of your password risk for your organization.


PasswordTotal's Audit Process


Common Password Audit

With the increased number of breaches, many passwords and their hashes are now published and known to our adversaries. PasswordTotal helps by identifying which users within your organization are using these commonly known passwords. We do this by having our security researchers maintain an updated list of the published passwords, and trying them against your corporate hashes. Should one of your users use one of these weak or known passwords, you will have the ability to inform those users, and force a change, to better protect your organization.

Easily Guessed Passwords (Hybrid Audit)

Beyond just testing for already exploited passwords, PasswordTotal implements intelligent hybrid testing mechanisms that evaluate your password hashes against multiple variants of common passwords. This shows whether your users are choosing passwords that are only slightly modified from the commonly exploited ones and may still put your organization at risk.

Brute Force Audit

As organizations grow, they inadvertently create system accounts or other accounts that just don't meet the minimum security requirements. To make sure organizations don't use very short passwords for any of their accounts, PasswordTotal runs a brute force attack against your company hashes, looking for all short passwords so they can be identified and changed to better protect your organization.

Simplified Process

If you have ever looked into the science of password cracking, you will find that although there is a lot of material available to read, it is not always straightforward to implement the process to actually test the strength of your organization. PasswordTotal has dedicated security researchers who have decades of experience in cracking passwords, and who have made the process simple, repeatable, and optimized to give you and your organization the best turnkey solution for the problem.

PasswordTotal Gatekeeper

PasswordTotal Gatekeeper is the evolution of our security offerings. It validates users' passwords in real time during the actual password change process, to mitigate the risky human behavior of choosing a weak password at that point.

The PasswordTotal Gatekeeper product is offered in three general forms: a Windows password filter for your Active Directory domain, a Linux PAM plug-in, or a programmatic API interface to be integrated into your existing application.

PasswordTotal Gatekeeper Active Directory is an application that is installed in your corporate environment to validate users' passwords during the normal user password change. This process utilizes the standard Microsoft password filter API to perform an additional check at the Domain Controller, and does not require any changes to the end users' systems.

PasswordTotal Gatekeeper PAM is a plug-in for Linux that uses the Pluggable Authentication Module (PAM) framework to perform the check during any password change that goes through standard PAM.

PasswordTotal Gatekeeper API is for any custom application that does not fit into the first two categories where you still wish to implement the solution utilizing any custom code, in any modern programming language.

The Gatekeeper product works as follows: during any password change, a hashed version of the user's cleartext password is generated and sent securely to the gateway's API servers for validation.

Depending on the result and the configuration of the API request, the user is either allowed to use the requested new password, or the requested password is found to be one of the weak passwords that would have been flagged during a normal audit and the user is denied.

PasswordTotal Gatekeeper also allows your company to specify a custom list of passwords that you choose to deny outside the normal audit set maintained by PasswordTotal.

This allows for companies to include things like custom company names, or common passwords used by the helpdesk when provisioning systems, or even a password used by the training department, or an employee that has left the organization.
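The change-time check described above, as an added example (not PasswordTotal's code or API): a candidate is rejected if it is a known password, a hybrid variant of a known or custom deny-list word, or shorter than the policy minimum. The word lists, the function names, `MIN_LENGTH` and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample lists, not PasswordTotal's audit set.
COMMON = ["password", "123456", "qwerty", "letmein"]
CUSTOM = ["acmecorp", "welcome"]  # hypothetical company-specific deny words
MIN_LENGTH = 8                    # assumed policy minimum

# Character substitutions users commonly apply to a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def digest(text):
    """SHA-256 hex digest; the hash choice is an assumption of this example."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# The deny set is held as digests, so lookups never need the cleartext list.
DENY_DIGESTS = {digest(word) for word in COMMON + CUSTOM}


def base_form(password):
    """Undo typical hybrid mutations: case, digit/symbol padding, leetspeak."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    return core.translate(LEET)


def check_password(candidate):
    """Return (allowed, reason) for a requested new password."""
    if digest(candidate.lower()) in DENY_DIGESTS:
        return False, "known password"
    if digest(base_form(candidate)) in DENY_DIGESTS:
        return False, "variant of known password"
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd1!", "AcmeCorp2024", "Xk9!q",
               "maple-Tundra-orbit-42"]:
        print(pw, check_password(pw))
```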

Services

PasswordTotal simplifies your password auditing process

Simplified Process

PasswordTotal uses industry accepted methods for testing password hashes and providing clear results

International Support

We support many different languages to serve the many international companies that have folks from around the world.

Encryption

All data shared with PasswordTotal is encrypted using industry accepted encryption algorithms.

Password Research

We do the work for you. There are thousands of sites on the Internet that provide lists of compromised passwords; instead of you having to collect, sort, organize, and optimize these lists for testing, we do this process for you.

Data Minimization

PasswordTotal does its best to keep the absolute minimum amount of information necessary to provide the answers you need to protect your organization.

Clear Reports

As part of the service, we will provide you with an executive summary of the results of the audit, along with all the details necessary to determine which users have weak passwords.

Executive Team

Dr. Jeffery A Martin, PHD
Chief Executive Officer

Joseph M Siegmann, CISSP
Chief Information Officer joseph@passwordtotal.com


Contact Us

 

1621 Central Ave, Cheyenne, WY 82001

sales@passwordtotal.com