Your Password Complexity Requirements are Worthless

Rick Redman at AppSec USA 2014

If you think password hashes are safe in a database, you are wrong.
If you think users choose good passwords, you are wrong.
If you think you KNOW what makes up a good password, you are wrong.
If you think that password complexity requirements force users to create stronger passwords, you are wrong.
If you think password strength meters force users to create strong passwords, you are wrong.
If you think I don't already know your password, you are wrong.

Let an actual password cracker prove this to you, using real-world examples from large enterprises. If you don't know how password crackers are cracking 95% of a site's passwords, how can you protect your users against that?

Finally, let me show you how to prevent your users from creating horrible passwords with a new Open Source tool.


1) Presentation Overview:
- Show the "old" way of password cracking: older methods using Markov chains, wordlists and rules
- Show the "new" way of password cracking, based on "patterns" or "topologies"
- Ask "why is this important to me as a developer?"
- Show current password strength meters
- Discuss the types of passwords they cause users to create
- Prove that these passwords are NOT safer than the passwords users would create without the password strength meter
- Prove this with REAL world examples (at least four)
- Compare password strength meters to password "complexity" requirements

- Show how we SHOULD be implementing password strength meters.
- Demo new Open Source tool to prevent the types of problems introduced with password complexity requirements and/or password strength meters.
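The "topology" idea in the overview is easiest to see with a few lines of code. The example below is added here; it is not code from the talk or from the tool it demos. It reduces a password to its character-class pattern (written in the style of hashcat masks: ?u upper, ?l lower, ?d digit, ?s anything else), shows how a constructed set of passwords that all satisfy a naive "8+ characters, 3 of 4 classes" rule collapses onto a couple of topologies with a tiny keyspace, and then uses the same histogram defensively: reject any new password whose topology is among the most common ones. The sample passwords, the complexity rule and the names `check_password`, `topology_blocklist` and `keyspace` are all assumptions of this example, not anything from the page.

```python
from collections import Counter
from typing import Iterable

# Character-class tokens, in the notation hashcat-style masks use.
CLASS_SIZES = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}  # 33 printable ASCII symbols


def char_class(ch: str) -> str:
    if ch.isupper():
        return "?u"
    if ch.islower():
        return "?l"
    if ch.isdigit():
        return "?d"
    return "?s"


def topology(password: str) -> str:
    """Map a password to its character-class pattern, e.g. 'Password1' -> '?u?l?l?l?l?l?l?l?d'."""
    return "".join(char_class(c) for c in password)


def meets_naive_complexity(password: str) -> bool:
    """The classic rule this example assumes a site enforces: 8+ characters, 3 of 4 classes."""
    classes = {char_class(c) for c in password}
    return len(password) >= 8 and len(classes) >= 3


def keyspace(topo: str) -> int:
    """Number of candidate passwords an attacker must try to cover one topology exhaustively."""
    total = 1
    for i in range(0, len(topo), 2):
        total *= CLASS_SIZES[topo[i:i + 2]]
    return total


def topology_histogram(passwords: Iterable[str]) -> Counter:
    return Counter(topology(p) for p in passwords)


def topology_blocklist(passwords: Iterable[str], top_n: int) -> set:
    """Defensive use: the top-N topologies from an audit of existing passwords become a blocklist."""
    return {t for t, _ in topology_histogram(passwords).most_common(top_n)}


def coverage(passwords: Iterable[str], blocked: set) -> float:
    """Fraction of passwords an attacker would cover by trying only the blocked topologies."""
    pw = list(passwords)
    return sum(topology(p) in blocked for p in pw) / len(pw)


def check_password(password: str, blocked: set) -> tuple:
    """Policy check: complexity rule first, then reject passwords that fall into a common topology."""
    if not meets_naive_complexity(password):
        return (False, "fails complexity rule")
    topo = topology(password)
    if topo in blocked:
        return (False, f"topology {topo} is too common")
    return (True, "ok")


# Constructed sample (not a real leak): every entry satisfies the naive complexity rule,
# yet the set collapses onto three topologies.
SAMPLE_PASSWORDS = [
    "Password1", "Baseball1", "Football1", "Princess1",      # ?u?l?l?l?l?l?l?l?d
    "Password1!", "Baseball1!", "Football1!",                # ?u?l?l?l?l?l?l?l?d?s
    "Welcome12",                                             # ?u?l?l?l?l?l?l?d?d
]

# A blocklist built from the two most common topologies in the sample.
BLOCKED_TOPOLOGIES = topology_blocklist(SAMPLE_PASSWORDS, top_n=2)

if __name__ == "__main__":
    for topo, count in topology_histogram(SAMPLE_PASSWORDS).most_common():
        print(f"{topo:24} x{count}  keyspace={keyspace(topo):,}")
    print("full 9-char keyspace:", f"{95 ** 9:,}")
    print("coverage of top-2 topologies:", coverage(SAMPLE_PASSWORDS, BLOCKED_TOPOLOGIES))
    for candidate in ("Sunshine1", "Monkey123", "iloveyou1"):
        print(candidate, check_password(candidate, BLOCKED_TOPOLOGIES))
```

Run stand-alone, the script prints that the most common topology covers roughly 2 trillion candidates, against about 6.3e17 for an unconstrained 9-character password, and that the top two topologies account for 7 of the 8 sample passwords; "Sunshine1" passes the complexity rule but is rejected for sharing that dominant topology, while "Monkey123" is accepted. In a real deployment the blocklist would come from an audit of the organisation's own password hashes rather than a toy list.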


Speaker

Rick Redman
Senior Security Consultant, KoreLogic
Rick Redman (Minga) has been performing penetration tests for 14 years. He is also a password researcher and a well-known public speaker on password leaks, password cracking, password recovery and auditing. In addition, Rick runs the "Crack Me If You Can" password cracking contest at DEFCON every year.