Your Password Complexity Requirements are Worthless

Presented at AppSec USA 2014, Sept. 18, 2014, 2 p.m. (45 minutes).

If you think password hashes are safe in a database, you are wrong. If you think users choose good passwords, you are wrong. If you think you KNOW what makes up a good password, you are wrong. If you think that password complexity allows forces users to create stronger passwords, you are wrong. If you think password strength meters force users to create strong passwords, you are wrong. If you think I don't already know your password, you are wrong. Let an actual password cracker prove this to you. Using real world examples from large enterprises. If you don't know how the password crackers are cracking 95% of site's passwords, how can you protect your users against that? Finally, let me show you how to prevent your users from creating horrible passwords with a new Open Source tool. 1) Presentation Overview: - Show the "old" way of password cracking. Older methods using markov. wordlists and rules - Show the "new" way of password cracking. Based on "pattern" or "topologies" - Ask "why is this important to be as a developer?" - Show current password strength meters - Discussing the types of passwords it causes users to create - Prove that these passwords are NOT safer than the passwords they would create with out the password strength meter - Prove this with REAL world examples (at least four). - Compare password strength meters to password "complexity" requirements. - Show how we SHOULD be implementing password strength meters. - Demo new Open Source tool to prevent the types of problems introduced with password complexity requirements and/or password strength meters.

Presenters:

  • Rick Redman / Minga - Senior Security Consultant - KoreLogic   as Rick Redman
    Rick, aka Minga, has over 16 years of experience as a penetration tester, and runs KoreLogic's Password Recovery Service. He also runs the annual "Crack Me If You Can" contest at DEF CON. He has provided numerous contributions to the password-cracking community, and has previously presented at DEF CON, DerbyCon, ShmooCon, PasswordsCon, Bsides, OWASP, ISSA, and ISSW.

Links:

Similar Presentations: