Pushing on String: Adventures in the 'Don't Care' Regions of Password Strength

Presented at BSidesLV 2015, Aug. 4, 2015, 2 p.m. (55 minutes)

The gap between the effort needed to withstand online and offline password guessing attacks is enormous, and there's a large gap where increasing cracking resistance leads to no change in outcomes. On many networks there's also a snowball effect, where an attacker with x% of credentials controls much more than x% of network resources; this also gives a large region where increasing cracking resistance accomplishes nothing. This talk examines the administrator's task of defending a population of users from password cracking, what does and doesn't make sense, and where we are wasting our time (spoiler alert: almost everywhere.)

Presenters:

• Cormac Herley - Principal Researcher - Microsoft
  Cormac is a Principal Researcher at Microsoft Research, where he has been since 1999. He has published widely in information theory,and networking and security. He is an inventor of 70+ US patents, and has shipped technologies used by hundreds of millions of users. He holds a PhD from Columbia University, an MSEE from Georgia Tech, and a BE from the National University of Ireland.

Links:

• https://bsideslv2015.sched.com/event/3uiU/pushing-on-string-adventures-in-the-dont-care-regions-of-password-strength
• https://infocon.org/cons/Security BSides/BSides Las Vegas/BSides Las Vegas 2015/PW02-Pushing-on-String-Adventures-in-the-Dont-Care-Regions-of-Password-Strength-Cormac-Herley.mp4

Similar Presentations:

• BSidesLV 2023 / Got Hashes. Need Plains | Hands-on Password Cracking
• HOPE Number Six (2006) / Password Cracking and Time-Memory Tradeoff
• BSidesLV 2017 / Password Cracking 201: Beyond the Basics