Rethinking P@ssw0rd Strength Beyond Brute-force Entropy

Presented at BSidesLV 2017, July 26, 2017, noon (25 minutes).

Everywhere you need a password, the requirements follow a basic pattern: X length; must contain (or not contain?!?) lowercase, uppercase, digits, and symbols; must be rotated every Y days. But is that enough? This talk rethinks how we approach password strength, or "entropy", in the real world. There are many people who create passwords nonrandomly and think they're making their passwords look random, but many common "clever" tricks aren't so, and in fact are very guessable. Rather than calculating entropy as if the passwords were created randomly, we can find new and clever ways of calculating entropy given this knowledge.

Presenters:

  • Ross Dickey - Senior Software Engineer - Rapid7
    I am a SysAdmin turned Software Engineer turned DevOp turned security-minded DevOp. I have been in the industry for 14 years but strong into security for over three. Starting around the time of the Ashley Madison hack I've had a passion for passwords, and their use and misuse by amateurs and pros alike.

Links:

Similar Presentations: