Back To Schedule
Thursday, September 18 • 2:00pm - 2:45pm
Your Password Complexity Requirements are Worthless

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

If you think password hashes are safe in a database, you are wrong.
If you think users choose good passwords, you are wrong.
If you think you KNOW what makes up a good password, you are wrong.
If you think that password complexity allows forces users to create stronger passwords, you are wrong.
If you think password strength meters force users to create strong passwords, you are wrong.
If you think I don't already know your password, you are wrong.

Let an actual password cracker prove this to you. Using real world examples from large enterprises. If you don't know how the password crackers are cracking 95% of site's passwords, how can you protect your users against that?

Finally, let me show you how to prevent your users from creating horrible passwords with a new Open Source tool.

1) Presentation Overview:
- Show the "old" way of password cracking. Older methods using markov. wordlists and rules
- Show the "new" way of password cracking. Based on "pattern" or "topologies"
- Ask "why is this important to be as a developer?"
- Show current password strength meters
- Discussing the types of passwords it causes users to create
- Prove that these passwords are NOT safer than the passwords they would create with out the password strength meter
- Prove this with REAL world examples (at least four).
- Compare password strength meters to password "complexity" requirements.

- Show how we SHOULD be implementing password strength meters.
- Demo new Open Source tool to prevent the types of problems introduced with password complexity requirements and/or password strength meters.

avatar for Rick Redman

Rick Redman

Senior Security Consultant, KoreLogic
Rick, aka Minga, has over 16 years of experience as a penetration tester, and runs KoreLogic's Password Recovery Service. He also runs the annual "Crack Me If You Can" contest at DEF CON. He has provided numerous contributions to the password-cracking community, and has previously... Read More →

Thursday September 18, 2014 2:00pm - 2:45pm MDT
Colorado Ballroom G-J [Builders] Denver Marriott City Center