Cracking Corporate Passwords - Why Your Password Policy Sucks presented at InfoSec SouthWest 2013

by Rick Redman

Tags: Security

Summary : In the past, Rick has talked about public password leaks of Internet facing applications/websites. This is a treasure trove of knowledge for password crackers about password selection in non-corporate environments.
And then, LinkedIn hashes got leaked (6 months after being hacked no less!). This was one of the first large lists of passwords chosen specifically by users who are "more likely" to choose passwords that would meet password complexity rules. But are they better passwords?
But the information gained from the LinkedIn passwords was nothing new to professional penetration testers. Inside corporate networks, there are complexity rules that users have to meet when choosing passwords, and there is password rotation as well. It is common knowledge that these policies make the passwords "stronger" - but is that a correct statement? (Hint: It's not.)
Join Rick, and let's laugh at what people are doing when they think no one is looking. Guess what? Spring2013 is a crappy password. And you know what? Three months ago, Winter2012 wasn't a great password either.
We need to change our ideas about password policy. It is making our networks LESS secure. And you need to do something about it.
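The talk's point about seasonal passwords, as an added example (not the speaker's or KoreLogic's code): a small Python script that generates the Season+Year guesses a quarterly rotation policy trains users to pick, checks them against a Windows-style complexity rule (minimum length, three of four character classes), and runs them as a dictionary attack against NTLM hashes. NTLM is MD4 over the UTF-16LE encoding of the password; a pure-Python MD4 is included so the block runs where OpenSSL has disabled the legacy md4 provider. The "leaked" hashes are constructed here from a four-account list, not taken from any real dump, and the policy thresholds are assumptions.

```python
"""Season+Year passwords satisfy a typical complexity policy yet fall to a
wordlist of a few hundred guesses. Added example, not code from the talk."""
import struct
from itertools import product

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (little-endian words), enough to compute NTLM offline."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, list(range(16)), (3, 7, 11, 19), 0),
        (g, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (h, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # every round updates a, d, c, b, a, ...
                b, c, d = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def ntlm(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex-encoded as stored in AD dumps."""
    return md4(password.encode("utf-16-le")).hex()


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """Assumed Windows-style complexity rule: min length and 3 of 4 classes."""
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3


def season_candidates(years):
    """The guesses a quarterly rotation policy teaches users to pick."""
    seasons = ["Spring", "Summer", "Fall", "Autumn", "Winter"]
    out = []
    for season, year, suffix in product(seasons, years, ["", "!", "#"]):
        for spelling in (season, season.lower()):
            for y in (str(year), str(year)[-2:]):
                out.append(f"{spelling}{y}{suffix}")
    return out


def crack(hashes, candidates):
    """Dictionary attack: hash every guess once, then look each target up."""
    lookup = {ntlm(c): c for c in candidates}
    return {h: lookup[h] for h in hashes if h in lookup}


# Constructed sample: three policy-compliant seasonal passwords and one
# passphrase that the complexity rule would actually reject.
SAMPLE_PASSWORDS = ["Spring2013", "Winter2012!", "summer12#", "correct-horse-battery-staple"]
SAMPLE_HASHES = [ntlm(p) for p in SAMPLE_PASSWORDS]


def demo():
    return crack(SAMPLE_HASHES, season_candidates(range(2010, 2014)))


if __name__ == "__main__":
    wordlist = season_candidates(range(2010, 2014))
    print(f"{sum(map(meets_policy, wordlist))} of {len(wordlist)} guesses pass the policy")
    for h, p in demo().items():
        print(h, "->", p)
```

Running it recovers the three seasonal passwords from a 240-entry wordlist while the passphrase, which the policy would have refused, stays uncracked. Against a real domain dump the same wordlist would be fed to John or hashcat in NT mode; the script exists only to make the policy-versus-predictability gap concrete.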

Rick Redman: During his 12 years as a security practitioner, Rick has delivered numerous application and network penetration tests for a wide range of Fortune 500 and government clients. He serves as KoreLogic's subject matter expert in advanced password cracking systems and coordinated the "Crack Me if You Can" Contest at DEFCON 2010. Additionally, Rick presents at a variety of security forums such as the Techno-Security Conference, ISSA Chapters, BSides, and AHA (Austin Hackers Anonymous). Rick's john.pot file is 10 million lines long, with 1.15 million unique NTLM passes from Fortune 500 internal active directories, and over 750,000 UNIX DES passwords (not including Gawker).