Cracking Corporate Passwords – Exploiting Password Policy Weaknesses presented at DerbyCon 2013

by Rick Redman, Minga

Summary: “Cracking corporate passwords is no different than cracking public MD5
leaks off of pastebin. Except, it totally is. Corporate passwords are
not in the same formats you are used to, they require capital letters,
numbers and/or special characters.
- How can we use this knowledge to our advantage?
- What sort of tricks are users doing when they think no one is looking?
- What other types of vulnerabilities is password policy introducing?
- What patterns is password rotation policy creating?
You want raw data? I've got raw data!
You want to see some stats? I've got those too.
You want hints/tips/tricks? Yup. That too.
Lastly, Rick will tell about how KoreLogic implements/manages
large-scale cracking jobs on a diverse set of CPUs/GPUs located
nation-wide against corporate password lists.”

Rick Redman: During his 12 years as a security practitioner, Rick has delivered numerous application and network penetration tests for a wide range of Fortune 500 and government clients. He serves as KoreLogic's subject matter expert in advanced password cracking systems and coordinated the "Crack Me if You Can" Contest at DEFCON 2010. Additionally, Rick presents at a variety of security forums such as the Techno-Security Conference, ISSA Chapters, BSides, and AHA (Austin Hackers Anonymous). Rick's john.pot file is 10 million lines long, with 1.15 million unique NTLM passes from Fortune 500 internal active directories, and over 750,000 UNIX DES passwords (not including Gawker).