The Past, Present, And Future Of Something You Know presented at ShmooCon 2011

by Rick Redman, Martin Bos, Robert Imhoff, David Schuetz (Intrepidus Group)

Tags: Security Panel


Summary: Passwords are great authentication credentials. They're portable, they're well structured, and they're nearly universally available in all modern software. However, passwords are often the one part of a system that leads to a complete breakdown of security. The loss of the hashed credential store for a website can lead to the compromise of thousands of accounts, both on the local site and on any other site where the user reused the same username and password. Advances in password cracking technology have made even relatively complex passwords easy to defeat.

This panel will try to get to the bottom of the password problem. Passwords are still necessary, but how effective are they really? Through the demonstration of new tools, hard data about password complexity in modern enterprises, and new techniques for hashing and protecting passwords, this panel of experts may just change your opinion on passwords. Or they may scare you into two-factor auth...

Rick Redman: During his 12 years as a security practitioner, Rick has delivered numerous application and network penetration tests for a wide range of Fortune 500 and government clients. He serves as KoreLogic's subject matter expert in advanced password cracking systems and coordinated the "Crack Me if You Can" Contest at DEFCON 2010. Additionally, Rick presents at a variety of security forums such as the Techno-Security Conference, ISSA Chapters, BSides, and AHA (Austin Hackers Anonymous). Rick's john.pot file is 10 million lines long, with 1.15 million unique NTLM passes from Fortune 500 internal active directories, and over 750,000 UNIX DES passwords (not including Gawker).

Martin Bos: Martin (purehate) Bos works as a penetration tester for a well-known security company. He resides in Louisville, KY with his wife and child. Martin is also one of the core developers for Backtrack-Linux and has been with the project since its early days. Martin is also a Co-Founder of which is a website dedicated to answering technical questions daily and also has the largest online WPA cracking service on the web. In addition to these things, Martin is also one of the main founders of Derbycon, which is a new technology convention held in Louisville, KY.

Robert Imhoff: Robert has been working in Information Security for over 12 years. In his travels he was one of the first to publicly demonstrate the downfalls of credit card security in merchant environments. Next, after 2 1/2 years of research, he demonstrated "whitelist"-based IDPS technology embedded within web-based code to protect against and detect XSS and injection attacks in real time. Later, he developed and implemented highly customized DNS logging integrated with real-time IDPS technology for protection against 0-day malware threats. He is currently working on a SV Hacker Space and various WiFi security shenanigans.