PATHWELL – PASSWORD TOPOLOGY HISTOGRAM WEAR-LEVELING presented at BsidesAsheville 2014

by Hank Leininger

Summary: The tl;dr of my talk is: make enterprise passwords 5-6 orders of magnitude harder to crack. PathWell is both a new way of looking at password complexity and the name of some tools we developed to audit and enforce passwords that are more difficult to crack.
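The title's "topology histogram" is the core idea: reduce each password to its character-class pattern (its topology), count how many passwords share each pattern, and treat a pattern that is overused as a weakness, because an attacker who guesses the few most common topologies first covers most of the accounts. The following is an added example written for this page, not PathWell's own code; it assumes the hashcat-style mask notation (?u upper, ?l lower, ?d digit, ?s everything else) and uses a constructed sample password set and a constructed 25% per-topology limit.

```python
from collections import Counter

# Hashcat-style mask characters; the class assignment is an assumption of
# this example, not a description of PathWell's internal representation.
def char_class(ch: str) -> str:
    if ch.isupper():
        return "?u"
    if ch.islower():
        return "?l"
    if ch.isdigit():
        return "?d"
    return "?s"


def topology(password: str) -> str:
    """Reduce a password to its character-class pattern, e.g. 'Winter22' -> '?u?l?l?l?l?l?d?d'."""
    return "".join(char_class(c) for c in password)


def topology_histogram(passwords) -> Counter:
    """Count how many passwords fall into each topology."""
    return Counter(topology(p) for p in passwords)


def topologies_needed(passwords, fraction: float) -> int:
    """How many of the most common topologies an attacker must try to cover
    `fraction` of the population. A small number means a skewed histogram."""
    hist = topology_histogram(passwords)
    total = len(passwords)
    covered = 0
    for rank, (_, count) in enumerate(hist.most_common(), start=1):
        covered += count
        if covered / total >= fraction:
            return rank
    return len(hist)


def overused_topologies(passwords, max_share: float) -> dict:
    """Audit: topologies whose share of the population exceeds max_share."""
    hist = topology_histogram(passwords)
    total = len(passwords)
    return {t: n for t, n in hist.items() if n / total > max_share}


def topology_allowed(candidate: str, passwords, max_share: float) -> bool:
    """Enforcement (wear-leveling): reject a new password if accepting it would
    push its topology's share over max_share. Topologies nobody uses are free."""
    hist = topology_histogram(passwords)
    t = topology(candidate)
    new_total = len(passwords) + 1
    return (hist[t] + 1) / new_total <= max_share


# Constructed sample: six users chose the same "Capitalized word + two digits"
# shape, which is exactly the kind of clustering a cracker's mask attack exploits.
SAMPLE_PASSWORDS = [
    "Winter22", "Spring19", "Autumn88", "Monday01", "Friday13", "Summer14",
    "correct-horse", "xK9!mQ2v", "Tr0ub4dor&3", "abc123",
]

if __name__ == "__main__":
    for t, n in topology_histogram(SAMPLE_PASSWORDS).most_common():
        print(f"{n:3d}  {t}")
    print("topologies covering 50%:", topologies_needed(SAMPLE_PASSWORDS, 0.5))
    print("over 25% limit:", overused_topologies(SAMPLE_PASSWORDS, 0.25))
    print("accept 'Sunday07'?", topology_allowed("Sunday07", SAMPLE_PASSWORDS, 0.25))
    print("accept '9-lives-cat'?", topology_allowed("9-lives-cat", SAMPLE_PASSWORDS, 0.25))
```

With this sample a single topology covers half the population, so a mask attack on that one pattern alone recovers 60% of the accounts; the enforcement check turns away another password of that shape while accepting one in an unused topology, which is what flattens the histogram over time.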
First I will give some high-level overviews to give the audience some common ground and context: review traditional password cracking techniques (wordlists, mangling), and traditional enterprise defenses (length, complexity rules, rotation). However, those defense approaches have led users to predictable behavior, to which attackers have adapted. Meanwhile the rise of GPU power and slow adoption of stronger hash types have provided attackers with substantial advantages. I will then go through some case studies of enterprises where KoreLogic has cracked 95+% of all password hashes, and show how these trends are borne out in real-world examples.
Next I will introduce several new defensive techniques that would deprive attackers of these advantages, and then show how we have implemented each of them in the PathWell proof-of-concept. (This will actually be the longest single section of the talk.) KoreLogic runs the Crack Me If You Can password-cracking contest at DEFCON. In 2013's contest, we included some password sets that implemented some of the PathWell enforcement options. I will review that data to show how effective they were. Lastly, I will discuss the next steps for the PathWell project.