Your Password Complexity Requirements are Worthless presented at AppSecUSA 2014

by Rick Redman

Summary: If you think password hashes are safe in a database, you are wrong.
If you think users choose good passwords, you are wrong.
If you think you KNOW what makes up a good password, you are wrong.
If you think that password complexity requirements force users to create stronger passwords, you are wrong.
If you think password strength meters force users to create strong passwords, you are wrong.
If you think I don't already know your password, you are wrong.
Let an actual password cracker prove this to you, using real-world examples from large enterprises. If you don't know how password crackers are cracking 95% of a site's passwords, how can you protect your users against that?
Finally, let me show you how to prevent your users from creating horrible passwords with a new Open Source tool.
1) Presentation Overview:
- Show the "old" way of password cracking: older methods using Markov chains, wordlists and rules
- Show the "new" way of password cracking, based on "patterns" or "topologies"
- Ask "why is this important to me as a developer?"
- Show current password strength meters
- Discuss the types of passwords they cause users to create
- Prove that these passwords are NOT safer than the passwords users would create without the password strength meter
- Prove this with REAL-world examples (at least four)
- Compare password strength meters to password "complexity" requirements
- Show how we SHOULD be implementing password strength meters
- Demo a new Open Source tool to prevent the types of problems introduced with password complexity requirements and/or password strength meters
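The "topology" view of cracking referred to above, and why a character-class rule does not defeat it, as an added worked example (this is not the talk's code or the tool it demos; the u/l/d/s notation for upper/lower/digit/symbol, the class sizes and the sample password list are assumptions, and the sample is constructed rather than taken from any real breach):

```python
"""Password topologies vs. complexity rules (added example, not from the talk)."""
from collections import Counter

# Constructed sample: twenty passwords of the kind users invent to satisfy an
# "8+ characters, three of four character classes" rule. Illustrative only,
# not taken from any breach or from the talk's data.
SAMPLE_PASSWORDS = [
    "Password1", "Welcome1", "Summer2014", "Charlie1", "Monday01",
    "Baseball1", "Winter14", "Michael1", "Jessica1", "Letmein1",
    "Password1!", "Welcome1!", "Summer14!", "Qwerty12!", "Thomas01",
    "Football7", "Jordan23", "Angela99", "Chicago1", "Dallas01",
]

# Size of each character class in printable ASCII (26 + 26 + 10 + 33 = 95).
CLASS_SIZE = {"u": 26, "l": 26, "d": 10, "s": 33}


def char_class(ch: str) -> str:
    """Classify one character as u(pper), l(ower), d(igit) or s(ymbol)."""
    if ch.isupper():
        return "u"
    if ch.islower():
        return "l"
    if ch.isdigit():
        return "d"
    return "s"


def topology(password: str) -> str:
    """Reduce a password to its character-class pattern, e.g. 'Welcome1' -> 'ulllllld'."""
    return "".join(char_class(c) for c in password)


def meets_complexity(password: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """A typical enterprise complexity rule: minimum length and N of 4 classes present."""
    return len(password) >= min_len and len(set(topology(password))) >= min_classes


def topology_counts(passwords) -> Counter:
    """Histogram of topologies over a password set."""
    return Counter(topology(p) for p in passwords)


def coverage_of_top(passwords, top_n: int = 3) -> float:
    """Fraction of the set that falls into the top_n most common topologies."""
    counts = topology_counts(passwords)
    covered = sum(n for _, n in counts.most_common(top_n))
    return covered / len(passwords)


def topology_keyspace(topo: str) -> int:
    """Number of candidate strings a cracker must try to exhaust one topology."""
    size = 1
    for c in topo:
        size *= CLASS_SIZE[c]
    return size


def to_hashcat_mask(topo: str) -> str:
    """Express a topology as a hashcat mask (?u ?l ?d ?s are hashcat's built-in charsets)."""
    return "".join("?" + c for c in topo)


def topology_policy_ok(password: str, banned_topologies) -> bool:
    """Topology-aware policy (assumed design, not the talk's tool): reject a
    password whose pattern is on a banned list even if it passes the class rule."""
    return meets_complexity(password) and topology(password) not in banned_topologies


if __name__ == "__main__":
    counts = topology_counts(SAMPLE_PASSWORDS)
    print("all pass the complexity rule:", all(meets_complexity(p) for p in SAMPLE_PASSWORDS))
    for topo, n in counts.most_common(3):
        print(f"{topo:12s} {n:2d} passwords  mask={to_hashcat_mask(topo)}  "
              f"keyspace={topology_keyspace(topo):,}")
    print("share covered by top 3 topologies:", coverage_of_top(SAMPLE_PASSWORDS))
    print(f"full 8-char printable keyspace: {95 ** 8:,}")
    banned = {t for t, _ in counts.most_common(3)}
    print("Welcome1 accepted by topology policy:", topology_policy_ok("Welcome1", banned))
    print("Tr0ub4dor-x1 accepted by topology policy:",
          topology_policy_ok("Tr0ub4dor-x1", banned))
```

Every password in the constructed sample satisfies the three-of-four-classes rule, yet three topologies account for 75% of them, and the most common one (`?u?l?l?l?l?l?l?d`) is a keyspace of about 8.0e10 candidates against roughly 6.6e15 for unconstrained 8-character printable ASCII: a mask attack over a handful of popular topologies is how a cracker recovers most of a "compliant" password set. The last two lines show the alternative the overview points at, a policy that rejects the over-used patterns themselves rather than counting character classes.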

Rick Redman: During his 12 years as a security practitioner, Rick has delivered numerous application and network penetration tests for a wide range of Fortune 500 and government clients. He serves as KoreLogic's subject matter expert in advanced password cracking systems and coordinated the "Crack Me If You Can" contest at DEFCON 2010. Additionally, Rick presents at a variety of security forums such as the Techno-Security Conference, ISSA chapters, BSides, and AHA (Austin Hackers Anonymous). Rick's john.pot file is 10 million lines long, with 1.15 million unique NTLM passwords from Fortune 500 internal Active Directory domains, and over 750,000 UNIX DES passwords (not including Gawker).