You did what with SHA1 again? Presented at ShellCon 2017

by David "videoman" Bryan

Summary: When developing applications for consumers, password controls sometimes get forgotten about or altered based on business requirements. In this talk I will show off real-world examples of misuse & abuse and improper data handling of sensitive passwords that happened inside an application. When doing penetration testing, we must remember that a breach in one system can lead to a breach in another system because of the implicit trust relationships we build to get the job done.
A toe in the door is all an attacker needs for a complete compromise.
I will talk about our attack, what controls were missed, and how we used Graphics Processing Unit (GPU) video cards to recover hundreds of thousands of passwords in a 24-hour period.