Password policies

  1. Measuring Password Complexity. Ari Elias-Bachrach, Defensium LLC, http://www.defensium.com, Ari@defensium.com, @angelofsecurity. November 2012.
  2. This talk discusses the problems with our current methods of measuring password strength and proposes alternatives.
     • What's wrong with password complexity?
     • A better alternative
     • What this can give us
     (Example password on the slide: P@ssw0rd!)
  3. We usually calculate password complexity based on the total number of possible passwords. Example: a 4-digit PIN such as 1 2 3 4.
     • 4 digits
     • 10 possibilities for each digit (0, 1, 2, 3, 4, 5, 6, 7, 8, 9)
     • 10^4 = 10,000 possible passwords
  4. Same calculation for a 6-character password such as A 1 2 3 4 B.
     • 6 characters
     • 36 possibilities for each character (0-9, A-Z)
     • 36^6 = 2,176,782,336, roughly 2.2 × 10^9 possible passwords (the original slide's figure of 10^27 is an error; 36^6 is about two billion)
  5. From the size of the space (36^6 ≈ 2.2 × 10^9) we then derive attack times:
     • Assume X attempts per minute
     • Time to exhaust the entire space = size of the space / X
     • Mean time to find a single password = half the time to exhaust the space (on average the attacker gets halfway through)
  6. This only works if people are computers. Note: people are not computers. Passwords shown on the slide: Password, Letmein, Voldemort, 5ga9n2kfbb29cmna09h8g2bgun, Password, Password##. The uniform-choice assumption behind the keyspace calculation holds for the random string, not for the others.
  7. Human nature defeats complexity. [Chart: number of occurrences against passwords sorted by commonality; labelled points: password, bdsjgganq, voldemort, password1, bdsjgganq1, voldemort1. A handful of passwords dominate and the rest form a long tail.]
  8. How wrong are our assumptions? For 4-digit PINs, 10 codes are 1/1000th of the 10,000 possible codes, yet the top 10 codes account for roughly 15% of all passcodes in use.
  9. We need a new way of measuring complexity. [Chart: number of occurrences against passwords sorted by commonality. A password's strength is its position in that ordering, the "Nth password": "password" sits at the head of the distribution, "H6#a*b7Ke" far out in the tail.] (Slide 10 repeats this slide.)
  11. What's needed now: analysis of password policies. [Chart: occurrence distributions for Policy 1, Policy 2 and Policy 3 overlaid on the same axes, so the policies can be compared by how much of their mass sits in the head of the distribution.]
  12. What's needed now: analysis of password policies.
     1. Get password dumps
     2. Crack them ALL (if hashed)
     3. Run them through the previous metric (position in the frequency-sorted distribution)
     4. Correlate with the policy that was applied when each password was set
  13. We can actually quantify the risk of a given password policy! What this gives us: the ability to quantify password policies. Which is better: insisting on the use of numbers, or insisting on the use of special characters?
  14. We can actually quantify the risk of a given password policy! What this gives us: the ability to quantify password policies. Which is better: 6 characters that must include 1 number and 1 letter, or 8 characters?
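The following is an added example, not code from the slides or from Defensium. It puts the naive keyspace arithmetic of slides 3 to 5 next to an empirical metric of the kind slides 9 to 14 call for: each cracked password is scored by its position in an attacker's frequency-ordered guess list (the "Nth password"), and a policy is scored by what share of its accounts fall within a given number of guesses. Everything in it is constructed: the prior-leak frequency table that stands in for the attacker's wordlist, the dump with its policy labels, the two policies from slide 14, and the mislabelled row that the step-4 correlation check catches.

```python
"""Added example, not from the slides: the naive keyspace metric of slides
3-5 next to an empirical guess-number metric in the spirit of slides 9-14.
Every password below is constructed sample data, not a real leak."""
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# ---- Naive metric (slides 3-5): how many passwords a policy permits --------

def keyspace(alphabet: int, length: int) -> int:
    """Number of strings of exactly `length` symbols over an alphabet."""
    return alphabet ** length

def keyspace_letters_and_digits(length: int) -> int:
    """Strings over [0-9a-z] containing at least one letter AND one digit:
    inclusion-exclusion removing the all-letter and all-digit strings."""
    return 36 ** length - 26 ** length - 10 ** length

def minutes_to_exhaust(space: int, attempts_per_minute: float) -> float:
    """Time to try the whole space at slide 5's 'X attempts per minute';
    the mean time to hit one uniformly random password is half of this."""
    return space / attempts_per_minute

# ---- Policies under comparison (slide 14); predicates are assumptions ------

POLICIES: Dict[str, Callable[[str], bool]] = {
    "6ch+1letter+1digit": lambda p: len(p) >= 6
        and any(c.isalpha() for c in p) and any(c.isdigit() for c in p),
    "8ch": lambda p: len(p) >= 8,
}

# ---- Constructed data -------------------------------------------------------

# Attacker's guess list: passwords from *earlier* leaks with made-up counts.
# Only the ordering matters; it gives each password its guess number.
PRIOR_LEAKS = Counter({
    "password": 120, "123456": 95, "abc123": 60, "password1": 48, "qwerty1": 30,
    "letmein": 25, "sunshine": 20, "voldemort": 12, "pass12": 9, "letme1n": 7,
    "sunshine1": 6, "voldemort1": 4, "password##": 3, "g2bgun88": 1,
})

# The dump being measured: (policy in force when the account was created,
# cracked plaintext). Slide 12 steps 1-2 (obtain, crack) are assumed done.
DUMP: List[Tuple[str, str]] = (
    [("6ch+1letter+1digit", p) for p in
     ["abc123"] * 3 + ["pass12"] * 2
     + ["qwerty1", "letme1n", "x9q2ww", "r5k8tz", "m3v7qp"]]
    + [("8ch", p) for p in
       ["password"] * 2
       + ["voldemort", "letmeinnow", "bdsjgganq", "5ga9n2kfbb",
          "29cmna09h8", "g2bgun88", "h6#a*b7Ke", "sunshine1"]]
    + [("8ch", "short1")]   # mislabelled row: violates its own policy
)

# ---- Empirical metric (slides 9-12) -----------------------------------------

def guess_list(leaks: Counter) -> Dict[str, int]:
    """Map each known password to its guess number: its 1-based position when
    guesses are made in descending frequency (ties broken by the string)."""
    ordered = sorted(leaks, key=lambda p: (-leaks[p], p))
    return {p: i for i, p in enumerate(ordered, start=1)}

def policy_violations(dump, policies) -> List[Tuple[str, str]]:
    """Step-4 sanity check: a plaintext that breaks the policy it is labelled
    with was not produced under that policy and must not be counted for it."""
    return [(pol, pw) for pol, pw in dump if not policies[pol](pw)]

def evaluate(dump, ranks, budgets=(10, 100)) -> Dict[str, dict]:
    """Per policy: share of accounts found within each guess budget, and the
    share not on the list at all (the attacker must fall back to brute force)."""
    by_policy: Dict[str, List[Optional[int]]] = {}
    for pol, pw in dump:
        by_policy.setdefault(pol, []).append(ranks.get(pw))
    result = {}
    for pol, gn in by_policy.items():
        n = len(gn)
        row = {f"within_{b}": sum(1 for g in gn if g is not None and g <= b) / n
               for b in budgets}
        row["not_on_list"] = sum(1 for g in gn if g is None) / n
        result[pol] = row
    return result

def report(dump=DUMP, leaks=PRIOR_LEAKS, policies=POLICIES):
    """Drop mislabelled rows, then score each policy both ways."""
    bad = set(policy_violations(dump, policies))
    clean = [row for row in dump if row not in bad]
    scores = evaluate(clean, guess_list(leaks))
    # Naive metric for contrast: alphabet [0-9a-z], the policy's minimum length.
    scores["6ch+1letter+1digit"]["naive_keyspace"] = keyspace_letters_and_digits(6)
    scores["8ch"]["naive_keyspace"] = keyspace(36, 8)
    return scores, len(dump) - len(clean)

if __name__ == "__main__":
    scores, dropped = report()
    print(f"dropped {dropped} mislabelled row(s)")
    for pol, row in scores.items():
        print(pol, row)
```

On the constructed data the keyspace metric says the 8-character policy is about 1,500 times stronger (36^8 against 36^6 minus the all-letter and all-digit strings), while the guess-number metric answers the question slide 14 actually asks: under the 6-character composition rule 70% of accounts fall within the attacker's first ten guesses, under the plain 8-character rule 30% do. With a real dump the guess list should come from leaks other than the one being measured, otherwise every password is trivially "on the list".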
  15. In summary, a true measure of password policy complexity will allow us to make informed decisions on password policies:
     • Quantify the strength of a password policy
     • Compare policies
     • State with some confidence how many weak passwords people will generate with any given policy
     HUGE when talking to business people. Questions?
  16. About me: Ari Elias-Bachrach, Defensium LLC, http://www.defensium.com, Ari@defensium.com, @angelofsecurity.