1. Measuring Password Complexity
Ari Elias-Bachrach, Defensium LLC
http://www.defensium.com
Ari@defensium.com
@angelofsecurity
November 2012
2. This talk discusses the problems with our current methods of measuring password strength and proposes alternatives.
- What's wrong with password complexity?
- A better alternative
- What this can give us
(Example password shown on the slide: P@ssw0rd!)
3. We usually calculate password complexity based on the total number of possible passwords.
- 4 digits (example PIN on the slide: 1 2 3 4)
- 10 possibilities for each digit (0, 1, 2, 3, 4, 5, 6, 7, 8, 9)
- 10^4 = 10,000 possible passwords
4. We usually calculate password complexity based on the total number of possible passwords.
- 6 characters (example on the slide: A 1 2 3 4 B)
- 36 possibilities for each character (0-9, A-Z)
- 36^6 = 2,176,782,336 ≈ 2.2 × 10^9 possible passwords
5. We usually calculate password complexity based on the total number of possible passwords: 36^6 ≈ 2.2 × 10^9.
- Assume X attempts per minute
- Calculate the expected time to check all passwords
- Mean time to find a single password (on average, half the space has to be tried)
- Time to exhaust the entire space
6. This only works if people are computers. Note: people are not computers.
Example passwords from the slide: Password, Letmein, Voldemort, 5ga9n2kfbb29cmna09h8g2bgun, Password, Password##
7. Human nature defeats complexity
[Chart: number of occurrences vs. passwords sorted by commonality; labelled bars: password, bdsjgganq, voldemort, password1, bdsjgganq1, voldemort1]
8. How wrong are our assumptions? (4-digit passcodes)
- Any 10 codes = 1/1000th of the total 10,000 possible passcodes
- The top 10 codes ≈ 15% of all passcodes in use
9/10. We need a new way of measuring complexity
[Chart, repeated on two consecutive slides: number of occurrences vs. passwords sorted by commonality; labels: Nth Password, password, H6#a*b7Ke]
11. What's needed now: analysis of password policies
[Chart: number of occurrences vs. passwords sorted by commonality, one curve each for Policy 1, Policy 2, Policy 3]
12. What's needed now: analysis of password policies
1. Get password dumps
2. Crack them ALL (if hashed)
3. Run them through the previous metric
4. Correlate with the applied policy
13. What this gives us: the ability to quantify password policies. We can actually quantify the risk of a given password policy!
Which is better: insisting on the use of numbers, or insisting on the use of special characters?
14. What this gives us: the ability to quantify password policies. We can actually quantify the risk of a given password policy!
Which is better: 6 characters, must use 1 number and 1 letter, or 8 characters?
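The following is an added worked example, not code from the talk or from Defensium; it puts the two metrics the deck contrasts side by side and then runs the four-step procedure from slide 12 over constructed data. The keyspace functions reproduce the arithmetic of slides 3-5 (including the fact that a uniformly random password is found after half the space on average). The empirical functions implement the "passwords sorted by commonality" view of slides 7-10: how many accounts fall to the top N guesses, and how many popularity-ordered guesses it takes to recover a given share of accounts. The policy comparison of slides 11-14 assumes three hypothetical policies and, for each, a hypothetical already-cracked dump from a site that enforced it; all the tallies, the `k4tjzq00`-style unique tail and the function names (`keyspace`, `top_n_coverage`, `guesses_for_share`, `satisfies`, `policy_report`) are assumptions made for this example, not data or identifiers from the deck.

```python
"""Keyspace-based vs. empirical password-strength metrics, plus a per-policy
comparison of the empirical one.  Every dump below is CONSTRUCTED for
illustration; none of it is real leaked data."""
from collections import Counter
from typing import Dict, List, Tuple

# --- Keyspace metric (slides 3-5): assumes passwords are uniformly random ----

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords of exactly `length` symbols."""
    return alphabet_size ** length

def space_fraction(n_guesses: int, alphabet_size: int, length: int) -> float:
    """Share of the keyspace covered by n guesses (10 PINs of 10**4 -> 0.001)."""
    return n_guesses / keyspace(alphabet_size, length)

def brute_force_minutes(alphabet_size: int, length: int,
                        guesses_per_minute: float) -> Tuple[float, float]:
    """(mean minutes to hit one random password, minutes to exhaust the space);
    a uniformly random password is found after half the space on average."""
    exhaust = keyspace(alphabet_size, length) / guesses_per_minute
    return exhaust / 2, exhaust

# --- Empirical metric (slides 7-10): what people actually choose ------------

def popularity_order(passwords: List[str]) -> List[Tuple[str, int]]:
    """Distinct passwords, most common first: the 'sorted by commonality' axis."""
    return Counter(passwords).most_common()

def top_n_coverage(passwords: List[str], n: int) -> float:
    """Fraction of accounts cracked by trying only the n most common passwords."""
    hits = sum(count for _, count in popularity_order(passwords)[:n])
    return hits / len(passwords)

def guesses_for_share(passwords: List[str], share: float) -> int:
    """Smallest number of popularity-ordered guesses covering `share` of accounts."""
    ranked = popularity_order(passwords)
    target, covered = share * len(passwords), 0
    for n, (_, count) in enumerate(ranked, start=1):
        covered += count
        if covered >= target:
            return n
    return len(ranked)  # share > 1.0: even guessing everything is not enough

# --- Policy comparison (slides 11-14) ----------------------------------------

def satisfies(pw: str, min_len: int = 0, letter: bool = False,
              digit: bool = False, special: bool = False) -> bool:
    """Does `pw` meet a policy of the kinds the deck compares?"""
    return (len(pw) >= min_len
            and (not letter or any(c.isalpha() for c in pw))
            and (not digit or any(c.isdigit() for c in pw))
            and (not special or any(not c.isalnum() for c in pw)))

def expand(tally: Dict[str, int], unique_tail: int) -> List[str]:
    """One entry per account from a {password: count} tally, plus `unique_tail`
    passwords (k4tjzq00, k4tjzq01, ...) that no two accounts share.  Constructed
    data; the tail satisfies all three policies below."""
    accounts = [pw for pw, n in tally.items() for _ in range(n)]
    return accounts + [f"k4tjzq{i:02d}" for i in range(unique_tail)]

# Hypothetical policies, each with a constructed cracked dump from a site enforcing it.
POLICIES = {
    "6+ chars": dict(min_len=6),
    "6+ chars, 1 letter and 1 digit": dict(min_len=6, letter=True, digit=True),
    "8+ chars": dict(min_len=8),
}
DUMPS = {
    "6+ chars": expand({"password": 30, "123456": 20, "letmein": 10, "voldemort": 8,
                        "iloveyou": 6, "monkey": 5, "dragon": 4, "qwerty": 3,
                        "sunshine": 2, "h6#a*b7ke": 1}, unique_tail=11),
    "6+ chars, 1 letter and 1 digit": expand({"password1": 35, "abc123": 20,
                        "letmein1": 12, "voldemort1": 8, "qwerty123": 6, "iloveyou2": 5,
                        "monkey12": 4, "dragon1": 3, "sunshine7": 2, "bdsjgganq1": 1},
                        unique_tail=4),
    "8+ chars": expand({"password": 25, "letmein12": 10, "voldemort": 10, "iloveyou": 8,
                        "sunshine": 6, "trustno1": 5, "baseball": 4, "football": 3,
                        "princess": 2, "starwars": 2}, unique_tail=25),
}

def policy_report(dumps: Dict[str, List[str]], policies: Dict[str, dict],
                  n: int = 10, share: float = 0.5) -> Dict[str, Dict[str, float]]:
    """Steps 3-4 of the deck: run the metric over each cracked dump and attach the
    policy that produced it.  A dump violating its own policy is rejected, since
    the policy label must then be wrong and the correlation would be bogus."""
    report = {}
    for name, pws in dumps.items():
        if not all(satisfies(pw, **policies[name]) for pw in pws):
            raise ValueError(f"dump '{name}' contains passwords outside its policy")
        report[name] = {
            "accounts": len(pws),
            f"top_{n}_coverage": round(top_n_coverage(pws, n), 3),
            f"guesses_for_{int(share * 100)}pct": guesses_for_share(pws, share),
        }
    return report
```

Calling `policy_report(DUMPS, POLICIES)` on the constructed dumps gives the kind of table the deck asks for: the keyspace metric says the 8-character policy is roughly a thousand times stronger than the 6-character one (36^8 versus 36^6), while the empirical metric reports, per policy, what share of accounts the ten most common passwords recover and how many guesses reach half the accounts. Those are the numbers that let two policies be compared on what users actually chose rather than on what they could have chosen; with real dumps the conclusions will of course follow the data, not the constructed tallies above.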
15. In summary, a true measure of password policy complexity will allow us to make informed decisions on password policies:
- Quantify the strength of a password policy
- Compare policies
- State with some confidence how many weak passwords people will generate with any given policy
HUGE when talking to business people.
Questions?
16. About me
Ari Elias-Bachrach, Defensium LLC
http://www.defensium.com
Ari@defensium.com
@angelofsecurity