Measuring Password Complexity
Ari Elias-Bachrach
Defensium LLC
http://www.defensium.com
Ari@defensium.com
@angelofsecurity
November 2012
2
What’s wrong with password complexity?
This talk discusses the problems with our current methods of measuring password strength and proposes alternatives.
• What’s wrong with password complexity?
• A better alternative
• What this can give us
P@ssw0rd!
3
We usually calculate password complexity based on the total number of possible passwords
• 4 digits
• 10 possibilities for each digit (0, 1, 2, 3, 4, 5, 6, 7, 8, 9)
Example code: 1 2 3 4
10^4 = 10000
4
We usually calculate password complexity based on the total number of possible passwords
• 6 digits
• 36 possibilities for each digit (0-9, A-Z)
Example code: A 1 2 3 4 B
36^6 =~ 10^27 (the slide’s figure; 36^6 is actually 2,176,782,336, roughly 2.2 × 10^9)
5
We usually calculate password complexity based on the total number of possible passwords
36^6 =~ 10^27 (as on the previous slide)
• Assuming X attempts per minute
• Calculate the expected time to check all passwords
• Mean time for a single password
• Time to exhaust the entire space
6
This only works if people are computers
Note: people are not computers
[Two tables, each with columns “Password” and “#”: one of passwords people actually choose (Password, Letmein, Voldemort, Password, Password) and one of passwords a computer would generate (5ga9n2kfb, b29cmna0, 9h8g2bgun)]
7
Human nature defeats complexity
[Chart: # of occurrences (y-axis) vs. passwords sorted by commonality (x-axis); example labels at the common and rare ends: password and bdsjgganqvoldemort, and with a digit appended, password1 and bdsjgganq1voldemort1]
8
How wrong are our assumptions?
Any 10 codes = 1/1000th of the total possible passwords
The top 10 codes =~ 15% of all passcodes actually in use
9
We need a new way of measuring complexity
[Chart: # of occurrences (y-axis) vs. passwords sorted by commonality (x-axis), running from “password” at the common end to “H6#a*b7Ke” at the rare end, with the Nth password marked]
10
We need a new way of measuring complexity
[Same chart as slide 9]
11
What’s needed now: analysis of password policies
[Chart: # of occurrences (y-axis) vs. passwords sorted by commonality (x-axis), with one curve each for Policy 1, Policy 2 and Policy 3]
12
What’s needed now: analysis of password policies
1. Get password dumps
2. Crack them ALL (if hashed)
3. Run them through the previous metric
4. Correlate with the applied policy
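The two metrics the deck contrasts, as an added example that is not part of the original slides or the author’s own code: the naive keyspace arithmetic from slides 3-5 (total possibilities, time to exhaust the space at a fixed guess rate, and what fraction of accounts the first N guesses would cover if everyone chose uniformly) beside the empirical, dump-driven metric from slides 7-12 (sort what people actually chose by commonality, then measure how many accounts fall to the first N guesses and how many guesses it takes to cover a given share). The two “dumps” are constructed sample lists, not real data, and the policy names and the outcome of the comparison are assumptions for illustration only; they do not answer the questions the slides pose.

```python
"""Naive vs. empirical password-policy metrics (hypothetical example code)."""
from collections import Counter
from typing import Dict, List, Tuple

# --- Naive metric (slides 3-5): assume every password is equally likely ---

def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of possible passwords, e.g. 10 digits x 4 positions = 10**4."""
    return alphabet_size ** length

def brute_force_minutes(alphabet_size: int, length: int,
                        attempts_per_minute: float) -> Tuple[float, float]:
    """(mean minutes to hit one uniformly chosen password,
        minutes to exhaust the whole space) at a fixed guess rate."""
    total = keyspace_size(alphabet_size, length)
    return total / 2 / attempts_per_minute, total / attempts_per_minute

def uniform_top_n_coverage(alphabet_size: int, length: int, n: int) -> float:
    """Share of accounts the first n guesses would cover if people chose
    uniformly: just n / keyspace (10 of 10**4 four-digit codes = 1/1000)."""
    return n / keyspace_size(alphabet_size, length)

# --- Empirical metric (slides 7-12): measure what people actually chose ---

def sorted_by_commonality(passwords: List[str]) -> List[Tuple[str, int]]:
    """The x-axis of the deck's charts: distinct passwords, most common first."""
    return Counter(passwords).most_common()

def top_n_coverage(passwords: List[str], n: int) -> float:
    """Share of accounts that fall to the n most common passwords."""
    ranked = sorted_by_commonality(passwords)
    return sum(count for _, count in ranked[:n]) / len(passwords)

def guesses_to_cover(passwords: List[str], fraction: float) -> int:
    """Fewest distinct guesses, taken in commonality order, that cover at
    least `fraction` of accounts. Fewer guesses means a weaker policy in use."""
    ranked = sorted_by_commonality(passwords)
    total, covered = len(passwords), 0
    for guesses, (_, count) in enumerate(ranked, start=1):
        covered += count
        if covered / total >= fraction:
            return guesses
    return len(ranked)

def compare_policies(dumps: Dict[str, List[str]], n: int = 10) -> Dict[str, float]:
    """Score each policy's cracked dump by top-n coverage (slides 13-14)."""
    return {policy: top_n_coverage(pws, n) for policy, pws in dumps.items()}

# Constructed sample dumps (100 accounts each), NOT real data.
# Policy A: 6 characters, at least 1 letter and 1 digit.  Policy B: 8 characters.
POLICY_A = ["abc123"] * 30 + ["pass12"] * 20 + ["qwe123"] * 10 \
    + [f"ab{i:04d}" for i in range(40)]
POLICY_B = ["password"] * 15 + ["12345678"] * 10 \
    + [f"user{i:04d}" for i in range(75)]

if __name__ == "__main__":
    # Naive view: A's alphanumeric space is 36**6 (before the must-contain rule),
    # B's lowercase-only space is 26**8, so B looks stronger on paper.
    print("naive keyspace A:", keyspace_size(36, 6), "B:", keyspace_size(26, 8))
    # Empirical view on the constructed dumps: how many accounts 3 guesses get.
    print("top-3 coverage:", compare_policies({"A": POLICY_A, "B": POLICY_B}, 3))
    print("guesses to cover 50%:", guesses_to_cover(POLICY_A, 0.5),
          guesses_to_cover(POLICY_B, 0.5))
```

The naive functions only need the alphabet and length, which is why they cannot see that the top 10 four-digit codes cover 15% of real accounts instead of 0.1%; the empirical functions need a cracked dump per policy, which is exactly the data the four steps above produce.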
13
What this gives us: the ability to quantify password policies
We can actually quantify the risk of a given password policy!
Which is better:
• Insisting on the use of numbers
• Insisting on the use of special characters
14
What this gives us: the ability to quantify password policies
We can actually quantify the risk of a given password policy!
Which is better:
• 6 characters, must use 1 number and 1 letter
• 8 characters
15
Questions?
In summary, a true measure of password policy complexity will allow us to make informed decisions on password policies:
• Quantify the strength of a password policy
• Compare policies
• State with some confidence how many weak passwords people will generate with any given policy
HUGE, when talking to business people
16
About me
Ari Elias-Bachrach
Defensium LLC
http://www.defensium.com
Ari@defensium.com
@angelofsecurity