passwords: you can't do it right
some say you’re doing it wrong. i argue you can’t do it right (but some do it better than others).
p@ssw0rd

see how ineffective passwords are at protecting your accounts, and ways of decreasing the chance of anyone using your passwords to achieve total domination.
joshua smith

what/who is the problem? WE ARE

why are we talking about this? establishing the problem:
- hbgary
- diginotar
- morto

hbgary: started with sql injection; md5 passwords; kibafo33
diginotar: bad domain admin password: Pr0d@dm1n
morto: rdp worm; common username/passwords

password complexity (or a lack thereof)
many passwords can be cracked/guessed because we choose weak passwords
gawker example

gawker analysis:
- the vast majority (99.45%) of the cracked passwords were alphanumeric and did not contain any special characters or symbols
- of the passwords that were alphanumeric, about 61% were composed of strictly lowercase alphabetic characters

topics:
- password complexity
- password reuse
- two factor authentication
- how to do it better

end goal

but i use a 1337 p@ssw0rd that is twenty characters long
maybe, but you use it *everywhere*

- sony stored all their passwords in clear text
- hbgary: pivoting
- sony/gawker: reuse
- diginotar: on domain

real world examples: DVWA, pastebin leaks

challenges:
- memory protection vs. passwords
- different apps/sites have different requirements
- convenience
- lack of understanding/support
- password management

mostly comes down to the convenience vs. security tradeoff

what are ways to remedy the problem?
- complex, long, and unique passwords
- two factor authentication

how do i manage my passwords?

thanks for listening! questions?
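the hbgary and gawker slides make one technical point: an unsalted md5 table falls to a wordlist in a single pass, and a weak password is weak no matter how it is stored. the following is an added example, not code from the talk: a constructed user table, a constructed wordlist (which includes the two leaked passwords named on the slides), and a cracker run against the table stored two ways, as unsalted md5 and as salted pbkdf2. the usernames, the wordlist and the third "unique" password are invented for the demonstration.

```python
# Added example, not from the talk. Users, passwords and wordlist are
# constructed here; the two weak passwords are the ones named on the slides.
import hashlib
import hmac
import os

# Constructed wordlist: the guesses any cracker tries first.
WORDLIST = ["password", "123456", "letmein", "monkey", "kibafo33", "P@ssw0rd",
            "qwerty", "sunshine", "Pr0d@dm1n", "baseball"]

# Constructed user table as a site storing unsalted MD5 would hold it.
UNSALTED_DUMP = {
    "alice": hashlib.md5(b"monkey").hexdigest(),
    "bob":   hashlib.md5(b"kibafo33").hexdigest(),
    "carol": hashlib.md5(b"long unique passphrase 7!").hexdigest(),
    "dave":  hashlib.md5(b"monkey").hexdigest(),   # reuse: same hash as alice
}


def crack_unsalted_md5(dump, wordlist):
    """Hash each guess once and look every user up against it.

    Returns (cracked {user: password}, number of hash computations).
    Without a salt the work is len(wordlist) regardless of user count, and
    identical passwords are visible as identical hashes before any cracking
    starts, which is the reuse problem in one line of a dump.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def store_password(password, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 record: (salt, iterations, derived key)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def verify_password(record, guess):
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)   # constant-time comparison


def crack_salted(records, wordlist):
    """Per-user salt: no shared lookup table, one slow KDF call per (user, guess).

    Returns (cracked, number of KDF computations). The weak passwords still
    fall, but the cost is users * guesses * iterations, not len(wordlist),
    and the long unique passphrase costs the attacker the full wordlist.
    """
    cracked, calls = {}, 0
    for user, record in records.items():
        for guess in wordlist:
            calls += 1
            if verify_password(record, guess):
                cracked[user] = guess
                break
    return cracked, calls


# The same constructed users, stored the better way (fresh random salt each).
SALTED_RECORDS = {
    "alice": store_password("monkey"),
    "bob":   store_password("kibafo33"),
    "carol": store_password("long unique passphrase 7!"),
    "dave":  store_password("monkey"),
}

if __name__ == "__main__":
    print("unsalted md5:", crack_unsalted_md5(UNSALTED_DUMP, WORDLIST))
    print("salted pbkdf2:", crack_salted(SALTED_RECORDS, WORDLIST))
```

note that the salted run cracks exactly the same accounts: the salt and the slow hash raise the attacker's bill, they do not rescue "monkey". only the long, unique passphrase survives both runs, which is the slide's point about complexity and reuse.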
joshua smith, josh@toastresearch.com

references:
- http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
- http://blog.duosecurity.com/2010/12/brief-analysis-of-the-gawker-password-dump/
- http://pastebin.com/1AxH30em (comodo hacker post)
- http://securityxploded.com/passwordsecrets.php
- http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm%3AWin32%2FMorto.A
- http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
- http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/
- http://www.golubev.com/hashgpu.htm
- http://www.tmto.org/pages/passwordtools/hashcracker/
- http://www.freerainbowtables.com/en/tables/
- http://www.skullsecurity.org/blog/2010/the-ultimate-faceoff-between-password-lists