Send the link below via email or IMCopy
Present to your audienceStart remote presentation
- Invited audience members will follow you as you navigate and present
- People invited to a presentation do not need a Prezi account
- This link expires 10 minutes after you close the presentation
- A maximum of 30 users can follow your presentation
- Learn more about this feature in the manual
Do you really want to delete this prezi?
Neither you, nor the coeditors you shared it with will be able to recover it again.
Make your likes visible on Facebook?
Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.
OWASP Passfault: Better Password Policies
Cam Morrison 3 February 2014
Transcript of OWASP Passfault: Better Password Policies
Passwords Can Be Better
Policies don't measure password strength
They test for compliance
with good advice
You can follow the advice,
and still make weak passwords
Upper and Lower
But still weak
Are passwords policies in your organization effective?
Long! Looks strong
Passes any policy
But very guessable
*Why do companies create yearly training
for passwords if their password policies
How do you measure password strength?
Word with Special
Word with Special
Horizontal Keyboard Sequence
Diagonal Keyboard Sequence
Random Latin Characters
Random Cyrillic Characters
How many passwords fit in the Pattern
Like a needle in a hay stack.
How big is the hay stack*
*Gibson Research Center, "Password Haystacks"
Estimate Time to Crack
Represents current hardware
Communicates the risk
Tie Policy to Strength
Better manage risk
Set the policy to an acceptable level of risk
Identifies more weak passwords, yet allows strong passwords that don't pass traditional policies
Provides detailed analysis of the password so users quickly learn how to create strong passwords without training
Communicates the risk of poor passwords with the "time to crack"
Empowers administrators to know and control the strength of passwords for the organization
Speaker: Cam Morris
Creator and Project Lead
Software Security Specialist
10+ years development+security
Why Not Use Password
Password Policies Stink!
Of People and Passwords:
"successfully creating a password is signficantly more difficult under stricter password policies"
Password length was the only significant predictor of password strength
- Komanduri et. al., Carnegie Mellon & NIST
In the password
Measure Pattern Size
Find Weakest Combination
Combined size of the patterns is the measurement of strength.
Worst Case Scenario:
Hacker knows what
patterns you used.
3500 lines of Code
3000 lines of Unit Tests
Password never leaves the Browser
Easy Platform Independence
Google App Engine
Derived from the Demo Page
Use Applet or JSON service
Current Password Advice
is not wrong...
but it's not exactly right
it encourages one type of pattern
Length is King
12 random characters
4 random words
2 misspelled words
Obscurity Vs. Security
Password Pattern Size
Favors secure patterns
Not obscure patterns.
Backwards Word = Word