Abstract: PathWell is a novel approach to enforcing password complexity,
designed to thwart modern cracking tools and approaches while
retaining compatibility with existing enterprise authentication
systems and password stores.

Recent trends in password cracking, such as the Hashcat suite's mask
modes, focus on common password "shapes" or topologies, such as "start
with an uppercase letter, then several lowercase letters, then several
digits" -> "?u?l?l?l?l?l?d?d". We find that topology use is so skewed
that exhausting the 1-5 most common topologies (out of tens of
thousands to millions of possible topologies) will crack 25+% of
all passwords on a typical enterprise network.

PathWell is a way to audit and/or enforce topology uniqueness across
an enterprise. This greatly reduces the attacker's success rate when
cracking passwords and increases their work factor to crack any
sizable percentage.

The concepts apply both to medium-weak hash types, extending the
effective lifespan of deployed systems, and to systems using
stronger hash types, making them even more resistant to cracking.

Bio: Rick Redman (Minga) has been performing penetration tests for 14 years. Additionally, he is a password researcher and a "well known" public speaker on public leaks, password cracking, etc. Rick also runs the "Crack Me If You Can" password cracking contest at DEFCON every year.
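To make the topology idea from the abstract concrete, here is an added example written for this page (it is not PathWell's own code and does not reproduce its implementation). It maps passwords to Hashcat-style masks, measures how much of a sample the N most common topologies cover, computes how many candidates a mask attack must try for one topology, and applies a PathWell-style uniqueness check that rejects a new password whose topology is already over-used. The sample password list, the character-class sizes and the max_per_topology threshold are constructed assumptions for the demonstration; a real deployment would compute the topology at password-change time and keep only per-topology counters, never a list of plaintexts.

```python
from collections import Counter
from functools import reduce

# Constructed sample of the kind of enterprise passwords the abstract
# describes. It is deliberately skewed toward a few topologies.
SAMPLE_PASSWORDS = [
    "Password1", "Baseball1", "Football1", "Computer1", "Princess1",  # ?u + 7?l + ?d
    "Summer14", "Monkey12", "Winter99", "Dragon01",                   # ?u + 5?l + ?d?d
    "Welcome2019", "Letmein2019", "January2019",                      # ?u + 6?l + 4?d
    "sunshine", "iloveyou",                                           # 8 x ?l
    "hunter42", "Secure!23", "12345678", "ACME2020", "corp$2020", "Money2020!",
]

# Hashcat's built-in class sizes: ?u/?l are 26 letters, ?d is 10 digits,
# ?s is its 33-character symbol set.
CLASS_SIZES = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}


def topology(password: str) -> str:
    """Map each character to a Hashcat mask class: ?u, ?l, ?d or ?s."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("?u")
        elif ch.islower():
            classes.append("?l")
        elif ch.isdigit():
            classes.append("?d")
        else:
            classes.append("?s")
    return "".join(classes)


def topology_counts(passwords) -> Counter:
    """Audit step: how many passwords share each topology."""
    return Counter(topology(p) for p in passwords)


def coverage_of_top(passwords, n: int) -> float:
    """Fraction of the sample cracked by exhausting the n most common topologies."""
    counts = topology_counts(passwords)
    covered = sum(count for _, count in counts.most_common(n))
    return covered / len(passwords)


def mask_keyspace(mask: str) -> int:
    """Candidates a mask attack must try for one topology: product of class sizes."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    return reduce(lambda acc, tok: acc * CLASS_SIZES[tok], tokens, 1)


def allowed_by_policy(candidate: str, existing_passwords, max_per_topology: int) -> bool:
    """PathWell-style enforcement (assumed policy shape): reject a new password
    whose topology is already used by max_per_topology or more accounts.
    The plaintext list here stands in for per-topology counters."""
    counts = topology_counts(existing_passwords)
    return counts[topology(candidate)] < max_per_topology


if __name__ == "__main__":
    for n in (1, 2, 3, 5):
        print(f"top {n} topologies cover {coverage_of_top(SAMPLE_PASSWORDS, n):.0%}")
    for mask, count in topology_counts(SAMPLE_PASSWORDS).most_common(3):
        print(f"{mask:30} used by {count:2}  keyspace {mask_keyspace(mask):,}")
    for candidate in ("Qwerty12", "Tr0ub4dor&3"):
        verdict = "allowed" if allowed_by_policy(candidate, SAMPLE_PASSWORDS, 3) else "rejected"
        print(f"{candidate}: {verdict}")
```

On the constructed sample the single most common topology already covers 25% of accounts and the top five cover 75%, which is the skew the abstract is describing; the keyspace figures show why an attacker prefers a handful of masks over brute force. The enforcement check is the audit counter turned into a rule: once a topology is used by the configured number of accounts, further passwords with that shape are refused, so no single mask can ever crack a large slice of the organisation.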
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast