
Okay, who stayed up until like 2 a.m. or even later? Okay. Well, I'm 51, pretty sure I could never do that anymore. Okay, so we'll get started. Welcome back to BSides and PasswordsCon day two. I'm your host for the whole day, I'm Per, the password guy, or the crazy password guy. I do have stupid jokes to tell and so on, but now I'm again really, really proud to introduce a good friend of mine from my home city of Bergen on the west coast of Norway, Cecilie. She works as a tester, a software tester. Tester is fair, yeah, but she's really good, well, she's actually awesome at a type of testing that I'm fascinated about, because she looks into how she can abuse whatever kind of app or software you have for purposes like stalking and harassment and other fun things you can do to other people, and she's incredibly good at that. But today her talk is "I know, but I have a system", and it's about, well, I will leave that to you. Cecilie, go ahead.

Thank you, Per. Welcome to my talk about password managers and the ones who are not using them. Now, first, password managers. I assume you know what they are. Please nod if you know what a password manager is. Okay, I'm just gonna say this anyway. Password managers are really useful tools to manage passwords, passkeys, PIN codes, passwords, like all of this. I'm going to say passwords, but it's going to cover all the other types of secrets as well. It's really useful to do this in businesses as well. Like, it's good for you as a private individual, but in businesses you really need to manage a lot of passwords that, for some reason or another, must be shared, like routers. Routers don't really care that you have a lot of admins, they only have one password, all the admins need to know that password, and so on. But even if you are buying the software or tool and rolling it out in the company, there's a lot of people, even though it's useful, who won't be using it. It's kind of annoying, like, this is really good for you, why won't you be using this tool? And this is what my talk is about.

Before that, I hope, I really hope that you had the opportunity to see Mia Landsem's talk yesterday about why the kids couldn't care less about your password advice. It's really good, and if you're on YouTube now, go back and see the recording. It will give more context to this talk. In Mia's talk she talks about how kids, young people, are sharing passwords and why it's important for them to share passwords, and also she talks about the consequences of sharing passwords and what's going on. And it's important that we who influence policies and products and do security training understand the context that the kids are in and the habits that they have, because in a few years we're going to hire them, and we really need to facilitate and mitigate the risks that their bad habits bring with them.

Shortly about me: I am Cecilie Wian. If you want to find me on Twitter, I'm sinobelle. I work as a consultant when it comes to testing and security at the company called Bouvet. My specialty is usability, as Per said, or abusability of software: how can I be bad towards someone with your stuff? I have a bachelor's degree in educational psychology and I have a master's degree in philosophy of technology, so that's what's going on in my head all the time. I spend a lot of time thinking about human users, what makes them human, why are they doing things, observing, looking at what they're doing and so on. If there's something you don't understand, please write it down, I'll take questions at the end.

Okay. I like humans. This is very important to understand. I like humans. I may sometimes loathe individuals, but in general I like humans. I find humans and people fascinating. I love watching people. It's kind of rude, but I really like watching and trying to figure out what is making you tick, why are you doing this, and so on.
Now, this is a kitten slide. It means that this is something very basic that I need to tell you so we're on the same page and you understand me, but if you're on board with what I'm saying already, you can just look at this adorable kitten. Password managers in a company are primarily for managing passwords related to the company: as I mentioned, the routers, the servers, the databases, the HR systems, the banking, the alarm system, the phone, email, logging onto your computer, opening the doors, you know, all that stuff. But it's also a very good tool for the individual employees to manage the huge amount of passwords that they meet in the business context. I recently changed job. It was wonderful that I could just leave all the passwords that I didn't need anymore behind. It was, oh, beautiful. I didn't have to drag them with me and, you know, start pulling them out in between my private passwords, because I have different vaults for that. If you want some advice on how to choose an enterprise solution for password managers, go see my talk from two years ago at PasswordsCon in 2019, six minutes in, and start watching there.

Okay, let's move on. I work in Norway. Norway is a very digital country. Like, digital banking is the norm, everybody is using digital banking, nobody's using cash anymore. If you want anything done anywhere, you have to take your devices with you, because you're going to go through a digital process of some kind. It doesn't matter if your leg's broken, or if you're buying a house, or if you're going to pay taxes or stay at a hotel. So if you're going to come visit Norway, make sure that your data plan is in order. Norwegian businesses are also very digital. They do their banking, their taxes, their reporting, their everything digitally. This is not only the big businesses and the big industries, it's also, like, the one-person plumber company type of thing. All of them are digital to some degree.

That means that the maturity level of security between all the different companies is very, very different. Like, we have the ones that are really solid, have security training, everybody is on board with routines and all that. But we also have a lot of the middle ground where the IT people are typically good, but then there's the rest of the company. Of course I do understand spending money and time on mitigating risks in the high-risk areas, which is the IT department, often managed, but you need to move at some point. You need to move from that hybrid situation between good combined with very bad security into, like, everybody should be on board with having a good security culture in our organization. And for getting a grip on this situation, a password manager is really a good step to take. It's very low threshold, it doesn't cost a lot (by the way, keep it that way), it's easy. But when rolling out password managers in a company, you're going to discover that there's some mismatch between the number of employees that you have and the people using it. Sometimes it's closer, sometimes it's worse.
Of course it's not a surprise. Like, the tech-savvy people, when you roll out the password manager and say we're going to start paying for this and this is the tool that you get to use, some of them are going to go, yes, you chose the one that's my favorite. There's going to be a small crowd of those people. And then there's going to be an early majority that's like, okay, fine, this is neutral, sounds like a good idea, I'm just gonna set it up. Then there's gonna be a huge amount of people that are more like late adopters. They're like, yeah, I did get the email, I didn't have the time at the time, but since you have sent me four, five, six emails now, maybe I should do this. And then you're gonna have a lot of people who just don't. They don't.

Now, I don't have numbers for this, but very often the non-users are in administration, they are managers, or newly employed. Also people who are suffering a life crisis may have great difficulty in adopting new habits and starting to use password managers, because it takes a lot of thinking, or some thinking. Tech-savvy people will set up a password manager enterprise solution within 15 minutes. They'll do it before their lunch. It's not a problem. For non-technical users, the time they need to allocate to start using a password manager is, in my experience, one hour. And a lot of people push it, like, they avoid starting because they're not sure how long it's going to take, they just know it's going to take time. An hour setting up means installing it on more than one device, orienting yourself in what is this software, what does it do, trying out how it's working, discovering some features that you like or hate, and adding enough passwords for this to be a useful tool. For companies, the success rate for non-tech people starting to use a password manager is very affected by how much time they have to get started. If they are squeezed on time, or if setting up a password manager is competing with more rewarding tasks, also known as my job, they're not going to do it.

A lot of companies think, or may think, well, that's okay, we're just going to order them, we're just going to tell them to do this and we will write it into our company policy. Emails will be sent out, reminders are being sent, sometimes someone sends out threats: all right, if you don't do this, this and this can happen, we'll cut your salary in some way. And I understand that, because employers have the right to instruct their employees. It's completely normal. But if security was that easy, we could all go home. I wouldn't have a job. So what happens when you try to order someone to do something that they don't want to do, or have conflicting feelings about, is that they may do the absolute minimum so they don't get in trouble, for instance so they don't get their salary slashed. They will do the registration process, but they won't be using the software, and the non-tech users or the non-users end up in a hybrid situation where you can see they have installed things, and they will show up in your list as installed, but there's no improvement of security at all. So my first advice: make sure everybody has enough paid time to set this up, at least an hour.

Okay, moving on. You have to understand people don't like managing, dealing with passwords, even people like me and Per. They have conflicted feelings. There's a lot of subconscious processes that go on in a human mind at all times. It's not impossible to manipulate people into dealing with password managers, but it's not ethical, it's incredibly disrespectful, and it may have unforeseen spillover effects into other areas of life. For instance, one of the reasons people hate dealing with passwords is because they feel that the rules around passwords change all the time, and that it's difficult, like, they have to remember things. When we make policies, it lasts a long time in people's minds; nothing really goes away.

In addition, when people feel trapped or forced, they tend to start behaving slightly irrationally and reactively. They will do the opposite of what you're telling them to do, or a version of the opposite. For instance, if I tell you, do not hack the hotel while you're here, I'm instructing you, and what happens is your beautiful minds are still like, well, I'm not hacking the hotel, or I'm not hacking the ho... You start putting effort into both sort of complying with what I said but also trying to defy me. And that is the magic of instruction. It's terrible. So when I do security training, we have to be very careful in how we instruct people. If it feels manipulative or forced, it's only human to react that way: I'll defy you some way. You insist on me changing my password every other week? I'll defy that in some way.

I like to talk with people and I like to listen to people. I like to know what their thoughts are and how they feel about, for instance, password managers. My goal is to understand them better, so that I can facilitate both the subconscious decisions that they're going to make all the time, that they're not aware of, but also be respectful of the reasons that they think they have for doing things. People don't really understand themselves well, but we still have to be respectful towards them. And if you listen to the reasons that people give for not using a password manager, you start to discover all these irrational thought patterns that they have. So my challenge to you is: listen to them in the respectful, no-sarcasm way, so that they can see their own irrational thought patterns and we can change and mitigate the risks associated with them.

For instance, the first one. Hands up if you ever heard the first one. Only a few, okay. When I say, "Do you have a password manager?" and they're like, "Oh no, no, I have a system." Well, yeah, now I can of course prove why they're wrong, why systems are crap, but instead of trying to beat common sense into them with my words, I just say, that's okay, you can have a password manager even though you have a
system. And then interesting things start happening, because that was sort of like their mental block, like, don't talk to me, this is my way of rejecting that huge imaginary task that you're giving me. Another thing that people say is, "Well, yes, but I don't have access to anything important." And that one is real. Like, when I hear that, it makes me sad, because it means that they don't think what they're doing is important. That's terrible. Why would we hire them and pay them if they weren't important? So I tell them, well, I think you're important, and the things that you do are very important, and you have access to a lot of things that are important. Please listen to me, I work in security, I should know. And then again, interesting things can happen.

"I started, but something happened." I like that one, because it's very easy, it's usually a technical problem. So I say, well, let me look at that with you, so we can resolve that with you. Not: let me do that for you. The "I used it, but then..." is harder, because that means there is a technical issue, but they have lost faith in the product and the tool, so I have to re-motivate them again before I can solve their technical issues, like, it's worth the time it takes to learn this thing. The "it doesn't really work well with..." is something that can happen a lot of the time. That means that the password input prompt happens in the wrong type of fields. We can't necessarily fix it, it's a whole long thing, I can't fix it now. So when that happens, I would just have to reassure them and say, oh, that's normal, but you'll be fine, you can deal with that, you can do this anyway, like, you're okay. And the "I have it, but I can't really understand what happened." That's also a technical issue, like, typically in the first part of the process, when they're signing on, something got messed up and they're stuck. It's like, okay, let me look at that with you so that we can figure it out. And the last one: "Oh, I have it, but I don't really use it." That is human speech for: it's boring, I don't see the value in this. Hang on, sorry, I just need my cursor on the right screen. Well, what can I do about its being boring? Well, yeah, it's boring. It's super boring adding a bunch of passwords. So, you know what, grab a bottle of wine and some friends and set it up. You know, adding passwords is boring, but you're gonna do it anyway. It's good for you anyway. Do a passwords and prosecco.

So conversations like this are delicate, but if you get that moment where you catch their interest, acknowledge their feelings so that you can change their mind. Like, you can expand that little gap that you get. If you mess it up, by either not acknowledging the feelings, or if you say, oh yeah, but you have to wait forever and ever to have this resolved, or, yeah, we're going to send somebody who's not going to be able to fix that but sort of, like, help you, you're going to cement that feeling that they have that this thing is not something I want in my life.

Learning to use a password manager is learning, and a lot of the time we think that, okay, but you can just learn it. No, you can't. You have to make your mind ready for learning. The first step is feeling safe. If you're afraid of losing your job while you do something, you're not going to learn well, or at all. You're going to spend all your energy on trying to get out of this situation and avoid losing your job. That's not the learning that we want.
Now, this is purely speculative from my side, I don't have the numbers for this, but my general impression when it comes to issues of the non-users: a lot of the managers have this problem. They think they should be able to do this, but, you know, they worry so much, they worry about failing, because they're, well, they're a manager. One, they're supposed to be, like, the best, or better than other people. There's a lot of worrying happening. But you need to get your managers on board. Like, it's tempting to ignore that the managers are not using password managers, but if you do, you're gonna fail. Managers influence and have a lot to say about how you prioritize your time. If the managers are not on board, they cannot help their team, they cannot help with recovery, which is a big part of an enterprise solution, they are not pushing password managers to new hires, and they do not show that this is a valuable thing to spend time on. And if they don't show that, you're not gonna do that, you're gonna do your job instead. Okay, that's my second advice: get the managers on board.

Yes, after making sure that people feel safe, like, there's room for mistakes and so on, people need to feel that this is something they can actually manage to do. And especially the non-tech, like the administrative people, they need to feel that this is something that is within their reach to manage to do. So when they ask for help, or they're open to getting help, I will set it up for them while they're with me, and then I tell them to add the passwords. When they've added a few passwords, I say, and now you do this and this to set up the next device. I don't go from "I set up the first device" to "now you're going to set up the next device". That's too big of a step. You need to feel that you can accomplish something in between, and adding the passwords is really, really easy. Just, yeah, gentle, caring attention, and: you can do this, you'll be fine.
A million years ago, when the dinosaurs were young and roamed the earth, a man I know was a manager. This is not the man that was a manager, you were not a manager there, there was actually somebody else who is also a dinosaur. Email wasn't something new, but not everybody was using it, and this organization recognized that it had a problem. They were using email to communicate internally in the organization. It's a good, efficient tool, but so many were not using email, they were not logging on. And the problem was that they didn't get the information, that's the first problem, and the second problem is that they consumed a huge amount of support time, because they logged on so rarely that they forgot how to do it in between all the times. So this manager thought about it for a while, and it was getting close to summer, and in the summer they had a freezer, and in that freezer there was ice cream that you could buy. So he sent out an email to everyone, blind carbon copy, not carbon copy, so it looks like it comes to you personally, and he said: you can go and have an ice cream for free if you want. Just reply to the email and say that you took one so I can keep track of it. The important thing is: do not tell anyone.

Of course they told everyone. First rule of Fight Club: don't talk about Fight Club. They told, they were gossiping: did you know you can get ice cream if you read your email once in a while? So what happened was that people who didn't like to read their email, because they found it difficult, were now like, maybe I should check up on my email, because I might get a free ice cream. You can do this with password managers. I highly recommend adding, first of all, the password for the Wi-Fi into the password manager in your company. So whenever people are asking, what's the password for the guest network or whatever, you say: look in the vault. If you have discounts or agreements or some kind of discount codes or other kinds of services that are nice, add them as well. And then it becomes like the people who are using password managers get extra perks. You can have them as well. There's no, you know, in-group and out-group. You can get it, you just need to set up a password manager. If you need help, you can just talk to that person, be fine. You can also do this with your parents. Guess what I'm telling my mom every time she asks, what's the Wi-Fi password again? Look in the vault, Mom. You just need to use your thumb to log in. So yeah, this is how I build culture. Not ordering people. This is culture. Yeah. You made your users feel safe, you made the humans feel like they can master this. Now they're ready for learning. What are you gonna teach them?
This text is in Norwegian. It says: do you want to forget all your passwords this summer? The second line is: get help with setting up your password manager on the 24th of June in the cantina, 12 to 15. This is a drop-in situation. You can just drop in. It's very casual, not dangerous at all. I had Christie Covick, who's sitting over there, my colleague, he helped me out with this, and the results were really fun, because people were coming in and they were like, you know, the shameful pose that is: will I get hurt by coming here and confessing that I hadn't set up my password manager a year ago like I should, or something? And I was like, no judging here, I'm only here to help you, I'm not being sarcastic, there's no judgment. And what happened was that afterwards people were relieved. They were rid of the anxious, guilty feelings. They were happy. So guess what happened? They told people. So now we have a lot of non-technical security advocates in our organization. That is winning, that is really winning. It's fantastic, because usually security is like, the IT people are doing that, and if we're gonna deal with that, it's because we like them and do them a favor by dealing with security. So yeah, but now we have the non-technical people and it's like, you can talk to her, she's really nice, she will just help you and stuff.

So yeah, to sum it up. It is normal that not everybody is ready to use your tool. People can change their mind about password managers, even if you didn't catch them the first time around. There's hope, but you need to be ready for when that possibility presents itself, or you need to facilitate that it happens, like we did with the summer promise of: you're allowed to forget all your passwords. And also make sure that you facilitate growth and learning in general, because when they're done learning about password managers, they're going to be ready to learn about other security stuff, and then you can be like, what do I want to teach them next? It's awesome. Questions?
Thank you, Cecilie. Questions? Yes.

Hi, thank you. (You can take down the mask so I can hear you better, it's allowed.) Thank you for the presentation. I have a question in the context of a larger company. Do you have tips about teaching developers and the IT people to actually implement, like, SSO, 2FA, so that the burden of having to do things and manage security properly is not on the user side, but more on actually having safe services, and users just having to remember one password, and this kind of stuff?

I do, and that's security training in general. Yeah. Just, okay, so security training: you have to start with a really low bar, like, what is the absolute minimum that we need them to know, and start with training that first. And then it's like, okay, what is relevant for your position? Don't teach everybody the same thing. Is it relevant for this person's position, yes or no? If it's not, don't insist on them going through all these security training things if it's not relevant. And if it's relevant, let people do it as a group thing if you can. Do it physically, it's much easier to learn things and feel safe when you can see that there's no danger. You can see people's faces, they're relaxed, they're okay, I can ask them questions, I'll be fine. But don't expect that MFA or all the other things are gonna happen like they probably learned in school. No, they didn't. Make sure that they are onboarded properly. And also, this is one of my best tricks ever: feed them. Hungry people don't learn. So do onboarding with food, give them time and be nice. You can teach them anything, really.

Thanks for your talk. On the subject of feeling safe using a password manager: how do you counter the impression that people have when they're told by their IT department that they should be using a password manager, that the IT department has some sort of evil motive around that? Like, oh, they want to get all, they know that I'm going to store my bank password in there and they want to get to my bank account, or something like that. How do you deal with that impression?

First of all, it doesn't matter what the question is. When you meet the user, if they have a question or concern, take them seriously. Again, they're going to have, like, subconscious... it's mostly about their feelings, they're just worried. So just take them seriously. Show them, if they want to use some time, because if you reassure them, like, spend time on them: I acknowledge that you're worried, is there anything I can do to help you understand this better or easier? Worries. And then you have a conversation. Do that in the beginning. Whenever you're going to do changes to your culture, in the beginning it's going to be a lot of noise, but after a while, when all the other people are starting to use this, it's gonna feel safer. But in the beginning it's gonna be noisy and a lot of insecurity going on. This is why it's very important to have the managers on board. If the managers use it, it's probably safe enough for me as well.

Hi. I think we all know these shared accounts for third-party services that are used across the department. Do those types of accounts make the transition easier, because everybody needs to use the password manager at the same time when the password changes? Or do you think this prevents people from moving, because it's more scary and harder to implement?

I'm not sure if I heard all of your question, but I think you asked: what about shared accounts, is it easier and safer, or is it gonna feel more dangerous, because then it's apparent that we're sharing things? In most organizations you need to share passwords. That's just the way it is. If you do it within the password manager, this is a fantastic trick: if you do it within the password manager, if I change the password, he won't notice, because he's so used to just copying the password out of the password manager. He's not going to notice that I changed the password, as long as it works. And this is one of the things that we don't talk about a lot in businesses, and that is unfaithful servants, or people who have to leave the company in disgrace. We need to change those passwords discreetly, because the case may not be settled, there may be a lot of difficulties around it, like legal difficulties. So being able to change passwords discreetly is actually very important.

Hi, Cecilie, thanks for the talk. My question is about those old IT guys who will not share the root password for all of the, like, Cisco routers, and the guy who will not share the password for the special safe that we keep the special stuff in. Like, that guy, right? Because he knows if he shares that password, we might not need him anymore, you know.

Are you telling me they're humans? Yes, with their fears. And feed them. I promise you, if you're gonna ask something big, this is social engineering: if you're gonna ask something big or uncomfortable from someone, make sure they have, like, medium-plus blood sugar levels, because then they're more patient with listening to you and your reasons. Because you may or may not have good reasons for getting that password, but you may not get the time to explain why you really need that, why they should trust you, because they're hungry. Me and Jim would really like to have a chat with you outside afterwards. [Laughter] I'm not sure if you should do this on camera. But a few of my colleagues know: if I show up at work with cake, somebody's in trouble. It's not because I'm going to be rude or horrible to them, it's just that I need them to be able to be open to what I'm going to tell them, that it's going to be demanding, that it's going to mess with their feelings a bit, they're going to feel bad. Cake helps. Good trick. More questions?

So I'm in the compliance and audit space, and shared passwords are always a contention point around maintaining security controls. How do you deal with knowing who accessed the password and, like, did a bad, made a mistake, and how would we audit that?

You should definitely talk to 1Password and LastPass, because those are two companies that do enterprise, and get them to tell you how you do that, because they have functionality for that. But since they're not paying me, you will have to talk to their salespeople. Now, do we have time, like two and a half minutes? Good. I want to show you something, because this is my bonus slide for you. Life changes, and when life changes, people re-evaluate what's going on, and here are some life-changing events. These are events that usually trigger large changes in behavior: getting married, new romantic relationships. Like, if you meet someone, or your employees meet somebody, they fall in love, they're gonna start thinking, should I share my Netflix with them? and so on. Like, what is the sensible level of sharing that we want to do, and so on. So they start re-evaluating their life. Then they're open to: you know what, it's really useful to have a password manager in that situation. Oh, in our program you can get one free for your girlfriend or boyfriend. Kids: when people have kids they do the same, they realize the world can be a dangerous place. And imagine teenagers. Wouldn't it be awesome if your teenagers had a password manager so they don't get hacked? Imagine how many passwords that teenager is gonna have in front of them for the rest of their lives. We're talking hundreds of passwords. Wouldn't it be a good habit to teach your teenager? And then you can teach them about MFA later on, because it's a super easy thing to have when you already have a password manager. Life-threatening disease or sudden death: what happens? We hear the news, somebody died or is very ill, and the second thought in our head is: what if that happens to me? Are all my things in order? Do I have my affairs in order? No, maybe. How do I share, like, all our family pictures? How do I make sure that my spouse or loved ones get them if I die? Have you heard about password managers? Divorce. Divorce happens, and divorce is one of the most common reasons why people send me a message like: hi, could we talk about the thing? Because I didn't do it properly, and I realized I'm gonna make a lot of new passwords in a very short time, and also I know it's bad to reuse passwords. Can we do the thing? And I said, remember, I told you, get a bottle of wine and some prosecco and hang out with friends. That's when they call me, it's when the divorce happens. And again, yeah, life-changing events. Use them for good. Thank you all for your attention. If you have more feedback or comments or anything... [Applause]

Thank you, Cecilie. So there's a 15-minute break before we continue with the next speaker, the next talk. Thank you. I'm in the halls if you have something, you can call me, talk to me.
Okay, welcome back after a short break. So we have with us Matthew Woodyard from Auth0, first-timer at PasswordsCon, but he's been to BSides before. Not trying to intimidate or scare you or anything; I'm really happy to have you here, and with this talk, Protecting Against Breached Credentials in Identity Workflows. So go ahead.

All right, thank you so much for the introduction. Since it's my first time here, I'd like to tell you a little bit about myself. So professionally, I was in finance for about a decade and worked through a lot of rotations within security, so it could have been compliance, fraud, architecture, really anything you can imagine; I probably did it at least for a little bit of a rotation. I co-founded a threat intelligence startup called Bad Packets, and currently I research emerging threats at Auth0, based a lot on the data that we have. I also do some academic research with the University of Glasgow, mostly on botnet tracking. I live in Chicago, I love to bike, I've started gardening but I'm really bad at it; mostly it's just weeding. I mean, honestly, if your partner wants a garden, you will weed the garden, so that's how it goes.

So about us: Auth0, part of Okta. We're a customer identity and access management platform, which means that we focus mostly on things facing customers. So you like sneakers, you go to a site to sell sneakers, you hit that logon box: that's what we do. And anything past that, though, is completely opaque to us, right? So we don't know anything about the web apps downstream, we don't know about their AppSec posture. So that gives our intel team the motivation to track botnets, track credential leaks, aggregate insights from the logs that we get from all of our customers, and maintain a robust credential database and integrate it into identity workflows before they hit applications, because that's where our control stops.

All right, so that's me. I want to talk just a little bit about credential stuffing, you know, what it is. Keep things a little bit informal, really, because I know that a lot of people in this room may have some background here on what it is already, but nevertheless we'll go through it. I'll keep things a little bit informal, I'll stop for questions, like, three times, so if there are any things that need clarifying, please definitely do that. So we'll start with the what, why and how of credential stuffing, the state of affairs and what we're seeing from our log data, and controls that we can put in place.

So what credential stuffing is, exactly: essentially it's the reuse of credential leaks in attacks from unrelated leaks to the target account. So by credentials here, for the scope of this talk, I just mean things like usernames, email addresses and passwords used in some combination, or something like this. So related attacks, like session hijacking, other types of brute-force attacks, are going to be out of scope for the purposes of this presentation, but I think credential stuffing will be with us always, because people will continue to reuse passwords; sites will continue to leak the passwords that you used on them.

So why do threat actors employ this attack in the first place, besides just its efficacy? Like, what are they after, what are the goals? So a lot of times there's an economic objective. So I'm going to give as an example: say that an attacker wants to do an account takeover, and their goal is to use a password that you had used before. Say that it was leaked by Ashley Madison and you reused that password on your favorite sneaker e-commerce site. That person wants to get those sneakers, resell those sneakers, and there you go. So a second example of why you would fall victim to credential stuffing is attackers themselves want the personal data. So there's sort of this feedback loop to the attack itself, where if you have access to the account you get to learn more about the subject: you get access to their sneaker account, you find out where they live, you can then launch a more targeted attack. And similarly, from a workforce standpoint, who amongst us has not reused their work email on another service? Maybe you don't reuse your password; it's PasswordsCon, we don't reuse passwords here. But you probably reuse your email, and it's really great for lateral movement. If somebody's domain is okta.com that gets leaked, I wonder where they work.

All right, so let's put it all together. I'm probably going to walk for this one; hope that it works. Okay, cool. All right, so an attacker would start with a list of passwords from the usual sources, so, you know, dark web, whatever public leaks, and their own previous attacks. So this is kind of the feedback loop that I'm talking about here. They would load that into a database, and either through scripted or unscripted means, like humans (and we'll talk more about that in a little bit), typically through a botnet or something to obfuscate them, they'll hit your identity workflow, and then they'll get to your precious web application. So separating out the identity workflow for the purposes of this talk is going to be at least a little bit important, because that's the data that we're looking at, right?

So I'm going to take the first break for discussion. If there's anything about that that wasn't clear, that you have questions about, maybe it went too fast, let's go ahead and take a second to talk about that. And if any of you want to volunteer kind of what, against your organization, attackers are after, this is a great time to do that. So is there a mic runner? Was there a question? My money. All right, your attackers are after money. Really glad to hear that. But is it primarily a monetary objective in this room? Like, is most of it they're trying to steal some material good, or, you know, take money directly, or what?
Okay, yeah, so what you're saying is that a lot of the attackers that you see, they're kind of getting in, dorking around, figuring out what's there in the first place, and they're not coming into it with, like... right? Yeah, so they're not coming into the attack thinking, oh man, I'm going to get some sneakers out of this deal, right? They're just... that's what you see a lot of. Okay, great. Yeah, so that gives me an idea a little bit on what to focus on as well, so thanks for your input on that.

Going to talk a little bit about how bad things are and how everything you see presented was generated. So with only a few exceptions, all this data is aggregated and generated by the authentication logs that we get as Auth0, and the insight that we've gained as practitioners in the threat intel team. So will you be targeted? Science points to yes. So we did a look at quarter one of this year and saw how many of, when I say applications I mean tenants, and we can break down what that looks like in the Q&A if you like, but 48% saw seven or more attempts of credential stuffing against their applications.

So what will that attack look like? To get a feel, I'm going to give an example here of a real-world credential stuffing attack. So the graph shows a number of authentication attempts before (that's in blue), during (that's where you see the big red bars), and then after, where we've got blue bars again, of an attack against one of Auth0's customers. So during this time frame, the malicious attack ended up being around two times the number of median login attempts from the previous, I think, six months. So, I mean, really depending upon what your identity paradigm looks like, it almost looks like an L7 attack against your authentication, right? So extremely common attacks; that's generally what we see.

How they work, so what's the mechanics of how we get there? I'm going to go through a timeline of a story based on a real-world attack that we saw, and a little bit of insight from Verizon's Data Breach Investigations Report, the DBIR. So the DBIR showed that over 60% of breaches were actually detected by victims within 24 to 84 hours. The bad news of that is that they normally didn't detect it themselves; they were disclosed by the attacker, by a law enforcement agency, an external CERT team, whatever, right? So in this attack that we saw, first the attacker obviously stole the credentials. We can't clearly know this time, but the agency that we had worked with had estimated that it probably was about 24 hours between the breach, the confirmation of the breach, and the first attack. And in the next 24 hours the leaked credentials were identified by the detection and response team of our customer, verified by us as well, and we were able to put the credentials in our credential stuffing protection workflows, and within really just minutes of putting it in there we already saw use of the breached credentials, only from that one threat group though, we think; you can never be sure about these things. Over the next 72 hours we did ongoing monitoring and really, again, saw it mostly coming from just one group. But once we got to, I put 84 hours, but it really is 84-plus, because it took about a month for us to see this in the wild, just very broadly used. So that really, I think, gives you an idea of the amount of time you would see going from breach to opportunistic.

So this leads into sophistication, and I kind of want to just really show how low the bar is. There's a lot going on in this chart; I'm going to walk over there and talk through it. So what we see a lot of is, like, does the attacker even try? So these dots down here are just normal authentication traffic, right? This up here, the size of the dot is the number of IPs in requests, and what we're looking at is the number of unique user agents versus the number of attempts, right? So this attacker up here is using a botnet. It's not a great botnet; they're not even messing with the HTTP headers, right? This is part of what gives us an idea of whether or not a sophisticated group is using breached credentials. And here we have one that is at least a little bit more sophisticated, because they're trying to use user agents that look like humans, right? So really this is how low the bar is when it comes to attackers and their sophistication.

So I kind of break this into two personas here. I think about the opportunistic attacker, we'll call him Sam Skiddy, and they are always using the older leaks, a lot of times public leaks, very common leaks. So if you just do a count of all the times you've seen an email address, for example, and just do a sort, that's what they're going to be using. Oftentimes they don't even try to rate-limit circumvent, very common controls. And then Ada ATO, we'll call them, works on fresh leaks, like what I showed before. They use bespoke botnets (we'll talk a little bit about what that sophistication looks like), and they emulate human activity, either by being humans or scripting and other, a little bit more clever, methods.

So take a break here to pause. Have you seen credential stuffing attacks in your org? What do they look like? Do they look like what I just presented? Do they look totally different? Obviously I'm giving a very simple picture here, because I'd really like feedback on this topic. Yeah, and if the mic doesn't work I'll just repeat the question. Hopefully that worked out well. Got one in the back.

I've seen it tons of times, but I'm not... you know, I'm not neutral in this one.

Hi, yes, we've seen, my employer has seen credential stuffing attacks, and actually with a shorter timeline than you're showing here, and on the more advanced side of it. So yeah, it's real.

So it's real, and kind of what I presented matches up with your experience, more or less. Okay. Yeah, I'm honestly happy to hear that, because as a researcher you're never really sure if you're on the right track until everybody else tells you you are. Or, I don't know, if you have low self-esteem it kind of works the same way. So if there are no other questions, I can just move on to talking about controls that might be put in place. We are way ahead of time, so
this should go pretty well. I want to revisit what I presented before on what a slightly more sophisticated look from the identity side might look like. So you still got the attackers aggregating leaks, they're still using a botnet, but in the identity workflow we've got the breached credentials detection, and that's really what makes the difference, right? It is so important to have at least some kind of list there, do some kind of tracking of the logs and analytics, and have some kind of action taken after that. So what we have are things like notifying users, forcing a password reset; some people do things like mandatory education, right, where it's like, hey, I see this has been reused, this is where it's been reused, you may want to look into such and such a thing or try such and such a thing, right?

So I think really the solution here is defense in depth, though, because just having the protection that I showed before is really not going to be enough. So bot detection, I think, plays a huge role here. So when I was speaking of more sophisticated attackers: if somebody knows the area in which their target lives, so back to the person attempting to purchase sneakers, they would want to err on the side of using a residential botnet, that is actually a residential IP in the area where the target lives. This is a way of circumventing fraud controls downstream, and it's a great way of circumventing bot detection controls, because often these botnets are ephemeral, fairly short-lived, take advantage of IoT devices or routers, and they just look really, really real. So I think this is an important control to have in-house to protect your identity workflow. If you don't have it in-house, then you might want to buy it; just figure out what your budget looks like for that.

Second is going to be rate limiting. I'm always shocked when I see how few attackers even try to circumvent this control, I really am, and the linkage to credential stuffing we always see is very strong. A lot of credential stuffing attacks are people trying very hard, very fast. But we also see things like people sprinkling in attempts, not trying too much; again, that's the more sophisticated attacker, and rate limiting isn't going to work on that. Neither is something like impossible travel, where you might look at the IP of somebody who signed in and see, like, oh wow, you're signed in from Norway and Las Vegas, like that's pretty weird, we're going to throw up a flag there. If you have a more sophisticated attacker, not going to work. If you have a site where your users care about their privacy, generally also not going to work, because they're going to use VPNs, probably in short amounts of sessions, right? So I so dislike impossible travel that I did not even put it on the slide, but nevertheless it is worth discussing if you're talking about botnets and rate limiting.

And if you have the capability, the next move would be to rule- and risk-based pre-login assessment, or assessment throughout the process. So when you're looking at that attacker, if you're able to do constant authentication using mouse usage, maybe analytics about how they use their keyboards, etc., that's something that is an extremely effective control that, frankly, your ID provider probably can't give you if it is an external provider, right? They're not going to see that downstream; that's going to be an application security concern.

And finally, there's a reason I put it at the bottom: multi-factor authentication. There is a trade-off in this control that really depends on the market power that your company has. To be honest with you, I use some Intuit products, I'm not going to call many of them out, but every time I log in I need an SMS second factor, which is a terrible second factor that I never asked for, that makes using... Hey, how are you, hydrated? Hey, you know what, I could be more hydrated. Maybe I should have gone with the stand-up routine, or improv in Chicago. I can't juggle, I cannot juggle that. [Laughter] I go fast, I do get through that, you know what, I probably can't. I drink like a diabetic camel. You requested, you get it. I didn't even put that on the request; that's your mind reader. A flamenco dance would have been better, but I'll take the water. Yes, thank you, thank you for the water, appreciate it. [Laughter]

So multi-factor authentication, honestly said, don't like it a whole lot, really don't, but if you're into it and you have the market really cornered, okay, yeah.

What's... things like the app second factor, there's an option as well which is a little bit lower barrier, but, you know, for obviously like sticking to your own organization, like, yeah, well that's a...

Okay, let me repeat the question if that's okay. So the question, in essence, is why don't I like multi-factor that much, and I'm going to put it more generously towards me, because I realize that saying you don't like multi-factor a whole lot can be a real bad look at a security conference, but I also look bad, so, you know, I guess they go well together. So I think it comes down to market power and where you are. So with workforce MFA, always do it; if it's not email or SMS and something stronger, that's great, I really think you should do it, right? And so, like, the Okta part of my brain does not agree with the statement I just made, but with workforce you have to ask the question, where are my workers going to go? I'm not going to lose workers over this, right? But if you're selling sneakers and somebody closes that tab, that is... that's why you have workers in the first place. So that's, I mean, I really think that is a core trade-off. I don't know, does that make sense? And more importantly, is that, like, totally incorrect in your view? Because I'm open to both.

Your security problems are very interesting in my research. Yeah, we can... we also have, like, enough time to keep things online too. That's, like, exactly... we're actually, I think, maybe one slide away from the last, so that is why I'm here in the first place. I really do want it to be a discussion. I think part of being a researcher is carrying on the conversation, right, the great conversation; that's pretty much what we do, like it or not, in service of capital. So, you know, basically, though, I think that's what it comes down to, is a risk-based decision. And me as a user, what I don't like about SMS and email MFA being forced on me at every login is you've introduced friction with, frankly, not a huge value add in security, and if Intuit had any competition they probably wouldn't do it, right? They would probably lean more on risk-based controls or give me the option of what I want to use. Like, when it comes to MFA, they put water so I can't put my laptop up. It's really cool to have something where you can push a button, and if you've got workforce and you have a postal service at your disposal, you can mail them hardware security devices, you can have them enroll that device, right? So I really think that friction is really important. We talked about market power; yeah, you gotta ask what's
there to lose? What are they after? In an enterprise you may have, like, a whole lot to lose. I've worked for really, really large organizations, and if you're, like, one of the biggest banks on the planet, like, what is there at stake? Like, don't want to be too dramatic, but the world economy, I think we've seen. And what's the cost of implementing the control? Finally, I think, is really important; like, it comes down to organization size. So show of hands: how many work at an organization smaller than 100 workers? Okay, awesome, you just volunteered yourself to have a question asked. So from your standpoint, of all the controls we've mentioned, and maybe others that you could think of, which do you have the budget to implement, and how difficult is it if you worked at a company of 100 individuals or fewer? What, you know, kind of what would you run up against, right? Like, we've talked about what the highest ROI probably is, right, so what aligns with your budget? Yeah, you're gonna need some friends; you have a hundred friends at best.

Could you give him a mic? I'm sorry, I... yeah, when I hear MSSP I'm like, all right, let's get on the record here.

All right, it's working. I run an MSSP, and we run up to accounts not quite under 100 but 500 or less, and a lot of them have that question of, you know, what do we implement, what's the best ROI. And despite our best efforts, not all of them want to do, you know, risk-based discussions and go through that and really pinpoint. So we had to come up with, like, our essentials package, which MFA is on there, because in a lot of cases it's free with the tools that they're using; if not, it's cheap through Okta or Duo or whoever. Security awareness training, endpoint protection, email security, and then if they want to go one step further, vulnerability assessments and all that. But that's generally those are the first five controls that people reach for, and usually if there's, like, you know, no more than 500 employees, that's usually within their budgetary grasp.

I mean, at least for your customers, right? Yeah. You can see I'm a little, you know, kind of narrow-minded because of my topic, or my specialty mostly being CIAM, but yeah, I think that's great insight for workforce, and it's good to know what they can afford. And I honestly do agree, if you're a smaller org and you're using a lot of cloud-based services, it really does often make sense to just outsource that, one way or the other, right? Maybe there's disagreement there too, but honestly that's my view, is that if you're not an identity company you may not be that great at identity. So that's just what I've seen.

Yeah, so, I mean, really that's it. If you want to talk about whatever protections you have in your workflows, what you think works and what doesn't, if you want to get really in-depth, because I know there's a lot of PasswordsCon people that are, like, super duper smart about passwords and cracking them, I would really love to hear your views on... did I leave it on? I didn't leave it on, on this thing right here. So managing what's in that database securely, actually doing a good job in your identity workflow of taking the credentials that are entered, comparing it to what's in the breached credential database; insight on that, of course, would be extremely welcome. And does anybody, like, have any thoughts on that, or what they do in their own experience? I can see you smiling under the mask.

Yeah, out of curiosity, do you make a difference between credential stuffing and password spraying in this talk?

No. [Laughter] But do we track that? Yes, right, of course. And it's, I don't know, all the brute-force sort of attacks have some kind of commonality, but password spraying is almost closer to opportunistic botnet activity, I think. It's not very good, it's not usually super targeted, but with credential stuffing, like, at least you know something; your attacker has a starting point. But definitely tracking that, obviously, extremely vital in any application, I think, at least is looking for breached credentials.

Is that part of your service, and is it integrated, or is it an option that I can purchase additionally?

You can give us as much money as you like. I don't want to plug services too hard, because I want to be asked back, but yeah.

Well, I'm not asking for a quote here, most definitely not. I do have an opinion on the use of services providing breached credentials information, be it from dark web or wherever you find it. So, yeah.

Okay, yes, so I will say yes to that. I think I can safely say that, you know, as you saw from the example, we work really closely with our customers, and they want that stuff in our breached password protection database too, so we get a lot of good stuff from that. You know, we buy data from lots of CTI vendors, as you might imagine when it comes to credentials. Honestly, we're not running crackers, but I would love to hear the ROI on that, because I know there have been lots of great talks on cracking passwords here, but I don't know if there's been a lot of talk of, like, okay, here's the buy versus build, like, here's how much really you want to spend on having a GPU or whatever that could actually crack, you know, certain passwords hashed a certain way, or whatever. That's a discussion I'm super happy to have, and this is definitely the venue for it. But yeah, I know that I more than, like, talked around your question, but I hope that helps at least. And honestly, if you're not gonna buy it, you really should consider building it, like, honestly.
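The check the speaker asks the room about, taking the credentials entered at login and comparing them against a breached-credential database inside the identity workflow, as an added example; this is editor-written code, not the speaker's and not Auth0's product. It assumes a k-anonymity-style range lookup (the login side sends only the first five hex characters of the password's SHA-1 and finishes the match locally, so neither the password nor its full hash leaves the workflow), a small constructed corpus standing in for the real breach store, and a constructed user store; every name and value in it is made up for the example.

```python
"""Breached-credential check inside a login flow.

Added example (not the speaker's or Auth0's code). Assumptions, all
constructed for this example:
- LEAKED_PASSWORDS stands in for a breached-credential database; a real
  store holds hundreds of millions of entries and is refreshed as new
  leaks are verified.
- The lookup follows the k-anonymity range pattern: the login side sends
  only the first 5 hex characters of SHA-1(password), receives every
  suffix stored under that prefix, and finishes the match locally.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample corpus of "leaked" passwords.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "sneakers2019", "letmein"]

PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form breach corpora are commonly keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_store(passwords):
    """Index a corpus as prefix -> {suffix: number of times seen in leaks}."""
    store = defaultdict(dict)
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        store[prefix][suffix] = store[prefix].get(suffix, 0) + 1
    return store


BREACH_STORE = build_breach_store(LEAKED_PASSWORDS)


def range_lookup(prefix: str) -> dict:
    """Server side: return the whole bucket for a prefix, never a single yes/no."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be %d hex characters" % PREFIX_LEN)
    return dict(BREACH_STORE.get(prefix.upper(), {}))


def breached_count(password: str) -> int:
    """Login side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate, count in range_lookup(prefix).items():
        if hmac.compare_digest(candidate, suffix):
            return count
    return 0


# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
USERS = {}
PBKDF2_ROUNDS = 100_000


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def password_ok(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    computed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(stored, computed)


ALLOW, FORCE_RESET, BLOCK = "allow", "force_password_reset", "block"


def login_decision(username: str, password: str) -> str:
    """Outcome of one login attempt.

    The breach check runs only after the real credential check succeeds, so a
    failed login reveals nothing about what is in the corpus, and a valid but
    leaked password leads to a forced reset instead of a normal session.
    """
    if not password_ok(username, password):
        return BLOCK
    if breached_count(password) > 0:
        return FORCE_RESET
    return ALLOW


if __name__ == "__main__":
    register("alice", "sneakers2019")  # reused a password that is in the corpus
    register("bob", "correct horse battery staple")
    for user, pw in [("alice", "sneakers2019"), ("bob", "correct horse battery staple"), ("bob", "guess")]:
        print(user, "->", login_decision(user, pw))
```

The ordering in `login_decision` is the point worth keeping when adapting this: checking the breach store before verifying the password would let an unauthenticated caller use the login endpoint to probe which passwords are in the corpus. Refreshing the corpus is the other half of the control the talk describes, since a fresh leak is what the more sophisticated attacker is using.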
Yeah, so maybe I should go back to: are controls worth it? Because, like, is X worth it is always something of great interest to me, and not just because I'm at, like, a third-party vendor now. Part of, like, if you have principal or staff or director in your title, is, like, being able to BS enough that you can, like, put that question into your budget ask. So, yeah.

I just wanted to ask a question. So if you have a breached credential detection, why don't you notify people proactively, and use that database to actually, you know, reset those credentials ahead of the time, before the attack is happening? I mean, I understand that you can use that database maybe to detect the attack itself and identify the malicious IP, but as far as the users are concerned, wouldn't it be better to notify them ahead of the time?

That's a good question, honestly. So, for example, if we had an email address we know was associated with a credential that had been breached, wouldn't it make sense to notify that person rather than waiting for them to log on to a downstream service? That's really the heart of it, right? I think, like, honestly, part of it is to have it in product, to be super frank, but also, when people actually try it, that's what gives us confirmation that we're onto something, because if you're using that email and password in multiple contexts, we don't know if that password's still, like, relevant. You know, maybe the leak was from 2019, like a LinkedIn leak or something like this. So that's kind of... I hope this answers satisfactorily to you, but those are really, I think, the two biggest reasons that we don't proactively notify people who may have been involved in breaches.

Honestly said, I also think that's a responsibility of the company that was supposed to be securing your credentials in the first place. [Laughter] No one to scare them off.

Yeah, yeah, I suppose that's true.

Hey, I just was curious a bit about your risk-based decision making in CIAM. So what kind of practical implementations could somebody look at if they wanted to do risk-based policy for customer identity?

Yeah, so I think that it really comes down to where you sit in the flow, so I want to say that right out the gate, right? So are you at the login box and you stop at the logon box, or do you have the application? But for something risk-based, I would really look at any multiple factor that you may have, what risk may be associated with that. So if a phone number is being used, like, for passwordless or something, it really helps to have some intel on that. So there are lots of great vendors that provide things like this; I would definitely include that as risk-based. We have internal machine learning models, which you can actually read about, tons; we have resources that I can give you after this talk. I would recommend that if you have it, right? But, like, the first step is having that log data at the ready, and if you've got the data, there are lots of predictive tools that would be at your fingertips. Are you up here because you want me to leave? Are you just up here to walk it around? I have consequences for you. I'm just... okay, if I should ask them how afterwards, I'm here all day, and we have, I think, at least a few minutes, and... oh yeah, yeah, I mean, I can wait.

Yeah, well, it's an interesting topic. I can tell you that we've had several talks at PasswordsCon before about protection against password spraying, credential stuffing and so on. All talks are available online on YouTube for free. Some of these talks were held in Europe over the past few years, so there's a certain possibility people in the US haven't seen them, and vice versa, but there's some great stuff in there. Personally, I'm working for a financial services company, or ID provider, in Norway, and when you use us there's a mandatory two-factor authentication. One of the things that we do that I have pretty much never seen anyone else do in the world (and I'm not saying we are amazing, we're just incredibly good) is the fact that when you log on with us, you log on in an order that is different from how most people do, because usually when we do two-factor authentication you do username, then password, and then an OTP. We ask username and then OTP, and the OTP is not a push notification to you; it's a hardware device that you have where you get a PIN, and if you are not able to enter that, you will never get to the password prompt. So credential stuffing and password spraying is absolutely pointless towards us; it doesn't work, it can't, because you can't get past the OTP without actually coming to Norway and stealing a hardware device from somebody using BankID. And this is something that you can do, you know, if you have a YubiKey.

Social engineering, yes. I convinced you that I was part of it. Did I mention FIDO WebAuthn as part of the flow of this? So nope, doesn't work.

But I mean, this is something that you can do as easily with, you know, if you have a hardware key like a YubiKey or a Google Titan key or something, and you're using Secure Shell: you can set up a PAM module in your Linux box saying that whenever I SSH into my box, enter your username, and then they will ask you to use your YubiKey first, and if you don't have that, or if that doesn't work, you don't get access. I mean, I set this stuff up, like, 11 years ago on my boxes at home, when I got one of the first YubiKeys made, more or less, and just for the fun I put up a box available on the internet with telnet and SSH available, and I said use them first, and then you need to authenticate using the OTP. So I just saw I don't know how many login attempts, and all of them fail, because you can't get past the OTP.

That's a brilliant way to solve this.

Well, let's say solve it, but at least you're reducing the attack surface by huge amounts. So it's a good tip. Well, in my case I decided just to go for, you know, only do the YubiKey, so no password at all. But again, I run PasswordsCon, I have a passion for passwords, I'm saying they are never going away. So I also say that having a memorized secret in here as well is something they really should have, and for those who don't remember what happened to RSA and security, read up: you need a password as well. More questions or comments from the audience?

Oh, yep. Yeah, I want to say also, I could not agree more. I wish in the US and internationally we had... is it like a requirement in Norway that banks issue that, or is it just totally unique? Oh well, that makes it easy. Yeah, yeah, your flow is much better. Yes, yes, please.

So this is not exactly a question, more a comment, because I didn't come here to represent Intuit, but in fact, so we do have a very intensive monitoring of what's happening with our customers, and I can tell you that the thing that you're talking about, this MFA, is something that we are well aware of. This morning I just got here late because I was on a call exactly about this issue. You know, we have many threats and many security mechanisms and everything, that we essentially know what we have to do, but, you know, everything that we're doing we're doing very slowly, in order to not damage or open the door for additional fraud. So I'm sorry for what you're experiencing, but you should know that this is something
that is being handled i accept your apology and i thank you for your service uh yeah i mean that truly i wasn't honestly trying to pick on you there's other large u.s banks that actually do the exact same thing and it really really drives me nuts in fairness this is like in a small business smb context so i can see why they do it right like small business account takeover is a really really big deal and even though intuit like ultimately may not be like responsible or on the hook you still have that duty to your customers and and i appreciate that like i i do right um i was just being a baby about friction and
i think that it's more of like a scion problem honestly so i don't know that's my view i hope that's a little more generous um i have two questions uh one is uh but you said you didn't like the impossible use case or impossible impossible but i didn't um i didn't get uh the reasoning behind or what you don't like about it and then the second is um do you have any good usage use cases for a situation where somebody an organization is using a soft token as their second factor and it's compromised okay um you'll probably have to ask the second one again because by the time i get through the first one i'll probably i
forgot but um what what don't i like about impossible travel um if you are a provider with a lot of different customers and a lot of different places with a lot of different use cases i hate to give as an example but you know web3 companies that are startups really like to outsource their identity because you know they got to move fast and like not all web 3 companies are good at identity but um what talks about impossible travel for them is that a lot of their customers are really concerned on privacy do use vpns and within the same session like very well may change ips throughout countries but if you're doing something like workforce
or finance impossible travel probably makes complete sense honestly so that's that's what it comes down to i think is like what is your use case what are your trade-offs where's your revenue and so the second question ask it one more time um compromise soft tokens do you have like use cases to detect you know credential stuffing plus compromise soft tokens so the question is around like what what situations have arisen or like what how how deal how to deal with it or i'm trying to think as a login box um directly and i wish i had an answer immediately at hand um you uh yeah yeah so my question actually ties into his question but um we use a siam um
provider service called glue glue identity so i was going to ask for your comments on that but to speak to his point um glue is actually java based and you might have heard of something called log4j so um you know there's a tie in there did you want to comment on this question um so commenting on this question i think that um you know ultimately downstream application security is probably where i would see that and i know that's not an answer that probably satisfies anyone but that's the best i can give you yeah yeah so just wondering if you if you had heard of glue identity and if you have any thoughts on open source uh you know
providers to help to solve some of these problems um i don't really have too many thoughts on them so for workforce protection for you have an endpoint that's recognized as a friendly endpoint and so you can enforce that at your organization where you're only allowed to actually authenticate with a work device that's been proven to be a work device yeah right yeah workforce is is very nice in that you have control over the end points or could at least usually though well yeah in this world of remote work control is kind of a weird concept in the first place okay then we're all done thank you for coming to peace rights and pastors come yes thank you for having me it it truly
was a pleasure um i hope that i get some insults from you shortly after that do insults but now it's lunch time and i hope to see you all back at two o'clock thank you
I usually don't do pictures, but I'll start doing it longer.
Thank you, that's okay, he's gonna do it.
Okay.
I haven't either.
Yeah, but Black Hat's not exactly my speed, I think.
Okay, I think we are pretty much on time, a few more seconds, but again, I'm Per, the founder of PasswordsCon. Really nice to have so many people in the room and back here. Whenever I do PasswordsCon, and I've been doing this since 2010 in Europe and here in the States, I always look for new talks, new speakers, new content, but I am also very interested in having new perspectives on old stuff, and also repeating old stuff. I don't care if your presentation has been done many times before, because with this audience there is always something new to learn, both for speakers and for the audience. So if you have something that you think could be a great idea for a talk, feel free to reach out to me. I really love helping people trying to come up with good talks, good content, and most probably you are working on or you're studying something that I take a keen interest in, and I would love to hear more about it. So please reach out.

Also, when it comes to passwords, one of the most common pieces of feedback I get from people whenever they attend is that they never had any idea that the topic of passwords, which sounds so incredibly narrow, can actually be so incredibly wide. I've had psychologists at PasswordsCon talking about how your brain works in terms of short-term, mid-term and long-term memory. I've had linguists talk about how languages are constructed and how they work. I've had Joan Daemen, the inventor of AES encryption and the SHA-3 algorithm, explain how that stuff works, and I still have absolutely no clue how that works. I've had the author of hashcat introduce hashcat and how he optimized the SHA-1 function, and lots more content. But now I will introduce base16 from Twitter to talk about Secrets of the Second Factor, and, you know, no, not a scary offer, but this is one of those topics that to me is new and that I've been waiting for somebody to submit, and I'm looking forward to this one, so take it away.

All right, thank you. This is Secrets of the Second Factor. I originally wrote this talk in November 2019 and I'm like, hey, I'm going to go take it everywhere in 2020, this is going to be a great year for me. And then stuff. I did do it a couple of times virtually in 2020, kind of smaller conferences; I did do it at The Diana Initiative. I have updated the content since then, so you're not getting a totally recycled talk here, but you might have seen it before.

I'm going to level set and give you some expectations. Sometimes when you read an abstract you don't quite get the full idea of what you're about to get into. So first off, this is not about installing it. This is not saying, like, hey, you should really have a two-factor system; I'm kind of already assuming that you've done it already, so it's not going to be about that. There's plenty of other talks that will explain to you why you need a two-factor system. This is going to be about organizational security. It's not going to be about your personal security; it's going to be, like, are you defending an organization or a large company. And then the last piece, if those two things aren't super interesting to you: it will be about threat modeling and threat hunting, so there might be some tidbits and some techniques that you can pick up there.

Who am I? I kind of already mentioned I go by base16 on Twitter, and my day job is a threat hunter and incident response investigator, so that's where a lot of these stories come from. Some of my other stories come from my nights and weekends as a hacker con coordinator: I work on BSides RDU, I work on CackalackyCon, and I work on DEF CON 919. All of that is out in the North Carolina area, really big in the community there. And then I say that I'm the expert only in one room, so I'm the expert at my company and I always try to go out into a bigger room so I can meet other experts and teach other people, so that we have more than one expert in the room. And then I am a certified Duo administrator, and I just want to call out that there's no commission. I do kind of heavily rely on Duo in this talk as the MFA system. I have dabbled a little bit into Okta and Microsoft and some of the other ones, but not as heavily as Duo, so a lot of my examples are with that system, and I just use it because it's convenient, because that's what I'm able to use on a day-to-day basis.

So a little bit more about what this talk is about. I'm going to very quickly go over MFA 101, like what is it, if you don't know the details of it. I'm going to go over what they tell you, like when you first get an MFA system, or what most of the MFA talks are about, or what salespeople will tell you. I'm going to get into what they don't tell you, and then we're going to go threat hunting, and that's the really great part. And then I'll give you some conclusions and some actions that you can do if you are with a corporation and if you do have an MFA system: what you can do on Monday, or whenever it is you get back to work, and what you can action.
So just really briefly, MFA 101. For the purpose of this talk we're talking about it after the password is correct, so you've entered your username and password and then you're presented with a second factor, or the multi-factor. There are some systems that will allow you to enter a code inline with a password, but that's not in the scope of this. And then for the scope of this we're also dealing with phone call, SMS messages and phone apps. We're not dealing with sending an email to a user and giving them a code that way. I'm not going to be talking about digi keys or YubiKeys or one-time passwords very much; they do come up, but it's not the bulk of this talk. And then I'm gonna give you a minute to look at this diagram while I take a drink: kind of the basic flow, the first factor, and then doing content checks and things like that.

So diving into what they tell you. For the MFA threat model, most of what they tell you is that it's gonna be for prevention and mitigation. Prevention: getting into an account. This is a nice chart from Google, it's all pretty, about all the different ways that, hey, MFA will prevent an account from getting taken over, based on the different factors and things that you can have. And then they also talk about the problems that are mitigated, things like if you have a password policy that isn't great, or you have users that maybe do some malicious compliance. I was at another conference one time and one of the speakers was talking about, they had a policy where you couldn't use the previous 15 passwords every time they changed it, so they changed it exactly 16 times to put it back to their original password. Malicious compliance. So two-factor might help with that. And then things like phishing and credential harvesters, and I throw some caveats on there: to a certain degree an MFA system will mitigate those problems.

Now let's dive into some of the things that they don't tell you, and some of the things that you might not have heard of before. Problems persist, things like brute force. Brute force is still a thing in an MFA system. You have the brute force against the password, then after you have that, continuously sending pushes or continuously attempting the six-digit code that would be sent over SMS in order to try to brute force into an account. You still have things like social engineering: calling somebody up and then, with whatever pretext you have, requesting that code in order to bypass the MFA and get in that way. And then you still have man-in-the-middle and credential harvesting, still spoofing websites or spoofing permissions, and some of the credential harvesters now are getting a lot better, where they're actually requesting that second factor code as well and then turning around and using it.

And then one of the other problems that a lot of people don't think about is account recovery. So you have a password reset flow; what is now your MFA flow? If your user loses their phone, if they lose their phone number, how do you get them back in? Account recovery, and setting that up. Another thing is, with more factors you also get more problems. There's a lot of false sense of security, where, hey, we have an MFA system, we should be fine; that lovely chart by Google that I showed earlier said that we're cool. So you kind of get lulled into maybe more sense of security than you should have. It can also be used, if an attacker gets a password dump and they get a whole bunch of passwords, it can be used for password validation. So they enter in the password, they get the prompt for the multi-factor, now they see that, hey, that password was correct, and if that password was correct, is the rest of the dump correct? And then they see that screen for the MFA system; they can now go do more recon on that MFA system and try to find bypasses around it, build their pretext better.

Another thing is application implementation. Passwords have been around a lot longer than MFA, so hopefully your application people know how to tie into those systems and have the code and everything to do and set that up correctly. Some of the MFA systems are a little bit newer, and if you don't have very specific code to give to your application developers in order to hook into everything the way that they should be, there's always misconfigurations and applications that can kind of bypass or have workarounds in the MFA system, so that they can bypass it that way. And then I bring up the human factor, and you know, humans are bad at passwords; entire conference track dedicated to that. But also it's amazing, what I've seen in my research, how humans are not good with multi-factor: the "oh my gosh, I have to get this code and punch it in, that's so much extra work". That psychological acceptability, where they will do things, maybe not maliciously, but just to get their job done, and find bypasses and ways around multi-factor.

So I'm going to get into some of the configuration threats. When I first started looking into MFA systems and MFA logs, I'm a blue teamer, I asked some red teamers, like, hey, what do you do if you're on an engagement and you find an MFA system is set up? And they were telling me that they love the engagements where they are just very first rolling out a brand new MFA system and they have enrollment after the password is correct. So you've never used MFA before, you enter your username and password, and it prompts you, hey, give me your phone so I can set up MFA for you. If the red teamer has gone out and gotten the password already, they then add their red team phone to that account, find the person on vacation who hasn't set it up yet or is a little bit behind; they now have their red team phone on that account and just go all the way through the MFA system. The other thing with that is open self-service device enrollment. This is just allowing your users to add any device to their account, like they can freely add a one-time password device, or they can add another phone, or add another phone number to their account, instead of going through something like IT that can prove it's you. You can also kind of see how that would create problems: if you're able to get a push the first time as a red teamer or an attacker, and then being able to add your attack phone or your red team phone after the fact without having to go through any sort of checks or balances with it.

So one of the other things that they don't tell you about an MFA system is basic baselining things. So we've talked about how you probably have a very explicit password policy that says you have to rotate it, you know, every so many days, you have to have so many special characters, numbers, length and all that. Do you have an explicit, established policy about your MFA system? How are you limiting how many phones they can add, what type of phones they can add? Are you doing BYOD, can it only be corporate phones, who is issuing that, and things of that nature. Another thing you want to think about is implicit best practices: best practices for a password, best practices for an MFA system. The other thing that you kind of want to baseline with is your application teams that are going to be helping you set this up, and then your IT team, any sort of tech support that is going to have to go along with a rollout or day-to-day operations of helping users that are running and using the MFA system. And then the other thing that you want to baseline is going out and doing test scenarios in a lab, just running through the MFA system yourself through any sort of weird scenarios that you can think of, and then taking a look at those logs and establishing those baselines. Take a minute to drink here real quick.
okay so is that is that better okay sorry i wasn't close enough there um so one of the biggest things that they don't tell you is that there are logs these systems log quite a bit of information um and then the other thing that they don't tell you is that you want to bring along more data when you go look at these logs and i love logs i love getting into it and why do i at the logs tell me things i am like the log lady give me all of the logs upgrade the logs just bring them all to me because the logs tell me so much um they've told me lots of things and
now i'm going to tell you what they told me so that now you can go throughout hunt and take a look in your logs so i'm going to break all of this down the first thing that we're going to take a look at is the access device this gives us some interesting information like the client os and the browser that your users are using to log into your system on some of these systems they will also have an endpoint client so you can get some additional endpoint details so here we can see that you know they have firewall enabled hey they don't have java that's great or flash that's also great that they don't have
that installed and they're running windows defender and things like that some of the stuff that you want to bring along to these logs are things like your asset inventory because you have an asset inventory everybody has an asset inventory um those are hard um you you want to bring a list of your approved software you know do you allow users to run firefox do you allow them to run like brave or other different browsers like that and then one of the other things like caveats to this is remember that there is agent string spoofing if they're logging into web apps they can be spoofing those agent strings depending on how the system gathers that data and
then you also have browser-based apps so if you have a user and you're questioning their login they might not understand what it is they were even logging into depending on on how it displays in these logs so the thing that we're going to threat hunt in this is we're going to take a look at non-issued or approved operating systems so you run in all windows shop and you start to see macintosh logins or you start to see linux logins you might want to take a closer look at those um also taking a look at old or end of life os versions uh it was very surprising to me when i went hunting in my own
environment seeing a lot of windows 7 computers i thought we had gotten rid of all of those but they're still logging in and like where are they and what are they doing um and then you want to take a look for like restricted software here we see windows defender but maybe you are maybe you have a corporate license from mcafee or another vendor why are they running windows defender instead of what you rolled out to the whole fleet so take a look at those uh the next thing we're going to look at is the access device ip address like where where are they logging in from so uh ip address of the accessing device the location is based on ip address
lookups uh and then some of the logs will actually give you a dns lookup or the asn so you kind of know what company uh like what isp they're using to log in some of the additional information you want to bring along with that is your known corporate subnets are you taking a look at users that are on site or have vpned into your system and then are going out to the web in order to get their mfa call should they be going through that should it be split tunneling you know where are they allowed to come in through you want a list of acceptable access locations depending on your industry or your or your company there might be certain
locations where you don't want anybody logging in from and then you might also want to have an employee directory employee asset asset inventory again yes you have asset inventory employee location data so you can kind of have an idea of where people should be and then a big caveat here is ip locations can be wrong and it also varies by config and application like i was saying before vpn or coming through like your corporate network and bouncing out the ip locations can be wrong i used to work for an isp i was doing a a packet capture on a firewall that i knew was in new york city for a customer they were complaining that one of the
partners that they were trying to set up a vpn tunnel with was saying that their ips were located in puerto rico a packet capture on a new york city firewall i knew that it wasn't in puerto rico but the ip location service that their third party was was using had some stale data in it they had to go through and like use a different service in order to realize like hey the ip locations uh they can be wrong so you want to cross cross reference if you see scary location go just double check it before you start chasing it too hard so let's go hunting in this and what we're going to take a look at is tour
ips or unapproved vpn ips it's amazing how many people will like go watch go use a personal vpn maybe watch some netflix for a different country or something and then try to log into your corporate network totally forgetting that they're in a country that you don't allow um kind of interesting when you see the tour nodes trying to connect into your corporate stuff and then any sort of asn's that you might have on a list and then here's also where you can use your threat until ioc ips and asns if you're getting any sort of threat until feeds and if other people have seen malicious activity from ip addresses go hunt for those ips if they're trying to log into
your system and then you can also hunt the ip locations with just that caveat that i mentioned before it has a little bit higher rate of false positives or benigns where just know that you have to do a lot of extra or a couple of extra cross checks there before you go chasing that too far uh the next part here is the application logs so we're taking a look at the application name and the application id the other thing you want to bring along is application inventory i'm very big on inventory inventory micro management end game of everything so you also want to bring along the application logs just because a user was able to log in
you know first factor second factor did the application kick them out or do they even have permissions to log into that application uh you want to have those logs to follow up on that and then a lot of these um some of the vendors will have integrations with other major vendors and can like auto detect like oh you're using that application uh other times it's your it or whoever is configuring your mfa system is labeling those so hey you labeled this application website thank you i know exactly what the user got into there to follow up on that you know or application level config i think i mentioned that before that applications can be configured wrong or they're not
actually allowing the user in so just take a look at those what we're going to threat hunt in this data we're going to be taking a look at absence over time keeping an eye on reports how often do people log into certain applications and has that number started to drop off recently or dropped off completely you know is there an application configuration where maybe it's not hitting the mfa system like it should and then uh you also want to do application log follow-up i've mentioned that before it's getting a inventory of application logs and being able to follow up on those is really really important and then the next piece here is going to be the
the factor that's used what kind of factor results of that factor and the reasons for that factor so here we see that there's a push that's sending out to a application on your phone the result was a success and it's a success because the user approved it you also want to bring along your first factor logs if you see a bunch of failures like you're seeing a brute force was the password brute forced first and now they're brute forcing the mfa system you also want to bring along help desk tickets a lot of times you'll see weird going on and then you look up help desk tickets for that user and it's like hey they were just having a bad day um they
couldn't get their phone to work, they couldn't get the push to work, or whatever. And then just remember defense in depth: success here does not always mean success in the application. We're actually going to deep dive a little bit further into these; I have some good examples here.

So, brute force. We'll dive into this. We're going to verify this was a benign hit, because if you take a look at this it's a little bit interesting: when we break down those five individual hits, the logins appear to have completely random timing, there's no real pattern there, and we have a successful login after the failures. We're going to talk to Ivan's manager, and we're taking a look specifically at, um, we have that asset inventory, so we know that Ivan has a mobile phone, we know Ivan has a work phone, and those approved numbers. Looking at that authentication device, that's kind of weird: he has a 91, which is the country code for India, where 919 is the local area code for RTP. So that's kind of odd that he added a phone number for India to his account, because we have open self-service adding of devices turned on. So we're going to talk to his manager, and it turns out, hey, he typoed his desk phone number. He thought he had to press 91 to get out of the system and ended up coding that into his authentication methods. So we're just going to... and then also his mobile phone was on silent, and that's why the push messages were failing and not being answered. So we're going to go in and fix that for him and get rid of that phone for him, and that was pretty benign.

The next one here we're going to investigate a little bit further. Oh, we don't have asset inventory. We have no idea what Faith's phone number should be; that's very sad. We also have no idea where she should be located. So are those logins weird or not? We have no idea. Is that phone number weird? We have no idea. We see that we have a high count of failed logins: we have 27. Let's take a look at those a little bit closer. It turns out those login attempts are exactly five minutes apart, to the second, so that's a bit odd. We do have an asset inventory for the laptop, though, and we see that Faith was issued a macOS at this company, and we have a Windows system logging in, so again that's odd. So let's go ahead and talk to Faith's manager. She's on vacation, this is great. So we're just going to go ahead and disable Faith's account until she returns, and then we're going to reissue her a new password so that the attempts against the second factor are going to stop. Disable the account just in case she decides to click accept on one of those pushes that keep coming through in that brute force, and then we're going to go ahead and follow up and do further investigation on those login attempts. We had a correct password; how did that correct password get leaked out? And do further investigation on that, see if there were any users or anything.

The next one I'm going to talk about is suspicious login reporting. A lot of people that I've talked to actually didn't know that this was a thing, where you can have users actually report in if
they see a suspicious or fraudulent login. You get a push, you can say, hey, that was weird, I deny that, and then I'm reporting that as fraud. Same thing with a phone call factor: calling in, you can press one number to accept it and a different number to report it as fraud. I love this because it allows users to actively report weird things that they see in the environment, setting up another detection method for you. This happens with the push or the phone call options; you can't really do it with an SMS or anything like that. And then you have to educate the users. They have to know that it exists, they have to know that it's there, in order for them to be able to push that button and let you know. I also want to give them some information, maybe to your incident response team, like: after you push the button, could you please email us and tell us if you saw anything else weird going on, or just how to get in contact with that.

So we're going to take a look at some suspicious login reports, some logs here. We're going to verify benign again here with Ivan. The first thing that you'll notice is that his auth device matches his mobile on file, and this is pretty much always going to happen: it's going to be the original user's phone that is reporting fraud. If you're a red teamer or an attacker, why are you reporting the authentication as fraud? Probably not going to happen; that's a bad attack if it does. I'm going to take a look here, and the access IP matches the authentication IP. So that means that the phone that we're sending the push out to is in the same location, enough that it's at least going out through the same router, getting the same IP address and everything, as the access device, which could be a laptop or could be a different device. So we're taking a look here a little bit more into Ivan himself, and his Outlook status says that he's traveling. That's interesting. Let's talk to Ivan's manager: why did he report fraud? Since he's out we can't really talk to him directly. So it turns out that Ivan saw this really cool talk at BSides Las Vegas and got all excited about fraud reports and decided to sit around the bar and take some bets, and it turns out he was showing off how fast his incident response team will respond to a fraud report, so "my company's faster than yours." So we're going to verify that benign, and, like, please don't do that.

Yes, yes, the IR team gets a percentage of the winnings for responding so quickly.

So this next one we're going to investigate a little bit more. Faith is back, and the asset inventory shows again that Faith was issued a macOS and we have a Windows device logging in. We learned our lesson from the brute force and now have her phone number on file, so we can take a look at that. It turns out we talked to Faith's manager, and it turns out Faith is on vacation again, and we're going to go ahead and disable her account and wait until she comes back to reissue her password. And when we do further investigation you can see that login attempts are from the same subnet as before. We talked to Faith about her password: hey, what did you do when you changed it? She incremented it by one. That's a different password, so pretty easy to guess again and get back into the system in order to start sending pushes. But we taught her how to report fraud this time, so instead of getting just hammered she was able to report fraud and get the incident response team on it right away.

So the next piece that we're going to take a look at are phones themselves. Yeah, so phone number, or the token that you're using. If you're getting a
push, and again the IP address is based on, or yeah, the IP address of the authentication device, and then it's a location based on an IP lookup service. Again, you want to bring your employee phone book, again that inventory, mobile device asset inventory: if you're issuing cell phones out to users, or are you allowing them BYOD with some level of registration or mobile device management? And then you want to have kind of a basic understanding of phone number country codes and locations and things like that. And then the caveat here is bring your own device or open enrollment: if you're not keeping track of that at all, you're going to have no idea whether what's coming in here is normal or not. And then remember that pushes and codes don't require cellular. You can get a push over Wi-Fi, and if you're getting authentication codes out of the application itself, that doesn't require cellular, so you're not going to get an IP; sometimes you might not even get a phone number, just that they used the app to do that.

So we're going to go hunting in the authentication device data, and we're going to take a look at a mismatch with the access. So here in this log we see that the authentication device was located in California, but that access device, or that laptop that was trying to log in, is saying that it was in Moscow. So we're going to take a look at that one a little bit more. The other thing that you want to take a look at is multiples, and I'm going to get into that, we'll do a deep dive into that here, with multiple users on one phone number. So we're going to dig into these a little bit more. Here we have six users that are all using one phone number and one extension, and we're going to take a look at those users a little bit more. Those help desk agents, they all have the same manager and the same hire date, and we're going to go ahead and call that number, because that's kind of interesting that they're using an extension. And it turns out that it plays a tone, and when we look up that tone it's pressing the number one. So the outgoing voicemail message on that extension: it goes straight to voicemail and then just plays the number one to accept our MFA. So we have six people just automatically accepting MFA. So we're going to have some emails with the manager: what's going on? Oh, turns out it's a secure building, they can't use mobile, they can't use any sort of other devices. But you know what, we're going to issue them some hard tokens so that they aren't just using the same extension and bypassing MFA completely.

So the next one we're going to investigate a little bit more: we're taking a look at Grace's landline. She's named it for us, so that's nice. We have three people here and they all have three different job titles, which is kind of interesting. We're going to look into this a little bit more, and it turns out that Grace is with laptop support and she's doing some shadow IT to do her job here. So instead of going about calling up Trudy or Frank, she's actually adding her phone to their systems and knowing their passwords so that she can go in and make changes to their account and set up laptops and stuff for them while they aren't there; while they're out on lunch she can log in and set up those laptops. Turns out that the timestamps on those logins match the time frames of her support tickets, so again, having your support ticket system so you can go back and cross-reference that. And we're going to confirm that there's a password change on all of those users, and we're going to remove Grace's landline from those other users, because that shouldn't be happening, and then we're going to have a conversation with her management and make the support process more secure, make sure that they shouldn't be doing things like that. It is kind of nice, and you do notice that people can note in some of these systems, people can label their phone numbers. So one of the things that I did when I first started digging around in the logs was I threw in an easter egg, and anybody that goes in and tries to look at my logs, they're going to see that I always log in from a banana phone. So good luck looking at that.

The next example here is one user, multiple phones. And again, I wrote this talk in November 2019; you might remember something that happened in December 2020, where FireEye was able to detect an attacker in their system when they noticed a second phone on an employee's MFA. So it was added to that, but if you aren't keeping track of new devices that are being added, or you have a history, we're going to go into how do you hunt for that after the fact if you're not getting those alerts in real time. So we're going to dig into this a little bit, and we're going to do this one as benign. We see that we have the mobile inventory and we have her work phone number, and if you take a look at those a little bit closer, we do have three phones there, but one of them has been named. So where Alice previously had an unlabeled cell phone, Alice got a new iPhone, so cool, congratulations. The MFA system had a code update, so when she added that phone it decided to tag on "iPhone" for us, to try to be helpful. So she installed MFA on the new phone, which caused the MFA system to relabel it, so that's benign; all those phones are accounted for.

We're going to investigate this one a little bit more, because this is interesting. We see that we have a mobile number and a work number on file for him, and then we have these five other phones, and Bob's login phones don't match the company records, so this is starting to look weird. The logins happen at all hours of the day: he's logging in at 1 a.m., he's logging in at 1 p.m., he's logging in at just all different hours of the day. We're going to contact Bob's manager
about this and try to see what's going on, and it turns out he was outsourcing his work to other contractors, and they had his password and added all their phones to his account. Bob's doing the work of five people because he is five people.

So now I'm going to kind of get into some gray areas, and beyond the technology. You have restricted areas and SCIFs, and, like, how do you compensate and work around that? The whole thing of, like, oh, they're going to an extension: have a plan to, like, issue YubiKeys or one-time password tokens, if those are acceptable in those areas. The other thing is contractors. A lot of times contractors are given the expectations of employees, but they aren't given the permissions and abilities to do things that employees are able to do, so make sure that you level-set those, so that contractors aren't trying to use credentials of employees in order to just do their job. And then the last one is assistants, and what I mean by this is: for the call for papers for this conference, even they understand the concept that people have administrative assistants, or people that help them out with different things. There are lots of applications that don't understand this concept. So if you have somebody that has an assistant, how do they log in as that person in order to assist that person with their job? It's amazing how many people don't understand delegation in applications and are logging in as the higher-level person that they are assisting. So be on the lookout for that.

And then I'm going to get into the actions that you can take back with you. Go out and respond to findings. Limit self-enrollment; I've kind of made that clear, where it's like, hey, if you let people add other devices, they will. If you don't explain to them how backups work, you might see things like, oh yeah, I added my spouse's phone to my account, because if I lose my phone I can use my spouse's phone. What, is that allowed? Maybe think about limiting self-enrollment. You might want to limit, or just not have, phone call authentication. It's one of those things where you don't have to unlock the phone, so if somebody loses their laptop and their phone is also in their backpack, they now have access to the second factor with a phone call without having to do anything else to get into that. If you do have the phone call, you might want to change the default number on that. The group there that was able to play the tone in the voicemail, they knew that it was always going to be, like, the number one to accept that push. Just change that up every so often, so you have to actually listen to the message in order to push the right number. And then be sure that you fix what you find. You find a lot of weird stuff; just don't let it slide, like, oh yeah, this is how it's been done for 10 years, just logging in as other people to do their job. Actually dig in and get through and do that. You want to be sure that you educate your users beyond the password policy: educate them about reporting fraud, educate them about not adding other phones and things like that, but let them, make sure that they understand, or report those suspicious MFA requests and fraud. And let them know that it's okay to report user requests for sharing credentials. I had a situation where a contractor was being pressured by their management to share their credentials for the company in order to get their paycheck, because the manager, who's part of the contracting company, not part of the company, wanted to log in and basically scrape company data in order to do recruiting and things like that. But make sure that users can report things, or, you know, hey, like, this admin's away on vacation, share the password, share the credentials, and stuff like that; make sure that that can be reported and resolved. And then include contractors. I used to be a contractor, kind of treated like second-class citizens at some companies and stuff like that. You just want to be sure that you bring them along on security and making sure that they're following it correctly.

And then some of the other MFA takeaways: do not set it and forget it. Go back, read your logs. Always read your logs, all systems, read logs. Search for the unusual: figure out what normal is, and then find out what's not normal. Investigate the logs. I'm just going to keep hammering that: I love logs, go out and just read them. Some of my future research that I want to do: I haven't done a whole lot on password lists, but I want to get into that. I want to do client-based authentication, more about token duplication. I want to take a look and see if people are sharing YubiKeys or tokens and stuff between users; not something I've really gotten into. And then just to thank: thanks to my employer for on-the-job research and training, the other security professionals that shared their stories with me (and I kind of mixed those into some of these things), coworkers for my logging obsession and investigation and stuff. And then Duo has some pretty good documentation if you want references. I'll leave this slide up for a minute, and that's it, if there are any questions.

[Applause]

Even better than I expected, and that means a lot. So really, really good. Questions?
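The hunts the talk walks through (failed attempts spaced at an exact interval, one phone number approving pushes for several accounts, a laptop and its second-factor phone geolocating to different countries, and devices or operating systems that don't match the asset inventory), as an added Python example that is not part of the talk and not any vendor's tooling. The record fields, phone numbers, countries and the inventory are constructed assumptions shaped loosely like Duo-style authentication events.

```python
"""Hunt an MFA authentication log for the patterns from the talk.

Added example: not the talk's own queries or any vendor's tooling. The
record fields, phone numbers, countries and the asset inventory below are
all constructed assumptions shaped loosely like Duo-style auth events.
"""
from collections import defaultdict
from datetime import datetime


def ev(user, result, ts, access_os, access_country, auth_device, auth_country):
    """Build one constructed auth event (field names are assumptions)."""
    return {"user": user, "result": result, "ts": datetime.fromisoformat(ts),
            "access_os": access_os, "access_country": access_country,
            "auth_device": auth_device, "auth_country": auth_country}


SAMPLE_LOG = [
    # Faith: failures exactly 300 s apart, Windows box, number not on file.
    ev("faith", "failure", "2021-03-01T01:00:00", "Windows", "US", "+19195550199", "US"),
    ev("faith", "failure", "2021-03-01T01:05:00", "Windows", "US", "+19195550199", "US"),
    ev("faith", "failure", "2021-03-01T01:10:00", "Windows", "US", "+19195550199", "US"),
    ev("faith", "failure", "2021-03-01T01:15:00", "Windows", "US", "+19195550199", "US"),
    ev("faith", "failure", "2021-03-01T01:20:00", "Windows", "US", "+19195550199", "US"),
    # Ivan: irregular failures (phone on silent), then success from his own phone.
    ev("ivan", "failure", "2021-03-02T09:01:17", "Windows", "US", "+19195550101", "US"),
    ev("ivan", "failure", "2021-03-02T09:03:42", "Windows", "US", "+19195550101", "US"),
    ev("ivan", "success", "2021-03-02T09:06:30", "Windows", "US", "+19195550101", "US"),
    # Three help-desk accounts all approving pushes through one desk extension.
    ev("helpdesk1", "success", "2021-03-02T10:00:00", "Windows", "US", "+19195550150x12", "US"),
    ev("helpdesk2", "success", "2021-03-02T10:02:00", "Windows", "US", "+19195550150x12", "US"),
    ev("helpdesk3", "success", "2021-03-02T10:05:00", "Windows", "US", "+19195550150x12", "US"),
    # Bob: the phone is in the US while the laptop logging in is in Russia.
    ev("bob", "success", "2021-03-03T01:12:00", "macOS", "RU", "+19195550103", "US"),
]

# Constructed asset inventory: approved second-factor numbers and issued OS.
# The help-desk accounts have no inventory record at all.
INVENTORY = {
    "faith": {"phones": {"+19195550102"}, "os": "macOS"},
    "ivan": {"phones": {"+19195550101", "+19195550111"}, "os": "Windows"},
    "bob": {"phones": {"+19195550103"}, "os": "macOS"},
}


def fixed_interval_failures(events, min_count=5, tolerance_s=1.0):
    """Users whose failed attempts are evenly spaced: a script, not a person.
    Returns {user: interval_in_seconds}."""
    stamps = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            stamps[e["user"]].append(e["ts"])
    flagged = {}
    for user, ts in stamps.items():
        ts.sort()
        if len(ts) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            flagged[user] = gaps[0]
    return flagged


def shared_auth_devices(events, min_users=2):
    """Second-factor devices used by more than one account: {device: [users]}."""
    users = defaultdict(set)
    for e in events:
        users[e["auth_device"]].add(e["user"])
    return {d: sorted(u) for d, u in users.items() if len(u) >= min_users}


def location_mismatches(events):
    """Successful logins where laptop and phone geolocate to different countries."""
    return [(e["user"], e["access_country"], e["auth_country"])
            for e in events
            if e["result"] == "success" and e["access_country"] != e["auth_country"]]


def inventory_mismatches(events, inventory):
    """Cross-check events against the asset inventory: [(user, reason, value)]."""
    findings = set()
    for e in events:
        rec = inventory.get(e["user"])
        if rec is None:
            findings.add((e["user"], "no_inventory", ""))
            continue
        if e["auth_device"] not in rec["phones"]:
            findings.add((e["user"], "unregistered_device", e["auth_device"]))
        if e["access_os"] != rec["os"]:
            findings.add((e["user"], "os_mismatch", e["access_os"]))
    return sorted(findings)


def hunt(events, inventory):
    """Run every check; each finding is a lead to verify with the manager."""
    return {"fixed_interval_failures": fixed_interval_failures(events),
            "shared_auth_devices": shared_auth_devices(events),
            "location_mismatches": location_mismatches(events),
            "inventory_mismatches": inventory_mismatches(events, inventory)}


if __name__ == "__main__":
    for check, result in hunt(SAMPLE_LOG, INVENTORY).items():
        print(f"{check}: {result}")
```

Each finding is a lead, not a verdict: as in the talk, the help-desk extension and Bob's phones turn out to need a manager conversation, while Ivan's odd-looking hits verify benign.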
For hunting through your logs and stuff, do you use any automated tools? Is it just kind of whatever the vendors provided for that, or did you write some scripts or something to flag some of these interesting cases that might happen frequently?

Yeah, so I've written and set up, like, plays, like if you have a playbook and stuff, like writing up a bunch of Splunk queries, or some queries that will go through and find certain things.

Thanks for a great talk. When the MFA that you have is not for the employees of the organization but for your customers, like financial companies and stuff like that, do you think any of these analyses can be applicable to this situation?

Yeah, I think they could. If you were to have those logs, it might be interesting to see if there are any customers sharing information. I would think maybe, like with a financial situation there, if there's any sort of fraud going on, like maybe you have one phone on multiple users' accounts, there could be a situation of fraud going on there with customers.

Thank you. Thanks for your talk. So many of your examples showed that if we weren't using telephone PSTN as a second-factor authenticator, these examples just wouldn't exist. Sure, there's a cost associated with issuing a hardware authenticator, but it seems like your time, or, you know, the time of the IT people and the risk of loss, would largely subsume the cost of those authenticators. Why can't we get away from that?

That is a fantastic question. I don't know, like, why are the vendors still producing those sort of things? And I guess I was supposed to ask you who you are as well.

Yeah, Jim, you need to say who you are.

I am Jim Fenton. I'm one of the people, I'm a contractor, I work with NIST on user authentication guidelines.

Okay, cool. Yeah, yes, please update the guidelines, get rid of phones. Jim has talked at PasswordsCon before, and he's one of those with his name on the SP 800-63B. Yeah, so, more questions.

What kind of training do we give users to educate them without getting too nitty-gritty or, like, revealing security flaws in an existing system? How do we make that practical?

Yeah, some of the vendors do have some education, like when you first roll it out, and I think they are getting better at, like, education packages that you can use, like mail campaigns and things like that. Probably just being, like, a little bit transparent without making them, like, too curious.

You had several examples in here, some of them crazier than others. What's the sort of craziest thing you've ever found? War stories from reality?

Yeah, some of those were not reality at all, and then some of them were, and I'm just going to, like, leave that up to the imagination which ones were. Protect the innocent, maybe.

I think it's soft time for me to do one of my stories, which is for real. I've told this one, I've included this in talks before, but there might be new people here as well. And this story is something that I did as a pentester doing password cracking many years ago, in a galaxy far, far away. And it's also very interesting to see how social and cultural differences play a role when I tell a story, because together with a friend of mine we did a penetration test and we cracked the passwords of a lot of people. And there's a vista for you here, Susan. All right.

So we had a really lovely, yep, can you hear me? Yeah. We had a really lovely speaker request for all of the staff and volunteers at BSides to be excellent to each other, so that we could be excellent to all the other participants. So with that in mind, it really touched us; we'd like to present you with something as a result.

Cool. [Applause]

Thank you, Demon.

So, to continue my story: we were able to crack the passwords of approximately 5,000 people, that easy, Windows, long time ago. And then we also found a Windows directory where we found pictures of all these people, like headshots being used for physical access cards. And this wasn't part of our assignment, but we had an evening where we, you know, we were drinking beer, and I can't remember today who came up with the idea, but the idea was pretty simple: do you think men or women have the best passwords? So we had 5,000 pictures and we had 5,000 passwords. We put everything into a database, and then we spent a couple of days, two guys, analyzing pictures. And we looked at gender, which is, I should say, fairly easy to identify from pictures. We also identified if the person in the picture was using glasses and used that as a thing we could check for. We also looked at hair color, including no hair or gray or brown or black, and also facial hair. And when we had done that to 5,000 pictures, we could do queries into the database, and what did we find? Number one, we found that women prefer length.

Some people don't dare laugh, and mainly it is men laughing; there might be a few women as well. But this is about passwords. So we found that women on average had longer passwords than men. We also found that men prefer a wider selection in characters: they used more different letters from the alphabet and special characters and so on. And in Norway, at least in our culture, it's the thing that, and I'm sure to say this, blonde women are supposed to be just a little bit more stupid than everybody else. But blonde women didn't have the worst passwords. The worst passwords belonged to males that go into the category of "Unix guru," and that is a category we had to create based on hairstyle and beard style, so you can imagine the rest. They had the absolute worst passwords. And now the end of the joke: the person type with the best passwords were women with red hair, and that is something I just cannot understand, due to my ex-wife being a redhead. And with that, thank you, and our next talk will be at three o'clock, so be back then. Thank you. [Applause] Okay.
Escape to exit, and then just, I'll tap to give focus. Unfortunately you're going to have to look there while you're talking.
okay so we'll get started again um sort of a background for this talk is that i think i believe that when we are discussing passwords we are giving our password advice when we are talking about password cracking which we love to do we are most of the time focusing on english names and words a vast majority of all research is heavily leaning towards english even me with norwegian being my native language there is a lot less research about that we had an excellent talk several years ago in stockholm from somebody living in south africa talking about exactly that he said that if you know swahili as an example and you can do a very simple
password in swahili chances are pretty small that the bad guys will be able to crack it because they just don't have a word list in swahili available and today i'm really happy to have back again dimitri from south africa and his colleague ethan that will be talking about the one with the foreign word list and i'm not gonna say that's a continuation of that previous talk but again research into passwords and passphrases that are not necessarily strictly english or using standard english alphabet so please take it away [Applause] thank you bear thanks thanks everyone for attending today just some background on us so i'm dimitri fusekis i'm the chief technology officer at bcs group which also owns
a company called bit crack cyber security we're based in south africa and we operate throughout africa handling cyber security pen testing assessments advisory password auditing and so forth so ethan is one of my colleagues he's a security consultant from the company so we'll both be presenting this part today as per mentioned we have done i've done some talks before on passwords having efficient password lists but what we wanted to do was look for new and different ways that people are creating their passwords especially now and especially since that talk was given i think you said seven or eight years ago i can't remember how long ago it was we've also changed a lot a lot of the
dynamics around how we enter passwords now a lot of it is more done on a mobile device than it is for example on a keyboard in front of a a computer which is why we're also going to touch on a few things related to entering passwords on a mobile device but when it comes to foreign word lists what we wanted to touch on was what makes an efficient word list right very briefly i'm not going to go into too much detail on that but it's the reason for why also we want to discuss foreign word lists by my english is when we will now start looking at the foreign word list the one with the emojis so coming to the
cell phones again generating passwords on on cell phones is very common these days which means we have a keyboard that can also do emojis now and that also creates some complexity some websites will die a horrible death if you try and use emojis but some will not so if those passwords are leaked and there's password hashes up for being cracked emojis could be in there and then putting it all together we'll just show you some brief tools that we created to help you do that they'll be on github uh shortly after the talk and we hope that you'll extend them and work with them and get them to do more and then of course the mandatory cat picture for pear i
hope you'll i hope you like it good so we can now begin okay so what makes an efficient word list and as i said we're going to spend too much time on this but i wanted to highlight actually the opposite what's not efficient and why we thus want to have these targeted wordless so big wordless they're not efficient right especially if you've got slow passwords that you want to crack if you've got a 25 gig word list and you've got a ton of gpus and you're cracking md5 that's great you'll you'll get through them switch to assaulted hash switch to bcrypt something like that and your great grandchildren will still be watching the job running
so we want to create efficient wordless especially ones in foreign languages what about numbers in word list we want to leave these out as well the reason i'm mentioning numbers is because they'll come up in the emoji side as well we generally don't want numbers and word lists because brute force rules can generate those very quickly we can append them to words or stick them anywhere in a wordless candidate so there's no point to really having uh numbers in our word lists except maybe when we're dealing with emojis and you'll see why when ethan does his part there may be a good point to having your rules output some words with emojis and the golden wordless rule that i've
stressed before all those many years ago if a rule can do it your wordless shouldn't have it okay because if your word list has all the things your rules could do instead of using the computational power of your gpu you're just using text files and hard disk io and it's pointless because you're shoving those planes into gpus and you're just doing a glorified comparison rather than getting work done on the process of the gpu so try and keep the word list as simple as possible let rules do all the work that needs to be done on that so for the first part the first technique we're going to look at to today is something called
translation when it comes to foreign word lists now i don't know if any of you have had experience with chancellor alliteration if you've ever had to translate into other languages uh you may have come across transliteration what is it so according to the dictionary it's defined as representing or spelling in the characters of another alphabet right so it's not translation it's transliteration but it can happen after translation okay so if i've got a word in one language i are translated to another language right and that language could be say it is russian or arabic or greek or something without a standard latin character set that's all good and well and we can find many dictionaries on the internet with
russian words with greek words without with arabic words but what most people do is that they're sitting in front of a keyboard that's got latin characters or english if you want to call it that but let's call it by the proper name which is latin character so what do they do they think of the word in their in their home language but they type it out the way it sounds on the keyboard that's transliteration so let's look at an example if we take the word alphabet okay that's what the translation to alphabet is in russian okay now a russian person entering a password on a website may think to themselves well let me take this word and rather type it
as it sounds and so i'm not going to enter the russian character so we could have a dictionary with a lot of russian words in it some nice unicode there you could brute force if you're using hashcat or john unicode characters yes you might come past this word at some point but there's a good chance and we see that a lot in the passwords we crack that the person didn't actually type it in that character set what they did in fact was they used transliteration which is here on our next slide okay so they took how the word would sound in their language and they wrote it out in latin characters and then they add all the bells and
whistles to it so we can have adding of numbers we can have special characters we can have case sensitive toggling uh we can add special characters to it we can do quite a lot right now if you were only working off of english this word wouldn't come past in your dictionary right because it's not an english word its base started off in russian and we see it sounds like the word alpha vitamin excused my russian pronunciation but i'm dmitry the greek version not the russian one so my russian's not good and alphavit could have been written like that and thus we would have missed it in our in our dictionaries if we were trying to crack these passwords even if
you're brute forcing. Okay, we're not assuming that was the password; we're assuming it's going to be a complex one, and something that's got to go through rules to actually be effective. So how do we generate these words? Okay, because we could do it manually, but manually, I mean, you go take a Russian word: what does it sound like, how's it pronounced? Okay, let me write that in Latin characters. All right, like brute forcing bcrypt with a large word list, your great-grandchildren will be doing that work as well. What about dictionary mappings? Not exactly easy, because it's long and it's hard, and the other thing is it may not understand the pronunciation of the
word to actually give you an answer. Right, so when I'm saying that word in another language like Arabic, Greek, Russian or Chinese, how does it sound, and how do I get that into English, or non-standard characters back into the Latin characters? So we leveraged a service, and both Google and Microsoft offer the service; the Microsoft one is just a lot easier to use. It's called Microsoft's Azure Cognitive Services, and it's actually not designed for this. It's designed for all the fancy things like auto-completion of words on your apps, translation, translating sentences and keeping the right intent in it, but one of the features it does have, the feature that we're using, is
transliteration, where it can take a language like a Russian word or a sentence, give you the translation of that into how it sounds, and then give you the English transliteration, sorry, the Latin characters translation for that. So if we come back to this slide, right, that word running through Microsoft's Cognitive Services came out with that. Okay, now something else to keep in mind is that these characters might not always be what a person will use. What do I mean by that? Right, maybe some of you can pick it up, but if I'm a Russian person and I'm pronouncing 'alfavit' and I'm not using an English or a Latin keyboard to type
'alphabet', I might not use an i, I might use a y, so it might be a-l-f-a-v-y-t. Okay, we'll touch on that just now, because that means some rules are required in these word lists to get them to be even more effective than just dumping out a bunch of words and using them. So, Azure Cognitive Services, just a warning about this. Okay, like any service out there, especially when you spin up your AWS machines and you do something and you forget about it and then you have to sell your house, something similar might happen here. Okay, there's a free tier in Azure where one million characters can be transliterated for free; after
that, you need to use a paid service, and that's going to bill you per character. So if you take the tool as it is and you shove a 25 gig word list in it, well, it's gonna be a bit expensive. Yeah, the hard way. [Laughter] Okay, so it's going to get expensive. What we've done, and I'll get that on to the next slide for you, we've done some things to help you out; we'll continue putting them on our Git as we go forward. But what I want to show you quickly, if I can just escape from here, is coming to our console here. Okay.
Okay, I'm just going to show you the code here; it's very easy to use to go forward. So what you do is, we come to the bottom: you'll get yourself a subscription from Microsoft's Cognitive Services. It'll spin up an endpoint for you that you can use; you simply add your location, you add the endpoint using the translate endpoint. This code will be online, you can take it and work with it, and then you go from there, and when we get to looking at the tools I'll show you what the output for that is. Now, what we did is we took the English dictionary and we shoved it through the service. Okay,
and it's a two-stage process, but thankfully Microsoft Cognitive Services returns both in the same reply. So we took English, we said: take the English dictionary and convert it to Russian, right, then how would that Russian be pronounced, give us the transliteration in Latin characters, and that's when you get output like this. Now, okay, so it's the English dictionary, and that's obviously the end of it, I'm not showing you the whole thing. It's the English dictionary and we've translated it, and at the same time taken the pronunciation and transliterated that, and now we have a whole bunch of nice base words to use when we're cracking our passwords. To help you, we've done three languages
through the engine; I'll put those on GitHub for you. You can use them as base words and you can extend it further. Obviously, like I mentioned, be careful, because once you pass the free tier your credit card is going to start being billed for the output coming out of this. It's not overly expensive, I'm just saying, just keep an eye on what you're doing. And the reason I mentioned rules are so important is: never, ever give this your dictionary with a whole bunch of junk in it, right? Because if you give Azure 'airplane123', Azure is going to say, well, this looks like a spelling mistake, I'm sure you meant 'airplane'.
Right, now say you've got a thousand of those: you've actually paid to translate the same word a thousand times, because Azure is going to either give an error or it's going to say, I think you meant this, and it's going to give you the word. So you actually do duplicate work. So make sure the input dictionaries into the Cognitive Services, when you use these tools, are very base dictionaries; they have nothing extra added to them, so that it can just give you the raw output of what it sounds like when translated into English. After that, there are some rules you can consider, like I mentioned, and we'll put these up on the GitHub as well.
Okay, because people are not Microsoft's Cognitive Services, right? They think differently, they get into habits. So someone who is Russian, maybe, and typing these words on an English keyboard the way they sound, may not use an i where it should be; they used a y instead. Maybe they didn't use a k, they used a c instead. So now, you don't want word lists with this, because, like I mentioned, you want your word list to remain efficient and fast, but you want rules to plug into your password cracking: offload it to your GPU, let it do all the hard work here of figuring out all these iterations of what the person could have typed while they were busy with it.
In case you forgot or you don't know, okay, this is a standard hashcat rule: the s means replace x with y. So replace a y with an i, replace an i with a y, replace a c with a k; I'm sure you get the drift. You can build on these; we have done quite a lot of this, so I'll publish those on Git for you as well, what we've done in the various languages as we've looked at what people could have used. Right, so for example Greek: if you're translating the word, say 'drink' in Greek, right, so 'poto' could be p-o-t-o when written on a Latin keyboard, but Greeks have the omicron and the
omega, which looks like a w, so the person could maybe have used a w instead of an o. But the cognitive engine won't know that; it'll give you p-o-t-o as the output, and so these rules will then come in handy to fix those minor things where humans have changed it by using a character that could have been something else. So that covered the first technique. The second technique we're going to look at is keyboard walks, with a difference when it comes to foreign languages, and this is an interesting one because I didn't realize how often it actually gets used, but it's used quite a lot. Not really on cell phones and tablets,
but certainly on computer keyboards and keyboards where people type. Okay, a normal keyboard walk, this is not what we're talking about, right? I'm sure those of you in the know will know what a keyboard walk is: you have a pattern, you don't know the password, you know the pattern on the keyboard, right, so I go and a password comes out of it. Okay, and there are various tools that can do that; hashcat's got a few, others have a few, right, not complex, there are many ways to do that. But how does it tie into foreign word lists? Right, if the person's used that... well, we're going to look at a keyboard now. It's called the perma keyboard; it's a Chinese keyboard,
one of the many Chinese keyboards out there. There are simplified ones, there are non-simplified ones, there are a whole lot of different ones. But what we're going to do now is we're going to look at a keyboard walk based on the assumption that one of two things has happened: either the person typed the word in Chinese but left the keyboard set in English, or typed the word in English and left the keyboard set in Chinese. Right, so what happens then is, I'm thinking of the word 'password', right? So I'm a Chinese person, I speak English and speak Chinese, and I think, let me type 'password' in, but I'm going to be clever, as it were, and what I'm going to do is I'm not
going to leave the keyboard in English; I'm going to set the keyboard to Chinese and then type the word 'password'. Now, if we do that, then we press a p and an a and an s and an s and a w and o and r d, and that's what comes out in characters. Okay, it means nothing, you can't translate it, it's not a word, right? It looks pretty random, and if you came across that in the past in hashes you were trying to crack, you may look at it and think, but we're now trying to translate it, it's not working. That's because the original word was actually thought of in a different
language, but it was typed on a multi-language keyboard with it set in the other language. So the person hit the right keys, but the keyboard entered what each one of them is in Chinese Simplified, and that's what came out as characters. And then they might add their fancy things like a few exclamation marks, or, well, we know users, it's not complicated, chances are it was 'August22' or something. But the fact is that this is pretty random from our point of view. And the opposite could be true, right? The person could have thought of the word in Chinese but typed it on this keyboard set to English, in which case it'll look like
gibberish to you, but there are actually words. So what we've done is we built a tool that'll also be on GitHub, and it's going to take a few of these keyboards and say, okay, give me the input language and I'll show you what would have been output if the person entered it in that language but set the keyboard to its actual language, or the other way around. And so you would get a nice word list filled with these random characters, as it were, even though they're not actually random characters. So those were the two techniques I've covered for you now: the transliteration, which is, how does it sound in that language but I'm typing it in Latin
characters, right, very common. So when I crack some hashes using those base words, it does crack a few of the open stuff that you can find lying around on the internet. Remember to think about the target, right? So if it's a Russian website where you've got hashes that you've legally obtained and you're trying to crack them, okay, you're not going to use Chinese transliteration as much as you are going to use Russian. You can if you want to, but I'm saying give it some thought as well when you're working that out. And then on the keyboard things, think about your targets as well, because it could be that it's an Arabic keyboard,
right, but the person thought in English but typed it in Arabic mode on the keyboard, and so we've got a bunch of Arabic gibberish which actually makes sense if you look at what was typed when they walked the keyboard. So up next we're going to introduce Ethan, and he's going to take us through the one with the emojis.
The one with the emojis. So why do we need to account for emojis in our password lists? Well, for starters, there's increasing support for it. On our mobile phones we've had emojis for ages, and you're seeing now in Windows 11 they've just released an emoji keyboard; Macs also had it for a while. So a lot of devices have support for emojis, so it's no longer the case where you'd maybe make a password on your phone and then when you get to your desktop it wouldn't work because there's no emoji support there. Also, our heavy use of our mobile phones: everyone has a mobile phone, and using emojis has become part of our lives. We use it in our text messages;
it's really become part of our language, so it's only natural that it also become part of our passwords as well. Again, a lot of accounts are only used on our mobile devices. If we think about things like Instagram, TikTok, Uber, they're all accounts that we only use on our mobile devices, where we have emojis. And then there are a lot of emojis: over 3600 emojis in the Unicode standard, so this is a very, very large character set that we need to take account of when we do our passwords. Perfect. So what does our tool do? Well, our tool works on the assumption that people would use emojis in phrases in their passwords. You can generate a random list of the
most frequently used emojis and use that to try to crack passwords, but what our tool does is it will take a phrase, for example 'I love my dog hashcat', and then the plaintext password of that could be 'ilovemydoghashcat2022', all together without spaces, and then the emojified password of that would be 'I', beating heart, 'my', dog emoji, hash emoji, etc. etc. There were a couple of challenges that we faced when making this tool. First off, there are a lot of emojis. For example, the word 'love' could have well over 20 different emojis related to that specific word: it could have the heart emoji, the blue heart emoji, heart eyes, kissy face, all those
different ones could portray the word 'love', and the same with things like 'dog'. So what we had to do is generate all those different combinations. And someone might have only used one emoji in their password, they might have used two, they could have used three, etc. etc. So with this tool we really try to generate all the different possible emojis with this, or passwords with this. Well, that does mean that you're gonna end up with a word list that's quite big if you don't have a really specific input file with just a couple of words or phrases. Another challenge was the different skin tones. If we think about just the thumbs up emoji, or 'good' emoji, there are five
different other skin tones, and we need to take account of that as well. And how it works with emojis and things like skin color, or color, is it's actually two different Unicode characters: we have one Unicode character for the thumbs up and then the next Unicode character for the color brown, and combined they generate the brown thumbs up emoji. So we also generated that in our tool. Tool input: so our tool can take in a variety of inputs. You can take in something like a book or Wikipedia page about someone, some sort of article, and we're also using n-grams to do this, and what an n-gram is, is a collection of n number of words or
sample text with the highest probability of what the word will be next. So for example, I've got the Wikipedia page of Formula One driver Max Verstappen, and in there we can see that after the word 'Max' the most common word that would come after that would be 'Verstappen', and then when he was born, 'born 30 September', and so on and so forth. So you could feed it anything from a book or Wikipedia page and generate passwords like that. Another thing you can take in is just a text file of passwords. So you might have in your password list something like 'ilovemydoghashcat2022'; you would have to have the numerical value in there,
otherwise it won't get transferred into emoji, and then the tool will just split that up into the different words in there, so 'I love my dog', and then it'll change all those words into emojis. So, options for the tool: obviously just the in-file option, the file you want to take as input for it; out-file; spaces, you can choose if you want to have spaces in between the words or if you'd just like them all stuck together; numbers, if you'd only like to emojify the numbers in your password, you can also choose to do that; sub-char substitutes all available characters instead of just the words, so for a password like 'foxmoon19'
there's an emoji for the character, for the letter o, for x, for m, and what that will do is it'll just generate 'foxmoon' with all those characters being emojis, and also generates all the different combinations of that. Dash n, this is for if you're using n-grams for something like a book or an article, and then dash n is just the number of n-grams, the depth that you want to go to. So just for a quick demonstration.
Oh yeah, escape. Okay, cool.
Good, so just go to our tool, python.name, can I have our input file?
I think it's 'test', yeah, and then out-file. Okay.
So this would just change all of the words in that text file into an emoji. So just for example we can look at what our input was. That was, sorry,
apologies, it's very difficult to see up here. So that would just be our example file: 'I'm a fan of the Red Hot Chili Peppers', I'll put that in there, and then the outputs,
is it in it? Did you see our out-file?
So there would be our output file of all the different emojis and all the different combinations. Where's it gone?
Of all the different combinations of that word, and I can't zoom it, and it'll go through all the different combinations of that, just with the emojis in there. Cool, handing back to Dimitri.
Okay, just so you can see it a bit clearer. Okay, so if you go back to the beginning, okay, so that's what it took with 'Red Hot Chili Peppers'. Okay, so obviously it's going to iterate, as Ethan mentioned, through the different options of what could be 'red hot', right. Okay, that's the mask; again, as we go down we get to the next one. Okay.
So as Ethan mentioned, it can get complex with emojis, because different people use emojis to mean different things, right? Okay, like when I'm happy I might use an emoji with a smiley face; someone else may think thumbs up means I'm okay, so I'm happy. So we have to iterate a lot based on intent as well, which does make the file bigger, but depending on what hash you've got it can get through them quite fast. You can also use stdout on the tool and pipe it straight into hashcat, so you don't even have to wait for the word list to generate either. I'm just going to exit this quickly.
Okay, so if we come back to our
slides where we were. Okay, so putting it all together: so we've had a look at the one with the emojis, we've had a look at the keyboard walks, so looking at transliteration, right, if I have a file, let's call it test1.txt, okay, and we put some words in there, base words that we want in our dictionary. So let's take 'aeroplane', let's take 'potato', someone give me some words, nouns... 'garden', gar...
Okay, good. Okay, so what we'll do then is we will call our tool, right, and we're going to say that the in-file is test1, okay, we give it an out-file, test1.out, okay, and then we give it the language. So what I want to do is, let's take Arabic, right, 'ar'. So I'm asking the cognitive translator: translate it to Arabic, how does it sound if I speak it in Arabic, and give me that in Latin characters. And hopefully, if it works, we should get some output here. Okay, so there we have some output, I'm not sure if it's big enough to see. Okay, so what it did is it translated
'aeroplane' to 'tyra'... my Arabic is also not good, right, so if I'm pronouncing it wrong, forgive me. But so it took the word, translated it out, and then gave you what it would sound like. Again, the tool will be on GitHub, and, you know, take it and change it, make it better, get it for what you want it to do. There's no threading, for example; the reason I didn't put threading in is because I was worried that might burn my credit card even more than it has already. But yeah, so just be careful, because if it goes wide Microsoft's going to be smiling at you
with the amount of what you're doing. But like I mentioned, we will over time be translating base dictionaries for you into these, so just visit the GitHub page every so often, which, like, if I go back to here... so it's not there yet, don't visit it yet, we haven't copied the stuff over, but from this evening or tomorrow, if you visit it, I will tweet it out as well, you can then visit it and we'll start putting this stuff up there, and you're welcome to fork all the tools and create your own, change them as you want to, and do that. So that's how we covered foreign word lists.
I'd like to thank everyone also. Some of the stuff we've done has been studied before; we're just changing the way we're adapting it. So we've got some people to thank for research and stuff that they've done as well: wordninja, emoji translate, the Natural Language Toolkit, hashcat of course, those people whose names I don't want to destroy, and then, yeah, for Microsoft Azure Cognitive Services, I'm thanking them for taking my money. Thank you very much, but the service is good and it works well. Like I mentioned, there is a Google one as well, if you want to play with that one; we're not using it in our
tool, but you can also play with the Google one as well. Give it a try, see what it's like, and you can build off that. Thank you very much. [Applause]
Questions for Dimitri and Ethan? Sure, while they're asking I'll put it back up. I have a question. In my language we have a... someone wanted this one, I think. I'm just going to add the Twitter account as well while you're asking questions, so that we can also... Yeah, I have a question for you. Yeah, can you say anything about any success rates you've had with this? I mean, the tool is awesome, the concept is awesome, but have you been able to crack, like, one
more hash, or are we talking... what are we talking about? How much have you improved your password cracking capability with it?
So we did crack a few hashes on some publicly available lists. We didn't try to target them specifically, so the word lists we created were more for the talk than for actual targeted lists out there. We tried them on a few from the Hashkiller website, but again, it's too vast to actually know what they could have been. They were uncracked hashes that some of the password crackers have tried and didn't get, and a few cracked out of
that. Where I would see it working a lot better is in a corporate environment. So if you get NTLM hashes, especially in corporate environments where they've got the multiple keyboards, pretty sure you'll see quite a bit of that. And you'll see it if you can get hold of hashes, well, maybe add the disclaimer, if you can legally get hold of hashes from websites with mobile registration: you'll come across a lot of emojis on there. Like Ethan mentioned, although the keyboards are available in Windows and Mac, I don't think the uptake is as high as when they're creating them on the mobile devices.
Your example of the keyboard walks is something that I actually saw
when I was cracking passwords illegally in Ukraine, like 15 years ago. So people were doing that back then: they thought of something in Russian or Ukrainian, and they sort of looked at the Cyrillic characters, but they actually typed in what became English characters into the system, and to me it was complete nonsense until I realized what they were actually doing. More questions?
I think there's a question, probably more for Ethan. Some of the conversions to emojis that you had ended up being very short; like 'I love my dog' could be 'I', heart, 'dog'. And I'm wondering if websites and so forth are counting the minimum password length wrong. You know, if it's supposed to be eight characters, are they counting, you know, each emoji as like four or something like that, because that's its length in Unicode?
Well, it depends. So a lot of the emojis are just a single character, a single Unicode character, but then again some of them, with like different colors and stuff, it's two characters.
Right, you'll see it as two characters. But even the emojis that are a single character, it takes multiple bytes to represent that, so it might be a four-byte-long Unicode character to represent that emoji. Yes, but it will still be only seen as one character. Okay, yeah, I'm hoping that they're seeing it as one rather than four; otherwise you're going to get some really, probably easy to crack, two-character passwords. Yes. Sorry, just to add to that: so what I think a lot of websites are doing as well is that they're taking the input, if it's Unicode, they're then catering for, okay, it's Unicode, so don't look at the actual
Unicode itself, but work out how many characters I've got in Unicode, rather than how many plain text, with the actual Unicode written out as 'U+1' or whatever the hex value is for that. Okay.
So thank you again Dimitri and Ethan, great talk. Now there will be a break until five o'clock. Some changes are coming: Jeremy Gosney couldn't come and he had to cancel his talk, and magic happened, so he is now at a hotel and hopefully he will do his talk, 'Passwords, but make it nihilism', at five o'clock. I will gladly skip my talk for listening to him, so I really hope that you will be back at five o'clock, and I
will go look for Jeremy right now. Thank you. [Applause]
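The Q&A at the end of the talk turns on how a site should count the length of a password that contains emoji: a thumbs up plus a skin tone is two Unicode code points, one character as the user sees it, and several bytes on the wire. The following is an added example written for this page, not the presenters' tool or any project code: a small Python length checker that reports code points, UTF-8 bytes, UTF-16 units and perceived characters for the same string, and a policy check that counts perceived characters. The sample passwords are constructed, and the grapheme-cluster rules are an assumption of this example, a simplified subset of Unicode's (combining marks, Fitzpatrick skin tone modifiers and ZWJ-joined code points attach to the preceding character; regional indicator flag pairs and rarer cases are not handled, and a production check would use a full grapheme segmentation library).

```python
"""Added example (not the presenters' tool): how a minimum-length check
should count a password that contains emoji.

The Q&A above notes that one emoji may be one code point, two code points
(thumbs up + skin tone modifier), or several bytes. A policy that counts
bytes overstates length; one that counts code points still overstates it
for modifier and ZWJ sequences. Counting perceived characters (grapheme
clusters) matches what the user sees. The cluster rules below are a
simplified subset of Unicode's (an assumption for this example).
"""
import unicodedata

# Constructed sample values (not taken from the talk's output files).
THUMBS_UP = "\U0001F44D"              # single code point
SKIN_TONE_MEDIUM_DARK = "\U0001F3FE"  # Fitzpatrick modifier, type 5
BROWN_THUMBS_UP = THUMBS_UP + SKIN_TONE_MEDIUM_DARK
# "I" + red heart (U+2764 + variation selector) + "dog": the "I heart dog"
# from the Q&A
I_HEART_DOG = "I\u2764\ufe0fdog"
# man ZWJ woman ZWJ girl: five code points rendered as one family emoji
FAMILY = "\U0001F468\u200d\U0001F469\u200d\U0001F467"

ZWJ = 0x200D  # zero width joiner


def count_code_points(pw: str) -> int:
    return len(pw)


def count_utf8_bytes(pw: str) -> int:
    return len(pw.encode("utf-8"))


def count_utf16_units(pw: str) -> int:
    # What JavaScript's String.length or a UTF-16 database column reports.
    return len(pw.encode("utf-16-le")) // 2


def _extends_cluster(ch: str, prev: str) -> bool:
    """True if ch should be glued onto the cluster that prev belongs to."""
    cp = ord(ch)
    if unicodedata.category(ch).startswith("M"):
        return True   # combining marks, including U+FE0F variation selector
    if 0x1F3FB <= cp <= 0x1F3FF:
        return True   # skin tone modifiers (category Sk, so listed explicitly)
    if cp == ZWJ or ord(prev) == ZWJ:
        return True   # the joiner and the code point it joins to the cluster
    return False


def count_graphemes(pw: str) -> int:
    """Simplified grapheme-cluster count: perceived characters."""
    count = 0
    prev = None
    for ch in pw:
        if prev is None or not _extends_cluster(ch, prev):
            count += 1
        prev = ch
    return count


def describe(pw: str) -> dict:
    """All four lengths side by side, to show how far apart they can be."""
    return {
        "graphemes": count_graphemes(pw),
        "code_points": count_code_points(pw),
        "utf16_units": count_utf16_units(pw),
        "utf8_bytes": count_utf8_bytes(pw),
    }


def meets_min_length(pw: str, minimum: int = 8) -> bool:
    """Policy check that counts what the user perceives as characters."""
    return count_graphemes(pw) >= minimum


if __name__ == "__main__":
    for label, pw in [("brown thumbs up", BROWN_THUMBS_UP),
                      ("I heart dog", I_HEART_DOG),
                      ("family", FAMILY)]:
        print(label, describe(pw), "passes 8:", meets_min_length(pw))
```

Counting bytes would let a two-emoji password pass an eight-character minimum (each emoji is four UTF-8 bytes), which is the weak case the questioner worried about; counting graphemes rejects it. The same distinction matters when the stored length or the entropy estimate of a password feeds a strength meter, since a byte count overstates both.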
...and the bartender says, what? Put on your face mask. Yeah, would that be some sort of way of saying, you know, you need to get salted, or... Ah, I'm up here, I'm allowed to not wear a face mask.
It's the privilege of speakers to speak without face masks.
There's been a new leak: all PIN codes being used for credit cards have been leaked online. There's a file, you can download all of them. Even... yeah, every single one. So now you need to change your PIN into something...
Do people not watch...
...stuff, and she did a talk about the ethics of doing password cracking, because in most cases we are downloading data that has been copied illegally, or stolen, or whatever you want to call it, from some service, some company out there, and we crack the passwords, we see the emails, we see the usernames, the real names and so on of those people. And there's the thing about, you know, is this legally allowed to do, is it ethical, is it moral to do? Now, during the years I have experienced my fair share of... and I've been thinking a lot about this, what I have done myself, cracking millions and millions and millions of
passwords during the past 22, 23 years, and still ongoing. And I also thought that, well, doing that as a talk to finish off PasswordsCon in Las Vegas is probably not the best idea I can do. So, and now also waiting for Jeremy Gosney, I thought that, well, instead of just doing sad stuff, I will show you a couple of slides that I've been doing lately as part of almost a lightning talk, with some fun stuff in it. Some might have seen this before, some might not, but I will start with the simple part. So this is the license plate of my car; zero points for guessing what it says in Norwegian on that plate.
And this is also the quote that I have on Twitter. I said, 'I have a reputation to maintain. I have it verbally from Cormac Herley at Microsoft Research, with a witness present, that he's interested in passwords, while I'm obsessed with it', and I do ask Cormac to please confirm the statement, and he responds in public: 'Confirm. I have a healthy curiosity while Thorsheim is pathologically obsessed.' And I'm actually proud of getting that from Cormac, because he's really good at his research, and he has done research into passwords and usability stuff for quite a few years. You might also have seen this, but I use this to sort of exemplify what I say is the value of a single password.
This happened quite a few years ago. This is Twitter, this is AP, Associated Press, one of the largest news agencies in the world. At the time they had two million followers, and one day they suddenly tweeted the message saying, 'Breaking: two explosions in the White House and Barack Obama is injured.' Now, there were never any explosions there, and, you know, Obama was never injured in any way, and it's sort of crazy to think that way: well, why would a news agency put out a tweet like that? And it's also interesting to see that in this case this tweet appeared only with Associated Press on Twitter; it was not mentioned, it was not published in any other media, no
other channel at all of Associated Press, only on Twitter. And this was before Twitter had two-factor authentication, so you can probably guess where I'm going with this. And this is the Dow Jones index that day. You can see in the morning that, you know, the Dow is going up and it's pretty good, looks like a good day, and you can probably spot the location where suddenly AP tweets that there have been explosions and the president is injured. Now, that drop in the Dow Jones index was 136.5 billion dollars in worth. That's a lot of money, and they had to stop trading to figure out, you know, what the hell is this message from AP about, and of course, yep,
this is not for real, and they could re-establish trading, and everything went smoothly, at least it looks like that, the rest of the way. And this happened because... Jeremy Gosney is in the house, the man, the legend. Hi Jeremy. Hi, hi baby doll, hi family. [Laughter] I just started talking, waiting for you, Jeremy, I'm just filling in with some drop. Yeah, yeah, that's exactly what it lists. Just... the point is here, AP got phished. Two or three, maybe four people at AP got an email, they clicked the link, one of them was tricked into giving away username and password for the AP Twitter account, and it was actually the Syrian Electronic Army who claimed to have done
this. They have ceased to exist, I think; I don't know if they're dead, but they did a lot of really interesting hacks back in the days. And I say that, well, the value of a single password is 136.5 billion dollars in the worst case. And even more fun, I said this one earlier today, but here's the graphical explanation: Operation Face Factor. 5000 photos of people, and also we knew their passwords, and we decided to stuff it into the database and analyze the data. So me and my friend, we looked at gender, we categorized by whether the people were wearing glasses in the pictures or not. The pictures were pictures from access cards, physical access cards.
We also categorized by hair color, saying, well, there's no hair present, it could be blonde, super blonde, brunette, redhead, black or silver fox; you probably understand what I mean by that. And of course you can also have facial hair, so we said, well, there's no facial hair, there's the moustache, the small beard, the full beard, and looking at these pictures we had to define the category of Unix guru; I don't have to explain that anymore. And we also had a category of porn donuts; you probably know what that is as well.
Yeah, the very short one around your mouth, that's the porn donut; that's like back in the 80s, watching American crime on TV. I guess that's the point, that's... okay, porn stache. Okay, so we did this stuff, stuffed it into a database, then we could do the queries, and what we did... well, we found that women prefer length: on average, women had longer passwords than men. And we also found that men preferred a higher variety, or character entropy; they used more different letters from the alphabet and special characters in the passwords. And we also found that Unix gurus have the absolutely worst passwords. Now, I know what company this is about, because, you know, I was doing pen testing for them, so I know
sort of the reasoning behind this as well.
IT services company, perhaps. But it was a lot of fun. Now, the crazy thing about this, because this is, you know, me and a friend of mine doing this while we're partially drunk, and we thought this was incredibly funny, but I presented this in many, many talks, and one day BBC News decided to do an article about that. And if you go online and Google search, you can't see it there too easy here, but you can find the original article from BBC News where they are basically saying that women prefer longer passwords, so women prefer length. And as you just heard from the male audience in here as well, laughing at that,
I remember then when that article was published from BBC News, you know, reading the comments for that article was kind of crazy: did BBC News just write that women prefer length, and that is now scientifically, statistically proven? That's interesting. And I have talked to people that are really good in statistics, and they say, well, if you have a selection of 5,000 people and you can say, based on that, that women prefer length, then you are correct about the entire population on planet Earth until somebody can prove you wrong. So, kind of funny. But you've got to have other interests in life than passwords, so I also take a huge interest in PIN
Back in fall of 2013 I went to a local school in Bergen, my hometown, and did a talk about passwords, obviously, and I asked the girls and the boys in the room to write down a four-digit PIN that they were absolutely sure they could remember in a month if I were to return and ask them, do you remember your PIN code, four-digit PIN? Now, any wild guesses on, you know, the choice of PIN code? Birthdays, yeah. Well, I can reveal that the most popular PIN code selected by the girls was 1996, and that's their year of birth. I can also reveal to you that among the boys, 1996 was the second most popular PIN code. But which four-digit PIN was the most commonly selected PIN code among 17-year-old boys?

This audience test never fails: if there are men responding first, it's going to be 6969 or 1234, thus proving the, you know, superior intelligence of men. And even funnier, if there is a woman responding first, she will also say 6969 or 1234, thus proving that women actually understand men. But the thing is, the most selected PIN code among these boys was one three three seven. Now the fun thing here is, with this audience at that school, when I said, how many of you selected one three three seven, a few of these boys just went like, yeah dude, whoa, whoa, and all the girls in the room were just like, what happened now? Because there were no women, no girls in here that selected one three three seven. Now what is one three three seven? Hands up. Any women? Cecilia knows, you know, yep. So you read the numbers as letters; that means l-e-e-t, leet, short for elite. If you play computer games, you play against somebody else and they are really good in a round of World of Warcraft or Call of Duty or whatever, you will type in 1337, saying like, whoa, you're really good. When I explained that to this audience, to these students, all the girls, no exceptions: oh god. And then I went to the university in Trondheim in Norway, a little bit further up north. Now we're talking students 19, 20, 21, 22 years old, and I also showed this, and there was one woman in the room that raised her hand and said, yep, I picked 1337. And obviously I ran up to her, like, wow, you could be the girl of my dreams, I just gotta make sure, you know, do you play computer games? Because that's sort of, well, something that I do still at age 50. And she said, no, I don't, but I do have male friends who play computer games, but I don't. Okay, well, ah, that's too bad, but why did you select one three three seven? And her response was, well, my postal address just outside the capital of Oslo is one three three seven.

And obviously all the male students were just like, okay, I know, I'm moving. So a bit of fun, a bit of fun statistics and surveys for you, but again, this also proves something that I've been saying for many, many, many years: we are incredibly predictable when it comes to our choice in passwords and PIN codes, and who you are, your interests, your gender, your age, your parents, your family, wherever you work, the stuff that you have in your office cubicle will most probably be association elements for your password. So here's also something that I did several years ago. This is Marte Løge; she was a master thesis student, and she got an assignment from me, I was co-supervisor:
look into how people pick their lock patterns, Android lock patterns. And she did. She also spoke about this here at PasswordsCon; she also did a talk at DEF CON about this. She discovered that, well, at least 10 percent of us will just do a simple English alphabet letter when we select an Android lock pattern. She got the best possible score for a master thesis, she got lots of questions and fantastic feedback at DEF CON, and even better, in my opinion, a couple of years after she finished, graduated and delivered her master thesis, she got an email from the police in one country somewhere in Europe, and they said thank you for that research, because that actually enabled them to get into a phone that they were not able to get into otherwise, and finding pictures, revealing information related to abuse and a murder in a close relationship. So I'm not doing this just for the thought of it; this is lots of serious stuff.

And then Steve Jobs came on stage and introduced the iPhone 5s with Touch ID, and somebody tweeted a picture that, you know, summarizes my opinion on biometric security in one single picture. That's my opinion on biometric security: in almost all cases, biometric security is not biometric security, it is biometric usability. It increases usability by a lot. I use biometrics myself on my iPhone, but I can just swipe up, left or right, and have a go at your PIN code in any case. So if you want to have good security on your iPhone or your Android device, you need a really strong PIN even if you are using biometrics; otherwise it will be easy for me to get into your phone. And also, when people got hold of their iPhone 5s, there were some guys in Japan doing this video, because you don't really need to use your finger; any part of your skin that has wrinkles can be used. So if you want to, before going to DEF CON, and you're afraid somebody's going to steal your fingerprints on your phone, don't use your finger, use another part of your body.

So I like to troll people, and with a CSO at another company back home in Norway I'm having a little bit of fun. I don't know how this started, but what we do is, every time there is a leak or some company, especially in Norway, is getting hacked, I say it's because of passwords: there's a shitty password, there's a default password, there's lack of two-factor authentication, there's something related to passwords that essentially made them get hacked. And he says, it cannot be that bad, it cannot be happening that often, it's zero-days, it's Russian intelligence services that are using advanced hackers and everything. And I say, no, you can hack pretty much anyone using simple PINs or passwords. And whenever I'm right, the problem is password related, and, we're on video so I can't really play sound here, that's right, he needs to watch Bee Gees, You Win Again, to the end on YouTube. And whenever he wins, because somebody got hacked and it was not because of bad passwords, I have to listen to Shaggy, It Wasn't Me. I have watched that video, I don't know, maybe two times, and he seriously hates the Bee Gees, and he does this every time, the entire music video on YouTube, Bee Gees, You Win Again. So here he is in Romania, because he was traveling and suddenly I had to send him the link to the video, and he just knew that, oh, it happened again. So, that's my short fun talk, and now the man, the legend himself: Passwords, But Make It Nihilism, Jeremy Gosney. [Applause]

How you doing, buddy? It's good to see you all. Yeah, likewise. It's been like, what, three years? Four years? Six? Oh right, because of Trump. Yeah, one president and one pandemic, and I'm not sure what was the worst part. I've had three kids in that amount of time, man, that's crazy. All right, no one give me COVID. All right, so as Per said, I'm Jeremy Gosney, and I'm here to tell you that you
all suck at threat modeling passwords. We've been doing it wrong for years. Please get your frame photos ready. Actually, what we're going to do, don't just take my word for it, we're going to walk through it together. We're going to threat model password security right here, right now, and you're going to see that we've been doing it wrong the entire time. So I've been getting looped into Twitter threads for the past, I don't know what, seven years, people crying about, like, oh, this site only accepts a maximum of 16 for passwords, can you believe it, oh, hashtag password too strong, and like that. So I'm not gonna say I'm tired of it, but my wife will tell you, when I get drawn into these Twitter threads I sigh and she's like, what, what Twitter drama is it now? Like, nothing, like, you know, so-and-so is pulling me into something on Twitter and I gotta, you know, set him straight.

But let's just back up a minute. So I used to say, and I've been quoted saying this, I mean, like, in Adam Shostack's book on threat modeling, saying this, that password hashing is an insurance policy. And I thought this was really clever when I came up with this. I said that password hashing is an insurance policy that an organization is essentially buying to buy themselves time, in the event of a breach, to notify users, you know, so they can change their passwords before they're exploited on other sites. And then when we also talk about password threat modeling, we talk about how the threat modeling for user password creation should assume that every site stores their passwords in plain text, right? So these two threat models are kind of at odds with each other. So, and you have to forgive me, I don't actually have a talk prepared, these are just a bunch of notes. So, do I have a, what? Oh, this is not a speaker request, this is just me being very glad that you're here.
So I appreciate you, you would, what is it? Oh Jesus, yeah, that's acceptable. All right.
I appreciate that. Well, cheers, you guys. Yeah, so for those who don't know, I didn't think I was gonna make it this year. Been like really financially strapped with the demise of Terahash, if anyone's followed that. But someone stepped up and said like, no, you guys have to come to Vegas, so they sponsored our trip. I just drove from Texas with my wife and four children; we've been in the car for four days together, we just got here an hour ago. So yeah, it's been a stressful four days, so cheers y'all. [Applause] That's the first shot I've taken in three years, god damn. All right, so why does it taste like pork?
Was that bacon scotch?
Man. All right, so where even were we? All right, so no, anyway, I'm saying I didn't think we were gonna make it, so I kind of stopped working on this talk. This talk was just like a seed, and then I was like, oh, I'm not gonna be able to make it, so I didn't actually develop it. So I just got a bunch of notes here. Oh anyway, so yeah, I say that the threat model for password security on an organization's side starts with the password database being compromised, up to and including physical theft. Like, that's where the threat model starts, is password database compromise. On the user side, we assume that the service provider is storing the passwords in plain text, right? So that's where we've kind of assumed the threat models were for the past, what, decade or so. But things are a little bit different now, right?

So password hashing was invented on multi-tenant Unix systems, right, where you can just run getent and get everyone's passwords, for, you know, all the users. And even then, you know, you can still get everyone's, even with password hashing, with the invention of DES crypt, you can still get people's DES-encrypted passwords everywhere on the network. We don't have that problem anymore. We don't really have, you know, too many enterprise multi-tenant environments where there's multiple users with the same shell to the same system, right? Even in a hosting context we have virtual machines or, you know, containers or something; at that point we have some kind of isolation, right? You're not gonna jump onto, you know, some cloud provider and run, you know, getent passwd and see all the other users for EC2, you know, on the machine. It doesn't work like that anymore. It's the same thing with the way that we kind of assume, for password hashing, that sites are designed, that websites are designed, the services are designed. When we talk about, you know, like, oh, a vulnerability in a web app can compromise, you know, the database, like, yes, it absolutely can, but, you know, we're kind of thinking of more of an old monolithic model, not a modern-day, like, you know, cloud-native microservices type architecture, you know, distributed, usually with a hosted database or something like, you know, DynamoDB or Redis or something like that, right?

So what I want to do, this is going to involve everybody. Where's Per? Do you have something to write with, including a computer to type on? Okay, we're gonna take notes here.
All right, just type in English. I've set it to Russian Cyrillic, but whatever you want. So, Word. Word is perfect, yeah. WordPerfect, right. Control N, that works. Okay, so here we go. I'm going to go first. We're going to re-threat-model passwords right here on the spot. I've already done this; I want to see if this group comes up with the same thing. So, physical theft. What are our threat vectors for password database physical theft? Anybody, shout it out. No, no, no, we're talking about the threat itself, the threat modeling, assuming the crowd knows how to threat model. We're enumerating the threats right now. So let's say physical threat, the first one we have. That's perfect, yes. So we have a malicious insider. We actually had this at a company I worked for, where I was the director of information security. We had an employee who would replace a hard disk in a RAID 5 array, one disk every month, to rebuild the array, taking the old, perfectly good drive so he could reassemble the RAID array at home. Stole an entire database, right? So [Laughter] all right, so let's, oh, where is, left, go to left, computer, left, I don't know it, all right, whatever. So, physical theft, that's a new page, whatever, all right. So we have a malicious insider, right, and that could be self-hosted or the colo provider, right. Where the hell's the dash? All right, I'm just gonna hit equals. Oh, that's a zero, whatever.
Okay, what about in the cloud, where we have shared databases, right? We have an employee who has access to the hosted database as well, right? So let's say hosted. Right, okay. So taking a step up from physical theft, what's another threat that we're combating against with passwords? What's another threat to passwords? Okay, online brute force, right, where we have a login on a web page and a user is trying something like Hydra, right, to enumerate username and password. So we'll say online brute. Okay, what's another threat in our threat model? Malware, okay. Keyloggers, like it, I love it. Okay, I heard two different things at once and I'm deaf in both ears. Oh, like SQL injection, you mean? Okay, great. Not great, okay. And what would you say? Phishing, okay. What else do we have in our threat model? What was it? A rubber hose technique. For those who don't know, I was a 97 Echo in the Army, that was interrogator, so I love it. All right, backups, that's great, I'm actually going to put that up here with physical theft.
That's also physical theft, because that's going to go, yeah. So yeah, I put sticky note, but Post-it, we'll use the copyrighted term. All right, how about remote code injection? We have a legitimate flaw in the application where we're actually executing RCE, and we have access, so we can read the databases, right?
Okay, I will allow it. This is a good list. What was that? Okay, I like that one, that's thinking outside the box. Was that Jim Fenton who said that? Holy... Sir, how are you? Call me a legend, there's Jim Fenton right there. Okay, what else do we have in our threat model for passwords? Default passwords.
Oh, someone left. You guys know what Prop 6 is in California? You have to disclose what causes cancer, so it was, oh, 65, oh I'm sorry, it's that bacon scotch, forgetting numbers. Okay, is there any, oh yes sir? You know what, I'm laughing, but I can see where that is something that's plausible, because they sell everything else about us, right? Any other identifiable information, they sell, so why not sell our passwords as well? I would buy them.
Okay, can anyone think of any other threat in our threat model for password security, any other threats to passwords? Okay, I'm just going to put that under a generic man-in-the-middle. Does that work? You like it? Awesome.
Chris, I'm gonna lump that under man-in-the-middle, because in order to exploit, are you talking in transit or at rest? If it's at rest, I'm gonna go ahead and say that's covered by things like RCE and physical theft, and if it's in transit, I'm gonna lump that under man-in-the-middle. Are we good with that? Okay, this is democracy in action. Okay, yes sir.
Do people do that? Holy... Oh, are you getting unruly? Oh, come here, little man. This is my two-year-old, Malachi. Everyone say hi, Malachi. Malachi doesn't like passwords because it prevents him from watching YouTube. Do you say hi? Yeah, I love it. Hard-coded. But no, he's right, so I'm going to say that hard-coded passwords are slightly different than default passwords, because a user is aware of a default password, right, but a user may not be aware of a hard-coded password. And we see that time and time again, especially with network devices: Cisco, Juniper, they love hard-coded backdoor passwords, don't they? So I'm going to go ahead and say hard-coded. Okay, anything else in our threat model before we go through these? I'll allow it, I'll allow side channels, if I can spell it.
You see a rainbow? Whoa, is it right there? Yeah, there it is. That's for adults though, buddy, that's a daddy beverage. Okay, I know it is a rainbow, it's a beautiful cup. Okay, all right, shoulder surfing, you know what, I will allow that too. I'm gonna put that under physical, how physically you have to be to shoulder surf depends on the user.
So you're right, you're right. So the password is cracked, probably on another site, right? So I'm going to go ahead and say that that's covered by password reuse, in the event that the password is breached on another site and cracked, and then credential stuffed, right? And then for ones that aren't, I'm going to say that's covered by online brute force, right? Is that fair? Is there anything I'm missing there? I'm just being fair, I might be missing something, this bacon scotch is with me. Yes sir? A TEMPEST attack, okay. Does everyone know what a TEMPEST attack is? All right, thank god. All right, it's a side channel, that's actually where I was going to... You are correct, but side channel, sir. Oh yes sir, in the back, what is it? A candy bar, like you give them a candy bar for their password? Yeah, no, I'm gonna put that under phishing or social engineering or something there. I like it though, I like it. Yeah, and there's also, we had this one here too, right, the buying the passwords, right, or selling the passwords. Buddy, I'm gonna have to hide this from you, okay. All right, all right, so is everyone comfortable with the threats in our threat model, all the possible threats to password security? All right, here's what we're gonna do, and you're not gonna be happy about this.

Put on a helmet, because I'm about to blow your mind. Okay, now for the malicious, for the physical threats, right, because remember, I even said, I'm in, like, ink in a book, saying that password security starts with, you know, physically with the password database being compromised, that's where the threat model starts, and I'm telling you I was wrong. Tell me where length and complexity will defend against any of these. Who can think of one scenario for physical theft where length and complexity matter?
Oh, shoulder surfing, clever. So, you know what, I'm gonna put an X next to that one. Potentially, yes, if you're trying to shoulder surf someone and they have a ridiculous, god-awful password, you'd have to be like Rain Man to pick that up, right? So that's true, they got the UniFi camera in the corner recording it. But you're right, you are right, that is a potential mitigation for shoulder surfing: make your password so complex no one could possibly shoulder surf it. So I like that. All right, I will accept that.

Okay, now let's go down to online brute force. Now keep in mind, have any of you actually performed online brute force? Okay, how fast did it go? Slow. Extremely slow, right. Okay, so in order to make online brute force practical you pretty much have to have a botnet or some sort of distributed infrastructure, and that's assuming they don't do rate limiting or account lockout, right? If they do rate limiting, now you have to also have, like, you know, a different IP address trying, like, you know, a handful of attempts to try to slide under the radar, right? It's not easy to online brute force. Your guesses for online brute force have to be highly targeted, right? So I'm going to argue that length and complexity are rather irrelevant for online brute force, because for online brute force you're either trying a credential list or something really, really dumb, like company name one, summer 2022, right? Does everyone agree with that? If you even have a moderately complex password, it's probably not going to get cracked by online brute force. Okay, keyloggers: does length and complexity defend against keyloggers in any capacity? You want to do what? I can't hear you, talk into my good ear. Oh, I'm right here, you want to see me, I'm right here. Oh, you want to see this? Oh no, okay, all right, well, I don't know what you're talking about, brother. Oh, you found the rainbow cup.
Toddlers will get into anything. All right, you do, all right, here, you show me, you show me. Yeah, no, that's not okay. Okay, okay, buddy. All right, all right.

SQL injection. So I'm gonna go ahead and start by prefacing this, saying that modern web app frameworks have made SQL injection less and less prevalent. Does anyone here do pen tests, like, daily? How often do you find SQL injection now compared to five years ago? More and more rare, right? In fact, on the OWASP Top Ten it's fallen from number one, where it sat forever, to number three, right? And it's not even just SQL injection, that's all injections. They finally woke up and lumped all injection attacks together, because they basically are the same attack, it's injecting different things, right? I might be injecting PHP in this attack or injecting, you know, SQL in this attack, but it's all injection. You know, even cross-site scripting is just, you know, JavaScript or HTML injection, right? So they lumped all injection together and it's fallen to number three. So modern web app frameworks are, it's not obsolete, don't get me wrong, it's just harder to up and code SQL injection today than it was five years ago, and OWASP has shown this, it's fallen from number one to number three, right? And I'm also going to say, too, with today's distributed architecture, the servers handling the web app processing may not be, and in fact likely are not, the same ones that handle authentication, depending on the size and complexity of the app. When we, as, you know, cryptographers or password geeks, think about this, we think of a monolithic application running on one server, but that really isn't the truth, especially for, you know, anything even remotely complex these days. You want to see Blue? Who's Blue? Right there, right here, lord, child. Okay. No bubbles. Hey, do you watch YouTube? Do you want to watch dinosaurs? Yeah, you want to watch dinosaurs? Did you see your mom? Did you see mommy go get dinosaurs?
He looks just like me, doesn't he? All right, so keeping the things I just said in mind, SQL injection may or may not yield password hashes, or it may yield only password hashes, right, and not the user's data that's part of the application, or it may yield everything, right, not just the password hashes but all the data that the user has stored in the application, thus making the password hashes less attractive, because you already have all the data that's inside the app, in the database, right? So there's basically three different vectors here for SQL injection. We have SQL injection, why is there no dash on your keyboard, where did you hide it, which region, where's the dash? How can I do SQL injection without a dash? English, but still, oh, it's down there. Oh well, now it's American, so now you got, that's what I've been hitting before, it kept giving me zeros. Okay, all right, thank you Per, now you have the US layout, I love you buddy. Okay, so we have SQL injection with hashes, and I'm gonna say SQLi with hashes, plus, plus, you said it was the American layout, this is not the freedom layout, all right, with user data, all right, and we have SQLi, what did I say, without hashes but with data. All right, so in the event of SQL injection with hashes, there is a chance, of course, that length and complexity could in fact, you know, mitigate this attack, right? So we'll put an X there. In this scenario where we have both the hashes and the user data, it does all of nothing, for the most part, right? And then without hashes but with data, of course it doesn't matter if you have length and complexity, because all the data has been compromised, we don't have hashes, oh crap. All right, all right. Phishing: does length and complexity matter for phishing? No. Rubber hose? No, absolutely not. Okay, remote code injection, nearly, oh.
Plausible deniability, all right, you know what, I'll allow it. I'm going to put one slash, that's half an X, for plausible deniability.
Where you're going with that, though, is kind of where I'm going with this, so yeah, so I'm giving half a slash, but no, you're right, that's kind of where I'm going. Okay, so remote code execution. If you have RCE on a system, in that case, like, that goes back to what my original threat model was, right, where password hashing becomes the insurance policy, right, where now we're trying to, you know, have a strong password hashing algorithm to buy time for us to notify, or identify the breach, contain the breach, notify users, and users have time to be notified and update their passwords, and like that, right? But if you have RCE on a box, you can just attach to the process and read the passwords in plain text as they're being submitted, right? You can sniff them from memory, you can scrape them from memory, or you can sniff them over the wire. You know, like, there's a lot of different vectors here that password hashing just doesn't defend against, right? So for the most part, if someone has arbitrary code execution, length and complexity don't defend against that in any way. Password reuse: does length and complexity defend or mitigate against password reuse? No. Oh.
Okay, so you're getting psychological now. No, no, that's fair, that's fair. Okay, so users who are inclined to create short passwords are also therefore more likely to be the users who use that same password everywhere; that's the argument.
I will accept that argument. I will counter-argue that what happens in reality is you end up with password-bang-Facebook, password-bang-Twitter, you see what I'm saying? Yeah, and Per's done a lot of research in that regard as well, and I think you agree with that, that it tends to be you're still reusing the same password, you just have your own password system, you know what I'm saying? The people who have their little systems for their passwords, it's really the same password, you just put something different on the end for each service. Oh, you were my replacement. Hi, replacement buddy.
I read that, it was like, Jeremy will be missed, and I'm like, I'm right here, I'm not dead yet, still have 1600 miles to go. All right, no, that was really funny, nice to meet you. Okay, oh, it's going dark on me. Okay, so I'm gonna put a question mark here for debatable. All right, supply chain: we have some piece of malware that's been slipped in upstream and we don't know about it, now scraping our users' passwords, which length and complexity doesn't defend against, does it? All right, default passwords: length doesn't defend. The service providers selling your passwords, because why the hell wouldn't they when they sell everything else: doesn't defend. Man-in-the-middle: it doesn't defend. Hard-coded passwords: that's a little bit there, because the user didn't select that password, right, but, like, let's say we're talking about a system where you set the world's longest and most complex password for the root password, you're like, no one can get in, but then someone's like, cisco123, and they get in, right? You know, so yeah, no, totally, I mean, yeah, like, it didn't defend against that, did it? Side channels, maybe. I'm going to say that length and complexity could maybe defend against a side channel, maybe, depending on how reliable the side channel is. If it's a flaky side channel, a shorter password probably has more of a chance to be caught than a longer
password, right? So, maybe. That was it, that was everything we came up with. Okay, now we have the threats and we have the risks and we have the mitigations. Out of all of these things, does length and complexity matter? What is the one thing that will defend against all of this? Can anybody name it? The, okay, the second thing. Unique passwords. Unique. My proposal now is that the only thing that matters with regards to password security is not length, not complexity, not anything else, not emojis, not any other, not even the underlying password hashing function, because again, as a user, our threat model assumes that the service provider is storing the passwords in plain text, right?
So I propose that the new threat model for password security is that the only one thing that matters is uniqueness. You want to sit on a table? Oh, thank you brother, you're the best. Oh, that's really cold, that's really good, man. Give that kid a raise. Okay, so, oh.
Okay, so let's break down that scenario. Okay, so this scenario is, let's say we have a way to crack or gain access to a person's password when we log into the server.
Sure, right, right, right, at some point.
Okay, congratulations, you've gotten one user out of all my users. [Laughter] Right, so even with, and I'm gonna address something that we also don't really talk about in the password space: password strength is an unsolved problem. We have not solved the problem of how to measure password strength, how to measure how strong a password is. We already know that Shannon entropy, right, we're not creating encryption keys, oh, it's fine, let it die, let it die, no, we're not creating, Shannon entropy has nothing to do with passwords. We typically measure passwords in terms of key space, but even then, key space is irrelevant if the key space is one, because it's in our dictionary, right? So we have yet, as of 2022, this is like a Millennium Prize problem, how to measure the strength or insecurity of a user-created password. A machine-created password is easy, we can do easy math on that, assuming the source of random is sufficiently random, which, where's the scotch, but you know, but as far as a user-created string, we have no way of measuring. There's been some really novel approaches, some really cool shit's been done in the space, but none of us really actually solved that problem. So even if you try to implement some kind of control, you know, to defend against the creative user who creates a, you know, variation of summer 22 that bypasses all the complexity checks and meets the minimum length requirements, right, like there has to be some kind of margin of error for human stupidity and human creativity, because password strength is an unsolved problem. Now the best way to solve that is to get rid of passwords, which FIDO2 is pretty well poised to do. Thank you, water fairy.
Okay, so do you agree? No? No, all right, one dissenter, all right. Does anyone else have a rebuttal? Go ahead.
Okay, so let's talk about... when I say the only requirement that matters is uniqueness, right, what I'm proposing is that it shifts the threat model for users to basically just be password managers, right? Where we have a password manager creating a unique password for each one of our sites and services, so we don't have users creating passwords; we have unique passwords that are being generated and created for every service. Does that clarify that? So we don't have users really creating dumb passwords. I think that addresses both things, because that's the path to unique, right? The path to unique is to remove humans and our dumb, squishy, predictable brains
from the password creation process entirely. Yes, sir. It doesn't... so you're right, it doesn't defend against all of them, but that was also a really unique one that I hadn't considered, and it's also highly plausible. So, the question was: how does having a unique password defend against a service provider who's actually selling your passwords? You know, when I first went through this threat model by myself I had not considered that; that was not in my threat model. But I think it's highly plausible, because again, they sell everything else about us, why would they not sell passwords? And people like me would buy them. I would in a heartbeat. If Twitter put up a thing, like, to the ad networks, to the
ad partners, like "this data set includes username, email address, plaintext password, sold," I'd take out a second mortgage. Am I wrong? No. So hit me up, Twitter. They'll probably bury it in a new EULA. They will, exactly, without the user having any clue. Yes, sir.
...account, one password, right? So for each and every account that you have, you create a new password, and the only way to do that is essentially with a password manager to manage all that for you. No, there's no reason to change your password if you don't suspect it's been compromised, right? And as we went through the threat model, for a lot of the threats that compromise the password, the password itself is irrelevant, right? So changing it isn't gonna do anything for ninety percent of the things in the threat model.
That's right, you can, yes. It's like your own little canary. So basically what he said is: if you're using a unique username and a unique password per site and service, you now know who gets breached based on what spam you receive at different email addresses, right? Or if you get blackmail attempts or things like that, right? Because you're only using one set of credentials for one site or service, it's like your own little canary out there. So, all right, does anyone have anything else? No?
You do? You do. So I'm gonna very, very quickly address this, because this is, again, this is what I put out on Twitter like 25 times a month to where I'm blue in the face. And like, you're right: so you have your password manager, which generates all your passwords for you, except for your master password for your password manager, in which case you have to commit that to memory, right? And that's most of the grievance of people on Twitter who are like, "it only allows 30 characters for my password, holy..., how insecure." Like, unless you have to create a password that you have to commit to memory for that site and service, it doesn't matter.
Your password only has to be 12 or 13 characters long for me not to crack it, right? So then for your master password, right, your password manager is employing a proper key derivation function that is slow as ..., and I'm not gonna be able to try, you know, my usual 750 billion guesses per second against your master password. I'm just not, without incurring massive expense. And are you worth it? Do I want to expend that kind of capital just to crack your password? Are you important enough for that? Like, I'm not demeaning you, good sir, I'm sure you're a perfectly upstanding human being, I love your smile, but you know, I'm not gonna drop five
million dollars to crack your password. I'm not. So yeah, for your password manager master password, which employs a proper key derivation function, you don't have to have anything that strong. Even a 7-character random password, which is easy to remember, will be pretty secure if it's hashed with, like, Argon2 with an insanely high number, to where your run time is, like, greater than 1000 milliseconds, right? So it's simple stuff. Once you bring it down to this level, password security becomes easy, you know, like mom and dad can do it. All right, one more thing, and then I'm gonna concede the mic to
the people who want to clear the room.
How will an HSM factor into this? So, on a service or a user level, or at an organization level? On a user level I would say that an HSM wouldn't make much of a difference, but on a service provider level, assuming you have good secrets management for the HSM, right, you don't even have to do expensive password hashing in that case. You can just do an HMAC with a key that's stored in the HSM, and it doesn't matter if the password hashes are released, because I don't have the key, which is in the HSM, right? So I'm never going to crack those passwords. Does that answer your question? Awesome. All right, so since no one else has any strong
disagreements, I'm gonna say I win. Thank you guys, good to see everybody again after three years. And I'm really not sure what to say now. It's like, Jeremy, you don't disagree with me? Yeah, but I really enjoyed doing this conference and suddenly I don't see the point anymore. It's... thank you. "Passwords, but make it nihilism." Now you understand the title, Jim. I need some help here, tell me why I should continue to do PasswordsCon, because it seems pointless now. Thank you, Jeremy. I have no further questions for this one. Absolutely awesome. Obviously you will stay around today and for a few more days as well? I'll be here
until Sunday, Monday. Sunday, Monday, hit him up and try to find some more arguments so we can continue to do PasswordsCon. That was the end of PasswordsCon for this round. [Laughter] Thank you all for coming to PasswordsCon. I love doing this. It is wonderful to be back in Vegas; for me it's been six years since the last time I was here. I'm already looking forward to coming back next year, and I hope you enjoy the rest of BSides and also attend the pool party today, and see you around. I will also be at DEF CON; specifically, I'm doing a talk at the Crypto and Privacy Village on Friday called "ID Theft Insurance in the Emperor's New
Clothing," so maybe I will see you there. And until then, thank you to everyone, to the volunteers, to all the staff of BSides, to everyone that has helped us out, and most importantly all of you being here. Thank you. [Applause]
yeah