
PW - Cracking passwords for good, bad & commercial purposes: second thoughts on password cracking

BSides Las Vegas, 1:03:38, published 2022-09
About this talk
PW - Cracking passwords for good, bad & commercial purposes: second thoughts on password cracking - Per Thorsheim PasswordsCon @ 17:00 - 17:55 BSidesLV 2022 - Lucky 13 - 08/10/2022
Transcript (en)

So, there have been several changes in the schedule, as you've seen and heard, maybe from me as well. We are still in a COVID world: there have been people with visa problems, there have been people that have caught COVID and couldn't come, so we've had to turn the program upside down quite a bit, and I had myself as a backup speaker, as I usually do, because I wanted to talk about password cracking and what I think about doing that ethically and morally. This is sort of a discussion that we've had ongoing with PasswordsCon for many years already. It started back in 2015 at the University of Cambridge in

the UK, where we had a speaker from Russia. She wasn't really that interested in password cracking, but her husband was really interested in doing this stuff, and she did a talk about the ethics of doing password cracking, because in most cases we are downloading data that has been copied illegally or stolen, or whatever you want to call it, from some servers, some company out there, and we crack the passwords, we see the emails, we see the usernames, the real names and so on of those people. And there's the thing about, you know, is this legally allowed to do, is it ethical, is it moral to do? Now, during the years I have experienced my fair share of [ __ ]

I've been thinking a lot about this, about what I have done myself, cracking millions and millions and millions of passwords during the past 22, 23 years, and still ongoing. And I also thought that doing that as a talk to finish off PasswordsCon in Las Vegas is probably not the best idea I can do, so now, also waiting for Jeremy Gosney, I thought that, well, instead of just doing sad stuff, I will show you a couple of slides that I've been doing lately as part of almost a lightning talk, with some fun stuff in it. Some might have seen this before, some might not, but I will start with

the simple part. So this is the license plate of my car; zero points for guessing what it says in Norwegian on that plate. And this is also the quote that I have on Twitter. I said that I have a reputation to maintain: I have it verbally from Cormac Herley at Microsoft Research, with a witness present, that he's interested in passwords, while I'm obsessed with it. And I did ask Cormac to please confirm the statement, and he responds in public: "Confirmed. I have a healthy curiosity, while Thorsheim is pathologically obsessed." And I'm actually proud of getting that from Cormac, because he's really good at his research, and he has done research into passwords and usability stuff for quite a few

years. You might also have seen this, but I use this to sort of exemplify what I say is the value of a single password. This happened quite a few years ago. This is Twitter, this is AP, the Associated Press, one of the largest news agencies in the world. At the time they had two million followers, and one day they suddenly tweeted the message saying "Breaking: two explosions in the White House and Barack Obama is injured." Now, there were never any explosions there, and Barack Obama was never injured in any way, and it's sort of crazy to think that way. Well, why would a news agency put out a tweet like that?

And it's also interesting to see that in this case this tweet appeared only with Associated Press on Twitter. It was not mentioned, it was not published in any other media, no other channel at all of Associated Press, only on Twitter, and this was before Twitter had two-factor authentication. So you can probably guess where I'm going with this. And this is the Dow Jones index that day. You can see in the morning that the Dow is going up, and it's pretty good, looks like a good day, and you can probably spot the location where suddenly AP tweets that there have been explosions and the president is injured. Now, that drop in the Dow Jones index was 136.5 billion dollars

in worth. That's a lot of money, and they had to stop trading to figure out, you know, what the hell is this message from AP about, and of course, yep, this is not for real, and they could re-establish trading and everything went smoothly, at least it looks like that, the rest of the way. And this happened because... Jeremy Gosney is in the house! The man, the legend. Hi Jeremy, hi baby doll, hi family. [Laughter] I just started talking, waiting for you, Jeremy. I'm just filling in with some crap. Yeah, yeah, that's exactly what this is, just [ __ ]. The point is here, AP got phished. Two or three, maybe four people at AP got

an email, they clicked the link, one of them was tricked into giving away the username and password for the AP Twitter account, and it was actually the Syrian Electronic Army who claimed to have done this. They have ceased to exist, I think; I don't know if they're dead, but they did a lot of really interesting hacks back in the days. And I say that, well, the value of a single password is 136.5 billion dollars in the worst case. And even more fun, I said this one earlier today, but here's the graphical explanation: Operation Face Factor. 5000 photos of people, and we also knew their passwords, and we decided to stuff it into a database and analyze the

data. So my friend and I, we looked at gender, we categorized by whether the people were wearing glasses in the pictures or not; the pictures were pictures from physical access cards. We also categorized by hair color, saying, well, there's no hair present, or it could be blonde, super blonde, brunette, redhead, black or silver fox; you probably understand what I mean by that. And of course you can also have facial hair, so we said, well, there's no facial hair, there's the moustache, the small beard, a full beard, and looking at these pictures we had to define the category of Unix guru. I don't have to explain that anymore. And we also had a category of

porn donuts. You probably know what that is as well.

Yeah, the very short one around your mouth, that's the porn donut. That's like back in the 80s, watching American crime on TV, I guess. That poster? Okay, porn 'stache, okay. So we did this, stuffed this into a database, then we could do the queries, and what we did, well, we found that women prefer length: on average, women had longer passwords than men. And we also found that men prefer higher variety, or character entropy; they used more different letters from the alphabet and special characters in the passwords. And we also found that Unix gurus have the absolutely worst passwords. Now, I know what company this is about, because, you know, I was doing pen testing for them, so I know sort of the reasoning

behind this as well.

An IT services company, perhaps. But it was a lot of fun. Now, the crazy thing about this, because this is, you know, me and a friend of mine doing this while we're partially drunk, and we thought this was incredibly funny, but I presented this in many, many talks, and one day BBC News decided to do an article about that, and if you go online and Google it, it's too easy, you can find the original article from BBC News where they are basically saying that women prefer longer passwords, so women prefer length. And as you just heard from the male audience in here as well, laughing, I remember that when that article

was published by BBC News, reading the comments for that article was kind of crazy: did BBC News just write that women prefer length, and that is now scientifically, statistically proven? That's interesting. And I have talked to people that are really good at statistics, and they say, well, if you have a selection of 5,000 people and you can say based on that that women prefer length, then you are correct about the entire population on planet Earth until somebody can prove you wrong. So, kind of funny. But you've got to have other interests in life than passwords. I also take a huge interest in PIN codes as well, and back in fall of 2013 I went to a

local school in Bergen, my hometown, and did a talk about passwords, obviously, and I asked the girls and the boys in the room to write down a four-digit PIN that they were absolutely sure they could remember in a month, if I were to return and ask them, do you remember your PIN code, your four-digit PIN? Now, any wild guesses on, you know, the choice of PIN code? Birthdays, yeah. Well, I can reveal that the most popular PIN code selected by the girls was 1996, and that's their year of birth. I can also reveal to you that among the boys, 1996 was the second most popular PIN code. But which four-digit PIN code was the most

commonly selected PIN code among 17-year-old boys?

This audience test never fails: if there are men responding first, it's going to be 6969 or 1234, thus proving the, you know, superior intelligence of men. And even funnier, if there is a woman responding first, she would also say 6969 or 1234, thus proving that women actually understand men. But the thing is, the most selected PIN code among these boys was 1337. Now, the fun thing here is, with this audience at that school, when I said, how many of you selected 1337, a few of these boys, they just went like, "Yeah, dude, whoa, whoa," and all the girls in the room, they were just like, "What happened now?" Because there were no

women, no girls in there that selected 1337. Now, what is 1337? Hands up. And among the women, Cecilia knows. Yep, so you read the numbers as letters; that means L-E-E-T, leet, short for elite. If you play computer games, you play against somebody else, and they are really good in a round of World of Warcraft or Call of Duty or whatever, you will type in 1337, saying like, whoa, you're really good. When I explained that in this audience with these students, all the girls, no exceptions: "Oh, God." And then I went to the university in Trondheim in Norway, a little bit further up north. Now we're talking students 19, 20, 21, 22

years old, and I also showed this, and there was one woman in the room that raised her hand and said, "Yep, I picked 1337." And obviously I ran up to her like, wow, you could be the girl of my dreams, I just gotta make sure, you know, do you play computer games? Because that's sort of, well, something that I do still at age 50. She said, "No, I don't, but I do have male friends that play computer games, but I don't." Okay, well, [ __ ], that's too bad. But why did you select 1337? And her response was, "Well, my postal address just outside the capital, Oslo, is 1337."

And obviously all the male students were just like, okay, I know, I'm moving. So, a bit of fun, a bit of fun statistics and surveys for you, but again, this also proves something that I've been saying for many, many, many years: we are incredibly predictable when it comes to our choice in passwords and PIN codes, and who you are, your interests, your gender, your age, your parents, your family, wherever you work, the stuff that you have in your office cubicle will most probably be association elements for your password. So here's also something that I did several years ago. This is Marte Løge. She was a master's thesis student, and she got an assignment from me; I was

co-supervisor: look into how people pick their lock patterns, Android lock patterns. And she did. She also spoke about this here at PasswordsCon, and she also did a talk at DEF CON about this, as she discovered that, well, at least 10 percent of us will just do a simple English alphabet letter when we select an Android lock pattern. She got the best possible score for a master's thesis, she got lots of questions and fantastic feedback at DEF CON, and even better, in my opinion, a couple of years after she finished, graduated and delivered her master's thesis, she got an email from the police in one country somewhere in Europe, and they said thank you for that research, because that actually enabled them to

get into a phone that they were not able to get into otherwise, and find pictures revealing information related to abuse and a murder in a close relationship. So I'm not doing this just for the thought of it; this is lots of serious stuff. And then Steve Jobs came on stage and introduced the iPhone 5S with Touch ID, and somebody tweeted a picture that, you know, summarizes my opinion on biometric security in one single picture.

That's my opinion on biometric security: in almost all cases, biometric security is not biometric security, it is biometric usability. It increases usability by a lot. I use biometrics myself on my iPhone, but I can just swipe up, left or right, and have a go at your PIN code in any case. So if you want to have good security on your iPhone or your Android device, you need a really strong PIN, even if you are using biometrics; otherwise it will be easy for me to get into your phone. And also, when people got hold of their iPhone 5S, there were some guys in Japan doing this video, because you don't really need to use your finger:

any part of your skin that has wrinkles can be used. So if you want to, before going to DEF CON, and you're afraid somebody is going to steal your fingerprints on your phone, don't use your finger, use another part of your body. So, I like to troll people, and with a CSO at another company back home in Norway I'm having a little bit of fun. I don't know how this started, but what we do is, every time there is a leak or some company, especially in Norway, is getting hacked, I say it's because of passwords: there's a shitty password, there's a default password, there's a lack of two-factor authentication, there's something related to passwords that essentially made them get

hacked. And he says it cannot be that bad, it cannot be happening that often, it's zero-days, it's Russian intelligence services that are using advanced hackers and everything. And I say no, you can hack pretty much anyone using simple PINs or passwords. And whenever I'm right, and the problem is password related... we're on video, so I can't really play sound here, that's right. He needs to watch the Bee Gees, "You Win Again", to the end on YouTube. And whenever he wins, because somebody got hacked and it was not because of bad passwords, I have to listen to Shaggy, "It Wasn't Me". I have watched that video, I don't know, maybe two times, and he seriously [ __ ] hates the Bee Gees,

and he does this every time, the entire music video on YouTube, Bee Gees, "You Win Again". So here he is in Romania, because he was traveling, and suddenly I had to send him the link to the video, and he just knew that, oh [ __ ], it happened again. So, that's my short fun talk, and now the man, the legend himself: "Passwords, but make it nihilism", Jeremy Gosney. How you doing, buddy? It's good to see you. Yeah, likewise. It's been like what, three years? Four years? Six? Oh [ __ ], right there's a trap. Yeah, one president and one pandemic, and I'm not sure which was the worst part. I've had three kids in

that amount of time, man. That's crazy. All right, no one give me COVID. All right, so, as Per said, I'm Jeremy Gosney, and I'm here to tell you that you all [ __ ] suck at threat modeling passwords. We've been doing it wrong for years. Please get your flamethrowers ready. Actually, what we're gonna do, don't just take my word for it, we're gonna walk through it together. We're gonna threat model password security right here, right now. You're gonna see that it's all [ __ ], we've been doing it wrong the entire time. So I've been getting looped into Twitter threads for the past, I don't know what, seven years, people crying about, like, oh, this

site only accepts a maximum of 16-character passwords, can you believe it? Oh, hashtag PasswordTooStrong, and [ __ ] like that. So I'm not gonna say I'm tired of it, but my wife will tell you, when I get drawn into these Twitter threads I sigh, and she's like, what Twitter drama was it now? Like, nothing, like, you know, so-and-so is pulling me into some [ __ ] on Twitter and I gotta, you know, set them straight. But let's just back up a minute. So I used to say, and I've been quoted saying this, I mean, like, in Adam Shostack's book on threat modeling, saying this, that password hashing is an insurance policy.

And I thought this was really clever when I came up with this. I said that password hashing is an insurance policy that an organization is essentially buying to buy themselves time, in the event of a breach, to notify users, and then for users to, you know, change their passwords before they're exploited on other sites. And then when we also talk about password threat modeling, we talk about how the threat modeling for user password creation should assume that every site stores their passwords in plain text, right? So these two threat models are kind of at odds with each other. So, and you have to forgive me, I don't

actually have a talk prepared; these are just a bunch of notes. So, do I have a... what? Oh, this is not a speaker request, this is just me being very glad that you're here. So I appreciate you. What is it? Oh, Jesus. Yeah, that's acceptable. All right, we want the title, that's all you do. I appreciate that. Well, [ __ ], cheers, you guys. Yeah, so, for those who don't know, I didn't think I was going to make it this year. I've been, like, really financially strapped with the demise of Terahash, if anyone's followed that [ __ ], but someone stepped up and said, like, no, you guys

have to [ __ ] come to Vegas, so they sponsored our trip. I just drove from Texas with my wife and four children. We've been in the car for four days together, we just got here an hour ago, so, yeah, it's been a stressful four days. So cheers, y'all. [Applause] That's the first shot I've taken in three years, god damn. All right, so, why does it taste like pork?

Was that bacon scotch?

[ __ ], man. All right, so where even were we? All right, so, anyway, I'm saying I didn't think we were gonna make it, so I kind of stopped working on this talk. This talk was just like a seed, and then I was like, oh, I'm not gonna be able to make it, so I can't actually develop it, so I've just got a bunch of notes here. So, anyway, so, yeah, I said that the threat model for password security on an organization's side starts with the password database being compromised, up to and including physical theft. Like, that's where the threat model starts: the password database is compromised. On the user side,

we assume that the service provider is storing the passwords in plain text, right? So that's where we've kind of assumed the threat models were for the past, what, decade or so. But things are a little bit different now, right? So password hashing was invented on multi-tenant Unix systems, right, where you could just run getent and get everyone's passwords, for, you know, all the users. And even then, you know, even with password hashing, with the invention of descrypt, you could still get people's descrypt-encrypted passwords, for everyone on the network. We don't have that problem anymore. We don't really have,

you know, too many enterprise multi-tenant environments where there's multiple users with a shell on the same system, right? Even in a hosting context we have virtual machines, or, you know, containers or something. At that point we have some kind of isolation, right? You're not going to jump onto, you know, some cloud provider and run, you know, getent passwd and see all the other users on EC2, you know, on the machine. It doesn't work like that anymore. It's the same thing with, like, the way that we kind of assume, for password hashing, that sites are designed, that websites and the services are designed. When we talk about, you know, like, oh, a

vulnerability in a web app can compromise, you know, the database, like, yes, it absolutely can, but, you know, we're kind of thinking of more of an old monolithic model, not a modern-day, like, you know, modern web app, like, you know, cloud-native microservices type architecture, you know, distributed, usually with a hosted database or something like, you know, DynamoDB or Redis or something like that, right? So what I want to do is, this is going to involve everybody. Where's Per? Do you have something to write with, including a computer to type on? Okay, we're gonna take notes here.

All right, let's just type in English. I've set it to Russian, Kuwaiti, whatever you want. So, Word. Word is perfect. Yeah, WordPerfect, right. Ctrl+N, that works. Okay, so here we go. I'm gonna go first. We're gonna re-threat-model passwords right here on the fly. I've already done this; I want to see if this group comes up with the same thing. So, physical theft. What are our threat vectors for password database physical theft? Anybody, shout it out. What's that? No, no, no, we're talking about the threat itself, the threat modeling, assuming the crowd knows how to threat model. We're enumerating the threats right now. So let's say

physical theft is the first threat we hit. That's perfect. Yes, so we have a malicious insider. We actually had this at a company I worked for, where I was the director of information security. We had an employee who would replace a hard disk in a RAID 5 array, one disk every month, to rebuild the array, taking the old, perfectly good drive so he could reassemble the RAID array at home. Stole an entire database, right? So, all right, so let's... oh, where is left? Go to left, computer, left. I don't know, [ __ ] it. All right, whatever. So physical theft, that's a new page, whatever, [ __ ] it. All right, so we have a malicious insider,

right,

and that could be self-hosted or a colo provider, right? Where the hell's the dash? All right, I'm just gonna hit equals. Oh, that's a zero, whatever.

Okay, what about in the cloud, where we have shared databases, right? We could have an employee who has access to the hosted database as well, right? So let's say hosted. Right, okay, so taking a step up from physical theft, what's another threat that we're combating against with passwords? "With the combat against passwords"? That's not a threat to passwords. Okay, online brute force, right, where we have a login on a web page and a user is trying something like Hydra, right, to enumerate username and password. So we'll say online brute. Okay, what's another threat in our threat model? Malware, okay. Keyloggers, like it, I love it. Okay, I heard two different things at once, and

I'm deaf in both ears. Oh, like SQL injection, you mean? Okay, great. Not great. Okay, and what would you say? Phishing, okay. What else do we have in our threat model? What was it? A rubber hose technique. For those who don't know, I was a 97 Echo in the Army; that was interrogator, so I love it. All right, backups, that's great, I'm actually gonna put that up here with physical theft.

Goddamn right she did, Karen. I'm... that's also physical theft, because that's going to go... yeah, so, yeah, as I put "sticky note", "Post-it", we'll use the copyrighted term. All right, how about remote code injection? We have a legitimate flaw in the application where we're actually executing RCE and we have access so we can read the databases, right?

Okay, I will allow it.

This is a good list. What was that? Okay, I like that one, that's thinking outside the box. Was that Jim Fenton who said that? Holy [ __ ], sir, how are you? Call me a [ __ ] legend, there's Jim Fenton right there. Okay, what else do we have in our threat model for passwords? Default passwords.

Someone left... You guys know what Prop 65 is? In California you have to disclose what causes cancer. So it was... oh, oh, I'm sorry, it's that bacon, that bacon scotch. Forgetting numbers. Okay, is there any... Oh, yes, sir. You know what, I'm laughing, but I can see where that is something that's plausible, because they sell everything else about us, right? Any other identifiable information, they sell, so why the [ __ ] not sell our passwords as well? I would buy them.

Okay, can anybody think of any other threat in our threat model for password security, any other threats to passwords? Okay, I'm just gonna put that under a generic man-in-the-middle. Does that work? You like it? Awesome. I'm going to lump that under man-in-the-middle, because in order to exploit... are you talking in transit or at rest? So if it's at rest, I'm going to go ahead and say that's covered by things like RCE and physical theft, and if it's in transit I'm gonna lump that under man-in-the-middle. Are we good with that? Okay, this is democracy in action. Okay, yes, sir.

Do people do that? Holy [ __ ]. Uh oh, are you getting unruly? Oh, come here, little man. This is my two-year-old, Malachi. Everyone say hi, Malachi. Malachi doesn't like passwords because they prevent him from watching YouTube. Do you say hi? Yeah, I love it. Hard-coded passwords? No, he's right. So I'm gonna say that hard-coded passwords are slightly different than default passwords, because a user is aware of a default password, right, but a user may not be aware of a hard-coded password, and we see that time and time again, especially with network devices. Cisco, Juniper, they love hard-coded backdoor passwords, don't they? So I'm going to go ahead and say hard-coded.

Okay, anything else in our threat model before we go through these? I'll allow it. I'll allow side channels, if I can spell it.

You see a rainbow? Whoa, [ __ ], is it right there? Yeah, there it is. That's for adults, though, buddy, that's a daddy beverage. Okay, I know, it is a rainbow, it's a beautiful cup. Okay, all right, shoulder surfing. You know what, I will allow that too, I'm gonna put that under physical. How physically... you have to be there to shoulder surf? Depends on the user.

Okay.

You're right, you're right. So the password is cracked, probably on another site, right? So I'm going to go ahead and say that that's covered by password reuse, in the event that that password is breached on another site and cracked, and then credential stuffed, right? And then for ones that aren't, I'm going to say that's covered by online brute force, right? Is that fair? Is there anything I'm missing there? I'm just being fair, I may be missing something; this bacon scotch is [ __ ] with me. Yes, sir. A TEMPEST attack, okay. Does everyone know what a TEMPEST attack is? All right, thank God. All right, it's a side channel, that's actually where I was going too.

You are correct, but side channel, sir. Oh, yes, sir, in the back, what is it? A candy bar, like you give him a candy bar for the password? Yeah, no, I'm gonna put that under phishing or social engineering or something there. I like it, though, I like it. Yeah, and there's also, we had this one here too, right, the buying the passwords, right, or selling the passwords. Buddy, I'm gonna have to hide this from you. Okay, all right, so is everyone comfortable with the threats in our threat model? Yeah, all the possible threats to password security. All right, here's what we're gonna do, and you're not gonna be happy about this.

Put on a helmet, because I'm about to blow your mind. Okay, now for the physical threats, right, because remember, I even said, in [ __ ] ink, in a book, that password security starts with, you know, the password database being compromised, that's where the threat model starts, and I'm telling you I was wrong. Tell me where length and complexity will defend against any of these. Who can think of one scenario for physical theft where length and complexity matter?

Oh, shoulder surfing, clever. So, you know what, I'm gonna put an X next to that one. Potentially, yes, if you're trying to shoulder surf someone and they have a ridiculous, [ __ ] god-awful [ __ ] password, you'd have to be like Rain Man to pick that [ __ ] up, right? So that's true. They got the... yeah, they got the unified camera in the corner recording it. So, but you're right, you are right, that is a potential mitigation for shoulder surfing: make your password so complex no one could possibly shoulder surf it. So I like that. All right,

I will accept that. Okay, now let's go down to online brute force. Now keep in mind, have any of you actually performed online brute force? Okay, how fast did it go? Slow, extremely slow, right? Okay, so in order to make online brute force practical, you pretty much have to have a botnet or some sort of distributed infrastructure, and that's assuming they don't do rate limiting or account lockout, right? If they do rate limiting, now you also have to have, like, you know, a different IP address trying, like, you know, a handful of attempts, to try to slide under the radar, right? It's not easy to online brute force. Your guesses for online brute force have to

be highly targeted, right? So I'm gonna argue that length and complexity are rather irrelevant for online brute force, because for online brute force you're either trying a credential list or something really, really [ __ ] dumb, like CompanyName1, Summer2022, right? Does everyone agree with that? If you even have a moderately complex password, it's probably not gonna get cracked by online brute force. Okay, keyloggers. Does length and complexity defend against keyloggers in any capacity? Do you want to... what? I can't hear you, talk into my good ear. Oh, I'm right here, you want to see me? I'm right here. Oh, you want to see this?
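The rate-limiting point above, worked as an added example that is not from the talk and not Per's or Jeremy's code: a sliding-window login throttle that counts failures per source IP and per target account, replayed over constructed login events. A per-IP limit on its own is slid under by an attacker rotating addresses with a handful of guesses from each; counting failures per account across all addresses catches that pattern. The limits, window length and IP addresses are assumed values.

```python
"""Sliding-window login throttling that catches distributed online brute force.

Added example, not code from the talk. All events below are constructed.
"""
from collections import defaultdict, deque


class LoginThrottle:
    """Counts recent login failures per source IP and per target account.

    Limits and window are assumed policy values, not anything from the talk.
    Pass None for a limit to disable that rule (used below to show why a
    per-IP rule on its own is not enough).
    """

    def __init__(self, per_ip=5, per_account=10, window=600):
        self.per_ip = per_ip
        self.per_account = per_account
        self.window = window                    # seconds
        self._by_ip = defaultdict(deque)        # ip -> failure timestamps
        self._by_account = defaultdict(deque)   # account -> failure timestamps

    def _prune(self, q, now):
        # Drop failures that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def check(self, ip, account, now):
        """Return None if the attempt may be processed, else the rule blocking it."""
        ip_q, acct_q = self._by_ip[ip], self._by_account[account]
        self._prune(ip_q, now)
        self._prune(acct_q, now)
        if self.per_ip is not None and len(ip_q) >= self.per_ip:
            return "ip"
        if self.per_account is not None and len(acct_q) >= self.per_account:
            return "account"
        return None

    def record_failure(self, ip, account, now):
        self._by_ip[ip].append(now)
        self._by_account[account].append(now)


def replay(events, throttle):
    """Run (t, ip, account, password_correct) events through the throttle.

    Blocked attempts are rejected before the password is checked, so they are
    not counted as failures. Returns how many attempts reached the password
    check and how many each rule rejected.
    """
    counts = {"allowed": 0, "blocked_ip": 0, "blocked_account": 0}
    for t, ip, account, correct in events:
        rule = throttle.check(ip, account, t)
        if rule is not None:
            counts["blocked_" + rule] += 1
            continue
        counts["allowed"] += 1
        if not correct:
            throttle.record_failure(ip, account, t)
    return counts


def distributed_attack_events(n_ips=40, guesses_per_ip=3, account="alice"):
    """Constructed: a botnet rotates through documentation-range addresses,
    making only a few wrong guesses from each to stay under a per-IP limit."""
    events, t = [], 0
    for i in range(n_ips):
        for _ in range(guesses_per_ip):
            events.append((t, f"198.51.100.{i}", account, False))
            t += 1
    return events


def single_ip_attack_events(n=20, account="alice"):
    """Constructed: the naive case, every guess from one address."""
    return [(t, "203.0.113.7", account, False) for t in range(n)]


if __name__ == "__main__":
    print("per-IP rule only    :", replay(distributed_attack_events(),
                                          LoginThrottle(per_ip=5, per_account=None)))
    print("per-IP + per-account:", replay(distributed_attack_events(), LoginThrottle()))
    print("single IP           :", replay(single_ip_attack_events(), LoginThrottle()))
```

With the per-IP rule alone, all 120 distributed guesses reach the password check; adding the per-account counter lets only the first 10 through.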

Oh no, okay, all right, well, I don't know, she's talking about... Oh, you found the rainbow cup. Toddlers will get into anything. All right, here, you show me, you show me. Yeah, no, that's not okay. Okay, okay, buddy, all right. All right, SQL injection. So I'm gonna go ahead and start by prefacing this, saying that modern web app frameworks have made SQL injection less and less prevalent. Does anyone here do pen tests, like, daily? How often do you find SQL injection now compared to five years ago? More and more rare, right? In fact, on the OWASP Top 10 it's fallen from number one, where it sat for [ __ ] ever, to

number three, right? It's not even just SQL injection, it's all injections. They finally woke up and lumped all injection attacks together, because they basically are the same [ __ ] attack, it's injecting different things, right? I might be injecting [ __ ] PHP in this attack, or injecting, you know, SQL in this attack, but it's all [ __ ] injection. You know, even cross-site scripting is just, you know, JavaScript or HTML injection, right? So they lumped all injection together, and it's fallen to number three. So modern web app frameworks... it's not obsolete, don't get me wrong, it's just harder to [ __ ] up and code SQL injection today than it was five years ago, and OWASP has

shown this, it's fallen from number one to number three, right? And I'm also going to say, too, with today's distributed architecture, the servers handling the web app processing may not be, and in fact likely are not, the same ones that handle authentication, depending on the size and complexity of the app. When we, as, you know, cryptographers or password geeks, think about this, we think of a monolithic application running on one server, but that just really isn't the truth, especially for, you know, anything even remotely complex these days. You want to see Blue? Who's Blue out there? Right here, Lord child. Okay, no bubbles. Hey, do you watch YouTube? Do you wanna watch dinosaurs? You wanna watch

dinosaurs? Go to mommy, go get dinosaurs.

He looks just like me, doesn't he? All right, so, keeping the things I just said in mind, SQL injection may or may not yield password hashes, or it may yield only password hashes, right, and not the user's data that's part of the application, or it may yield everything, right, not just the password hashes but all the data that the user has stored in the application, thus making the password hashes less attractive, because you already have all the data that's inside the app in the database, right? So it's basically three different vectors here for SQL injection. We have SQL injection... why is there no dash on your keyboard? Where do you hide... which region? Where's the dash?

How can I do SQL injection without a dash? English, but still. Oh, it's down there. Well, now it's American, so now you've got me there. That's what I've been hitting before, I can't... give me zeros. Okay, all right, thank you Per, now you have the US layout. I love you, buddy. Okay, so we have SQL injection with hashes, and I'm gonna say SQLi with hashes plus plus... you said it was the American layout, this is not the freedom layout. All right, with user data, and all right, SQLi, what did I say, without hashes but with data. All right, so in the event of SQL injection with hashes there is a chance, of course, that length

and complexity could in fact, you know, mitigate this attack, right? So we'll put an X there. In this scenario where we have both the hashes and the user data, it does [ __ ] all, nothing for the most part, right? And then without hashes but with data, of course it doesn't matter if you have length and complexity, because all the data's been compromised; you know, you have hashes to crack. All right, all right. Phishing: does length and complexity matter for phishing? No. Rubber hose? No, absolutely not. Okay, remote code injection...

Plausible deniability? All right, you know what, I'll allow it. I'm gonna put one slash, that's half an X, for plausible deniability.

Where you're going with that, though, is kind of where I'm going with this. So yeah, so I'm giving half a slash, but no, you're right, but that's kind of where I'm going. Okay, so remote code execution: if you have RCE on a system, in that case, like that, that goes back to what my original threat model was, right, where password hashing becomes the insurance policy, right, where now we're trying to, you know, have a strong password hashing algorithm to buy time for us to notify or identify the breach, contain the breach, notify users, and users have time to be notified and update their passwords and [ __ ] like that, right? But if you have RCE on a box you can just

attach to the process and read the passwords in plain text as they're being submitted, right? You can sniff them from memory, you can scrape them from memory, or you can sniff them over the wire. You know, like, there's a lot of different vectors here that password hashing just doesn't defend against, right? So for the most part, if someone has arbitrary code execution, length and complexity don't defend against that in any way. Password reuse: does length and complexity defend or mitigate against password reuse? No. Oh...

Okay, so you're getting psychological now. No, no, that's... that's fair, that's fair. Okay, so, um, users who are inclined to create short passwords are also therefore more likely to be the users who use that same password everywhere. That's the argument.

I will accept that argument. I will counter-argue that what happens in reality is you end up with password-bang-facebook, password-bang-twitter, you see what I'm saying? Yeah, and I... Per's done a lot of research in that regard as well, I think you agree with that, that it tends to be you're still reusing the same password, you just have your own password system, you know what I'm saying? The people who have their little systems for their passwords, it's really... it's the same [ __ ] password, you just put some different [ __ ] on the end for each service. Oh, you were my replacement? Hi, replacement buddy. I read that it was like "Jeremy will be

missed" and I'm like, I'm right here, I'm not dead yet, still have 1600 miles to go. All right, no, that was really funny, nice to meet you. Okay. Oh, oh, it's going dark on me. Okay, so, I'm gonna put a question mark here for debatable. All right, supply chain: we have some piece of malware that's been slipped in upstream and we don't know about it, now scraping our users' passwords, which length and complexity doesn't [ __ ] defend against, does it? All right, default passwords: length doesn't [ __ ] defend. The service provider's selling your passwords, because why the [ __ ] wouldn't they, when they sell everything else? Doesn't defend. Man in the middle:

it doesn't defend. Hard-coded passwords, that's a little bit different, because, and check it, it didn't select that password, right? But like, let's say we're talking about a system where, like, you set the world's longest and most complex password for the root password, you're like, oh, no one can get in, but then someone's like "cisco123" and they get in, right? You know, so yeah, no, totally, I mean, yeah, like it didn't defend against that, did it? Side channels: maybe. I'm going to say that length and complexity could maybe defend against the side channel, maybe, depending on how reliable the side channel is. If it's a flaky side channel, a shorter password probably has more of

a chance to be caught than a longer password, right? So maybe. That was it, that was everything we came up with. Okay, now we have the threats and we have the risks and we have the mitigations. Out of all of these things, does length and complexity matter? What is the one thing that would defend against all of this? Can anybody name it? The... okay, the second thing: unique passwords. Unique. My proposal now is that the only [ __ ] thing that matters with regards to password security is not length, not complexity, not anything else, not emojis, not any other [ __ ], not even the underlying password hashing function, because again, as a user, our threat model

assumes that the service provider is storing the passwords in plain text, right? So I propose that the new threat model for password security is that the only one thing that matters is uniqueness. You want to sit on a table? Oh, thank you, brother, you're the best. Oh, that's really cold, that's really good, man. Give that kid a raise. Okay, so, oh...

Okay, so let's break down that scenario. Okay, so this scenario is: let's say we have a way to crack or gain access to a person's password, we log into the server...

Sure, right, right, right.

Okay, congratulations, you've gotten one user out of all my users, right? So even with... and I'm gonna, I'm gonna, I'm gonna address something that we also don't really talk about in the password space: password strength is an unsolved problem. We have not solved the problem of how to measure password strength, how to measure how strong a password is. We already know that Shannon entropy is [ __ ], right? We're not creating encryption keys. Oh, it's fine, let it die, let it die. No, we're not creating... Shannon entropy has nothing to do with passwords. We typically measure passwords in terms of key space, but even then key space is irrelevant if the key space is one,

because it's in our [ __ ] dictionary, right? So we have yet, as of 2022... this is like a [ __ ] Millennium Prize problem, is how to measure the strength or insecurity of a user-created password. A machine-created password is easy, we can do easy math on that, assuming the source of random is sufficiently random, which... where's the scotch? But, you know, as far as a user-created string, we have no way of measuring. There's been some really novel approaches, some really cool shit's been done in the space, but none of us really actually solved that problem. So even if you try to implement some kind of control, you know, to defend against the creative

user who creates a, you know, variation of Summer22 that bypasses all the complexity checks and meets the minimum length requirements, right? Like, there has to be some kind of margin of error for human stupidity and human creativity, because password strength is an unsolved problem. Now, the best way to solve that is to get rid of passwords, which FIDO2 is pretty well poised to do. Thank you, water fairy.

Okay, so do you agree? No? No, all right. One to center. All right, does anyone else have a rebuttal? Go ahead.

Okay, so let's talk about... so, um, when I say the only requirement, the only request that matters is uniqueness, right, so what I'm saying, what I'm proposing, is that shifts the threat model for users to basically just be password managers, right, where we have a password manager creating a unique password for each one of our sites and services, so we don't have users creating passwords, we have unique passwords that are being generated and created for every, every service, right? So does that clarify that? So we don't have users really creating dumb passwords. I think that addresses both things, because that's the path to unique, right? The path to unique is to remove humans and our dumb, squishy, predictable brains

from the password creation process entirely. Yes, sir? It [ __ ] doesn't, so you're right, it doesn't defend against all of them, but that was also a really unique one that I hadn't considered, but it's also highly plausible. So, oh, the question was: how does having a unique password defend against a service provider who's actually selling your passwords? You know, and when I first went through this threat model by myself I had not considered that, that was not in my threat model, but I think it's highly plausible, because again, they sell everything else about us, why would they not sell passwords? And people like me would buy them. I [ __ ] wouldn't... harpy... if [ __ ]

Twitter put up a thing, like, you know, to the ad networks, to like, you know, ad partners, been like "this data set includes, you know, username, email address, plain text password": [ __ ] sold, take out a second mortgage. Am I wrong? No. So hit me up, Twitter. They'll probably bury it in a new EULA now. They will, exactly. Usually use one of any [ __ ] clue. Yes, sir?

No. Account, one password, right? So each and every account that you have, you create a new password for, and the only way to do that is essentially with a password manager to manage all that for you. No, there's no reason to change your password if you don't suspect it's been compromised, right? And as we went through the threat model, the threats of compromising the password, a lot of those things, the password itself is irrelevant, right? So changing isn't going to do anything for 90% of things in the threat model, of course.

That's right, you can, yes. It's like your own little canary. So basically what he said is, if you're using a unique username and a unique password per site and service, you now know who gets breached based on what spam you receive at the different email addresses, right? Or what if you have blackmail attempts or things like that, right? You [ __ ] know, because you're only using one set of credentials for one site or service. It's like your own little canary out there. So all right, does anyone have anything else? No? Oh, oh, oh, oh, to manage your... oh, manager, you do, you do. So I'm gonna very, very quickly address this, because this is,

again, this is all... this is [ __ ] that I put out on Twitter like 25 times a month, to where I'm blue in the [ __ ] face, and like, you're right. So you have your password manager, which generates all your passwords for you, except for your master password for your password manager, in which case you have to commit that to memory, right? And that's most of the grievance of people on Twitter who are like, "it only allows 30 characters for my password, holy [ __ ], how insecure." Like, unless you have to create a password you have to commit to memory for that site and service, it doesn't [ __ ] matter. Your password only has to be 12 or

13 characters long for me not to crack it, right? So then for your master password, right, your password manager is employing a proper key derivation function that is slow as [ __ ] [ __ ], and I'm not going to be able to try, you know, my usual, you know, 750 billion guesses per second against your master password. I'm just not, without incurring massive expense, and are you worth it? Do I want to expend that kind of, you know, capital just to crack your password? You know, are you important enough for that? Like, I'm not demeaning you, good sir, I'm sure you're a perfectly upstanding human being, I love your smile, but you know, I'm not gonna drop five

million dollars to crack your password. I'm not, [ __ ] you. So yeah, for your password manager master password, which employs a proper key derivation function, you don't have to have anything that strong. Even a seven-character random password, which is easy to remember, will be pretty [ __ ] secure if it's hashed with, like, you know, Argon2 with an insanely high number, to where your, you know, run time is, like, you know, greater than 1000 milliseconds, right? So it's simple stuff. Once you... once you bring it down to this level, password security becomes [ __ ] easy, you know, like it's like, you know, mom and dad can do it type [ __ ].

All right, one more thing and then I'm gonna concede the mic to the people who want to clear the room.

How will HSMs factor into this? So, on a service or a user level, or at an organization level? On a user level I would say an HSM wouldn't play much of a difference, but on a service provider level, assuming you have good secrets management, right, for the HSM, like, you don't even have to do expensive password hashing in that case. You can just do an HMAC with a key that's stored in the HSM, and it doesn't matter if the password hashes are released, because I don't have the [ __ ] key in the HSM, right? So I'm never going to crack those passwords. Um, does that answer your question? Awesome. All right, so since no one else has any strong

disagreements, I'm going to say I win. All right, thank you guys, good to see everybody going after three years. And I'm really not sure what to say now. It's like, Jeremy, I... you don't disagree with me. I... yeah, but I really enjoyed doing this conference and suddenly I don't see the point anymore. It's, uh, thank you. PasswordsCon, but make it nihilism. Now you understand the title. Jim, I need some help here, tell me why I should continue to do PasswordsCon, because it seems pointless now. Thank you, Jeremy. Uh, I have no further questions for this one, absolutely awesome. Uh, obviously, uh, you will stay around, uh, today and for a few more days as well? Or... I'll be here

till Sunday, Monday. Sunday, Monday. Hit him up and try to find some more arguments so we can continue to do PasswordsCon. Uh, that was the end of PasswordsCon for this, for this round. Thank you all for coming to PasswordsCon, I love doing this. It is wonderful to be back in Vegas, uh, for me it's been six years since the last time I was here. I'm already looking forward to coming back next year, and I hope you enjoy the rest of BSides and also attend the pool party today, and see you around. I will also be at DEF CON, specifically I'm doing a talk at the Crypto & Privacy Village on Friday called "ID Theft Insurance: The Emperor's New

Clothing", so maybe I will see you there. And until then, thank you to everyone, to the volunteers, to all the staff of BSides, to everyone that has helped us out, and most importantly all of you being here. Thank you. [Applause]
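The keyed-HMAC scheme the speaker sketches in the HSM answer near the end of the talk (store an HMAC of the password under a key that lives in the HSM, so a leaked table cannot be cracked without the key), written out as an added example. This is not code from the talk or from any PasswordsCon material. The `SimulatedHsm` class, the `enroll`, `verify` and `offline_crack` functions, and the sample users and passwords are my assumptions for illustration; a real HSM performs the HMAC itself and never exports the key, and a real service would call it over its own API.

```python
"""Added example (not from the talk): password verification where the
stored value is an HMAC under a secret held outside the database.

Assumptions (mine, not the talk's): the HSM is simulated by an in-process
object that only exposes an HMAC operation over a key it never exports.
The sample users and wordlist are constructed for the demo.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Iterable, Optional, Tuple


class SimulatedHsm:
    """Stand-in for an HSM: holds the pepper key and exposes only HMAC.
    No method returns the key bytes, mirroring a non-exportable HSM key."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def hmac_sha256(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()


# "Database" rows: username -> (salt, stored_digest). Constructed demo data.
UserDb = Dict[str, Tuple[bytes, bytes]]


def _keyed_digest(hsm: SimulatedHsm, salt: bytes, password: str) -> bytes:
    # The per-user salt keeps identical passwords from producing identical
    # rows; the HSM key is what keeps a leaked row from being crackable.
    return hsm.hmac_sha256(salt + password.encode("utf-8"))


def enroll(db: UserDb, hsm: SimulatedHsm, username: str, password: str) -> None:
    salt = os.urandom(16)
    db[username] = (salt, _keyed_digest(hsm, salt, password))


def verify(db: UserDb, hsm: SimulatedHsm, username: str, password: str) -> bool:
    if username not in db:
        return False
    salt, stored = db[username]
    # Constant-time comparison so verification itself is not a timing oracle.
    return hmac.compare_digest(stored, _keyed_digest(hsm, salt, password))


def offline_crack(db: UserDb, username: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding only the dumped table can do: guess
    candidates and compare. Without the HSM key the guess can only be
    hashed unkeyed, so it never matches a keyed row."""
    salt, stored = db[username]
    for guess in wordlist:
        candidate = hashlib.sha256(salt + guess.encode("utf-8")).digest()
        if hmac.compare_digest(stored, candidate):
            return guess
    return None


def demo() -> dict:
    """Enroll two users with the same weak password, then show that the
    service verifies logins, that a dump alone yields nothing, and that
    a different key (another HSM) cannot verify the stored rows."""
    hsm = SimulatedHsm()
    db: UserDb = {}
    enroll(db, hsm, "alice", "Summer22!")   # constructed: dictionary-class password
    enroll(db, hsm, "bob", "Summer22!")     # constructed: same password as alice
    wordlist = ["password", "Summer22!", "cisco123"]  # constructed wordlist
    return {
        "login_ok": verify(db, hsm, "alice", "Summer22!"),
        "login_wrong": verify(db, hsm, "alice", "Summer23!"),
        "login_unknown_user": verify(db, hsm, "mallory", "Summer22!"),
        "cracked_from_dump": offline_crack(db, "alice", wordlist),
        "rows_identical": db["alice"][1] == db["bob"][1],
        "other_key_verifies": verify(db, SimulatedHsm(), "alice", "Summer22!"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would add to the speaker's answer. First, the scheme only holds while the key stays out of the attacker's reach: with code execution on the application server (the RCE case from earlier in the talk) the attacker can use the HSM as an online oracle, so per-call rate limiting and audit logging on the HSM matter. Second, many deployments still run a slow KDF in addition to the HMAC, so that a key compromise on its own does not turn the whole table into fast unsalted-equivalent hashes; the speaker's point is that the HMAC is what makes the leaked table itself uncrackable.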