Vulnerabilities leading to password leaks are not going away, and will continue to occur. Defenses against the plaintext disclosure of passwords need to operate at multiple levels, one of them being the initial creation of the user's password. Historically this has been handled with traditional complexity checks written in JavaScript or language-specific libraries, leaving the implementation to application developers, who may not have had the training or expertise to put adequate requirements in place.
I will present a new tool to address this issue and raise the bar for password complexity requirements. Acting as a language-agnostic web service, the tool will allow the developers of any application to test prospective passwords against highly configurable requirements. By performing the checks in this manner we can rule out common password creation techniques, including but not limited to: keyboard walking, leetspeak transformations of a single base word, and passwords based on dates.
A discussion of complexity requirements, user behavior, and tool creation will be followed by a demo and the release of an open-source web service.
Tom Steele, aka reba, is an American security consultant currently employed by Fishnet Security, best known for being a Node fanboy. The dynamic nature of his current role allows him to touch many areas of the offensive security spectrum. When not working, he can be found creating tools to solve complex problems -- in Node. Some say that his genitals are on upside-down, and that if he could be bothered, he could crack the Da Vinci code in 43 seconds.