Ball and Chain (A New Paradigm in Stored Password Security)

DerbyCon 4.0 - Family Rootz

Presented by: Benjamin Donnelly, Tim Tomes (LaNMaSteR53)
Date: Friday September 26, 2014
Time: 16:00 - 16:50
Location: Track 1

Weak security architectures have led us into a world of massive password breaches occurring at an alarming rate. Infrastructure and application authentication systems continue to rely on credentials stored in databases. While there are ways to mitigate risk to these systems, offline attacks against stolen credential stores have remained possible… until today. Forget MD5. Forget SHA1. In fact, forget hashing altogether. We can do better by using the strategic advantages of the defensive perspective. The Ball and Chain password storage mechanism has the power to halt offline attacks on credentials for good. No more password breaches. No more fear of being the next Stratfor/Adobe/Yahoo/etc. No more CorrectHorseBatteryStaple. Let's take back the internet.

KhanFu - Mobile schedules for INFOSEC conferences.