Rethinking P@ssw0rd Strength Beyond Brute-force Entropy

BSidesLV 2017

Presented by: Ross Dickey
Date: Wednesday July 26, 2017
Time: 12:00 - 12:25
Location: Ground1234!

Everywhere you need a password, the requirements follow a basic pattern: X length; must contain (or not contain?!?) lowercase, uppercase, digits, and symbols; must be rotated every Y days. But is that enough? This talk rethinks how we approach password strength, or “entropy”, in the real world.

There are many people who create passwords nonrandomly and think they’re making their passwords look random, but many common “clever” tricks aren’t so, and in fact are very guessable. Rather than calculating entropy as if the passwords were created randomly, we can find new and clever ways of calculating entropy given this knowledge.

Ross Dickey

I am a SysAdmin turned Software Engineer turned DevOp turned security-minded DevOp. I have been in the industry for 14 years but strong into security for over three. Starting around the time of the Ashley Madison hack I've had a passion for passwords, and their use and misuse by amateurs and pros alike.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats