Testing of Password Policy
Anton Dedov

ZeroNights 2013
Who Am I
• Software Developer and Security Engineer @ Parallels Automation
• Open source developer
• Mail: adedov@gmail.com
• Twitter: @brutemorse
Motivation
• It is hard for application developers to make a reasoned choice between existing password meters.
• Worse, some implement their own (or customize existing ones) without understanding the security and psychological implications.
• Some framework or set of criteria is needed to support a reasoned choice.

NAÏVE SECURITY MODEL
Untargeted Online Attacks
[Diagram: user base and common passwords; label as extracted: 100 K]

• 1 guess per user / day
• 2 days to find first password
• 100 days to find 50 passwords

[Diagram: labels as extracted: 10 K, 100 K, 2.5 K, 5K]

• 1 guess per user / day
• 10 days to find first password
• 1.5 yr to find 50 passwords
Targeted Online Attacks
• 10 failed attempts → 1 hour block
• 240 attempts per user / day
• 7200 attempts per user / month
• 86400 attempts per user / year
• More IPs scale linearly
Offline Attacks
• Huge dictionaries
• Specialized hardware and clusters
• No time/complexity limitations except
– Enforced password quality
– Hash speed
– Salt uniqueness

TESTING PASSWORD METERS
Candidates
• Plesk
• jquery.complexify
• zxcvbn
• libpwquality
• passwdqc
Method
• Apply meters to password bases
• Dictionary attacks with JtR
• Rule-based attacks with JtR
• Collect essential parameters
Apply Meters
• Requirement: a meter should give an unambiguous signal of whether a password is accepted or not.
• Passwdqc says plainly “OK” or “Bad”.
• Others return a score. Minimal accepted score documented.

Password Bases
• Real customers
• RockYou all
• CMIYC-2010 not cracked
• Random passphrases
• Random 10-char passwords

Red for attacks; blue for psychological acceptance.
Dictionaries
Dictionary                        Size, words
Tiny English                      817
RockYou top                       1438
Common-passwords                  3546
English                           54316
Tiny English crossed / 8 chars    72100

Rules
Rule                 Factor
JtR defaults         ~ 40
JtR jumbo            ~ 5500
m3g9tr0n-2048512     = 3510
m3g9tr0n-2048517     ~ 860

Cracking Sessions
Rules                Tiny
None                 817 words
JtR default          41K words
JtR jumbo            4M words
m3g9tr0n-2048512     2.8M words
m3g9tr0n-2048517     707K words
Cracking Sessions
• 25 attacks per password base per meter
• Min dictionary size 817
• Max dictionary size 396M

RockYou dictionary was not used against RockYou password base.
Parameters
• M – passwords approved by meter
• D – attack dictionary size
• C – # of guessed passwords during attack
• Attack effectiveness: $C / M$
• Attack economy: $C / D$
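The parameters above, computed end to end for one meter, one password base and one dictionary, as an added example (not code from the talk). The meter `toy_meter`, the mangling suffixes and every sample password are constructed for illustration and do not reproduce any of the tested meters or JtR rule sets.

```python
"""Attack effectiveness (C/M) and attack economy (C/D) for one meter,
one password base and one attack dictionary. All data is constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set

# Constructed password base: one entry per account, duplicates allowed.
BASE: List[str] = [
    "password", "Password1!", "Summer2013!", "qwerty", "Dragon123!",
    "correct horse battery staple", "xK9#mP2$vL", "Password1!",
    "letmein", "Monkey2013",
]

# Constructed dictionary and mangling suffixes: stand-ins for the deck's
# dictionaries and rule sets, not copies of them.
WORDS = ["password", "dragon", "monkey", "summer"]
SUFFIXES = ["", "1", "123", "1!", "123!", "2013", "2013!"]


def toy_meter(password: str) -> bool:
    """Hypothetical composition-rule meter: >= 8 chars and >= 3 char classes."""
    classes = {
        "lower" if c.islower() else
        "upper" if c.isupper() else
        "digit" if c.isdigit() else "other"
        for c in password
    }
    return len(password) >= 8 and len(classes) >= 3


def expand(words: Iterable[str], suffixes: Iterable[str]) -> Set[str]:
    """Rule-based expansion: lower/capitalized form of each word plus a suffix."""
    suffixes = list(suffixes)
    return {
        case(w) + s
        for w in words
        for case in (str.lower, str.capitalize)
        for s in suffixes
    }


@dataclass(frozen=True)
class AttackResult:
    approved: int   # M: passwords in the base that the meter accepts
    dict_size: int  # D: distinct candidates tried
    guessed: int    # C: approved passwords found among the candidates

    @property
    def effectiveness(self) -> float:
        return self.guessed / self.approved if self.approved else 0.0

    @property
    def economy(self) -> float:
        return self.guessed / self.dict_size if self.dict_size else 0.0


def run_attack(base: Iterable[str], meter: Callable[[str], bool],
               candidates: Iterable[str]) -> AttackResult:
    """Keep only meter-approved passwords, then count how many are guessed."""
    approved = [p for p in base if meter(p)]
    cands = set(candidates)
    guessed = sum(1 for p in approved if p in cands)  # counted per account
    return AttackResult(len(approved), len(cands), guessed)


def acceptance_rate(base: List[str], meter: Callable[[str], bool]) -> float:
    """Share of the base the meter accepts (the deck's psychological acceptance)."""
    return sum(1 for p in base if meter(p)) / len(base)


if __name__ == "__main__":
    sessions = {
        "no rules": set(WORDS),
        "with suffix rules": expand(WORDS, SUFFIXES),
    }
    for name, cands in sessions.items():
        r = run_attack(BASE, toy_meter, cands)
        print(f"{name:18} M={r.approved} D={r.dict_size} C={r.guessed} "
              f"effectiveness={r.effectiveness:.2%} economy={r.economy:.2%}")
    print(f"acceptance rate: {acceptance_rate(BASE, toy_meter):.0%}")
    print("passphrase accepted:", toy_meter("correct horse battery staple"))
```

The constructed meter blocks every plain dictionary word yet approves their mangled forms, and it rejects the long passphrase, which is the trade-off between security and acceptance that the measurements in the following slides quantify for the real meters.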
Online Attacks Effectiveness

For dictionaries < 100K: max guess rate 0.007%

Max Attack Effectiveness
[Bar chart: max attack effectiveness per meter (passwdqc, plesk, zxcvbn, complexify, pwquality); series customer2, customer1, rockyou; y-axis 0.0000% to 0.1400%. Data labels as extracted, in groups of three: 0.0304%, 0.0210%, 0.0011%; 0.0130%, 0.0089%, 0.0002%; 0.0182%, 0.0315%, 0.0130%; 0.0546%, 0.0460%, 0.0049%; 0.0794%, 0.0290%, 0.0224%]
Max Attack Economy
Password base   pwquality   complexify   zxcvbn     plesk     passwdqc
rockyou         62.1545%    19.8816%     64.1850%   0.1224%   0.1224%
customer1       0.2782%     0.1224%      0.2782%    0.1224%   0.1224%
customer2       0.1224%     0.1224%      0.1224%    0.1224%   0.1224%

Average Attack Economy
Password base   pwquality   complexify   zxcvbn    plesk     passwdqc
rockyou         3.2154%     1.0375%      3.4033%   0.0079%   0.0137%
customer1       0.0177%     0.0095%      0.0180%   0.0092%   0.0092%
customer2       0.0093%     0.0101%      0.0096%   0.0092%   0.0094%

Guesses Totals
Meter          RockYou   Customer 1   Customer 2
plesk          0.08%     0.28%        0.28%
passwdqc       0.18%     0.23%        0.12%
zxcvbn         0.54%     0.26%        0.06%
complexify     0.54%     1.06%        0.40%
libpwquality   1.16%     0.50%        0.45%
Guesses Totals
[Chart: guesses totals per meter (passwdqc, plesk, zxcvbn, complexify, pwquality); series rockyou-all, customer2, customer1; y-axis 0.00% to 2.50%]
Psy. Acceptance: User Passwords

Meter          RockYou   Customer 1   Customer 2
plesk          0.21%     3.45%        5.53%
passwdqc       1.60%     14.90%       40.62%
zxcvbn         5.43%     16.29%       43.16%
complexify     2.03%     7.05%        27.18%
libpwquality   4.32%     11.88%       34.27%
Psy. Acceptance: User Passwords
[Chart: psychological acceptance of user passwords per meter (passwdqc, plesk, zxcvbn, complexify, pwquality); series customer2, customer1, rockyou-all; y-axis 0.00% to 70.00%]

Psy. Acceptance: Hard Passwords
Meter          CMIYC-2010   Pass-Phrases   Random 10 chars
plesk          24%          0%             42%
passwdqc       59%          99.98%         100%
zxcvbn         42%          99.76%         99.99%
complexify     3%           99.94%         0%
libpwquality   10%          99.82%         81%
Psy. Acceptance: Hard Passwords
[Chart: psychological acceptance of hard passwords per meter (passwdqc, plesk, zxcvbn, complexify, pwquality); series CMIYC2010-uncracked, phrases-rand39, random10; y-axis 0.00% to 100.00%]
The “editors” choice
Security             Psychology
passwdqc             zxcvbn
plesk                passwdqc
zxcvbn               libpwquality
jquery.complexify    jquery.complexify
libpwquality         plesk

Conclusions
• Test your security tools for security
• Avoid writing your own security tools
• All tested meters protect from online attacks
• They also seem to protect from offline attacks (for slow hashes and unique salts)
• But most tend to deny more passwords than is necessary, including ones known to be hard
• Passwdqc and zxcvbn look best
Where to go?
• Bigger dictionaries and brute force
• Testing on real people to
– Learn evolution of “common passwords” lists
– Test psychological acceptance empirically

• More meters?

Special thanks

Alexander Peslyak
Solar Designer

Bonus: time to process RockYou…
(MBP 2011)
[Bar chart: processing time in hours per meter (zxcvbn, pwquality, plesk, passwdqc, complexify); x-axis 0:00 to 7:12. Data labels as extracted: 3:15, 5:48, 0:13, 0:26, 0:16]


Editor's Notes

  1. Naïve model
  2. 0.007 2276 0.64185 rockyou-all zxcvbn common-passwords-none
  3. 0.1224% : 1 to 1000
  4. 0.01% : 1 to 10000.001% : 1 to 10000
  5. 1.72% of CMIYC was cracked
  6. 20K/s vs. 2000/s