Avi Douglen – Passwords, Rehashed All Over Again


Passwords suck.

It’s no secret – passwords are boring, passwords are weak, passwords are STOOPID. We all hate using them, we all hate building systems for them, we all hate breaking them, we all just hate dealing with them. Nevertheless, passwords are here to stay as the most common authentication mechanism. At least, passwords are a simple mechanism, and we all understand how to protect them well enough.

Then how come we keep getting them wrong?

Wait, whaaaat??

Not only are password protected sites usually flawed; not only are millions of passwords stolen more often than stupid cat pictures are posted to Facebook; not only does your mother reuse the same simple password everywhere – we, the security industry, keep giving bad password advice!

This talk will discuss popular misconceptions regarding how to secure passwords, even amongst security experts. We will also show some practical attacks against the common recommendations in this area. Finally, I will share the simple solutions that we should be recommending, and prove mathematically that they are correct.

AviD has always denied being a hipster, but when it comes to password misuse he is a downright cranky neckbeard.

During his many years as a developer, security lead, and consultant, he has been party to some pretty poor password practices. (Pretty poor password practice parties are not as much fun as you might think). Now, he is attempting to atone for that, and throws a hissy fit every time he encounters a site with counter-productive password practices. Stay on his good side and do the right thing.

For the past X years, AviD has been working as a consultant, supporting organizations of all sizes in integrating security methodologies and products into their development processes. He spends a lot of time doing security research, and often provides training on secure coding and other security topics. He is also a frequent speaker at industry conferences, such as OWASP and RSA.

AviD also leads the OWASP Israel chapter, is a community moderator on https://security.StackExchange.com/, and volunteers as a high school tech teacher.