Password Security Policies - Lessons Learned from Recent Password Leaks

Yahoo, eHarmony and LinkedIn are some of the popular websites whose credential databases, each containing millions of password hashes, were recently exposed to the general public.

Our research team analyzed both the technical and the human factors that affect password strength and resistance to cracking. From a technical point of view, the most significant flaw was the use of naïve functions for password storage. On the human side of the equation, people choose and use passwords following patterns that further reduce the effectiveness of the protection mechanisms and, with it, the security of the system.

Throughout this talk we’ll describe and analyze the security protections applied to the leaked passwords. We’ll also present metrics showing why these protections were insufficient, and present the generally accepted mechanisms for storing passwords. We’ll close the talk by discussing how we took advantage of the flaws mentioned above to crack 90% of one of these leaks in record time.
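As an added illustration (not the talk's own code or data), the storage contrast the abstract points at: a fast unsalted digest stands in for the naïve functions, with a constructed sample of reused passwords showing how reuse is visible in the stored hashes before any cracking, beside a salted PBKDF2 scheme from Python's standard library. Which functions the leaked sites actually used is not stated on this page, and the iteration count is an assumed work factor.

```python
"""Naive vs. recommended password storage (added illustration, not the talk's code)."""
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample credential set: the repeats and the "word + digits"
# shape stand in for the human-factor patterns the abstract mentions.
SAMPLE_PASSWORDS = ["linkedin", "password1", "linkedin", "Summer2012",
                    "linkedin", "password1"]

# Assumed work factor; tune so one verification costs roughly 100 ms on your hardware.
PBKDF2_ITERATIONS = 600_000


def naive_store(password: str) -> str:
    """Fast, unsalted digest: the kind of naive storage the abstract criticises."""
    return hashlib.sha1(password.encode()).hexdigest()


def duplicate_groups(stored: list) -> dict:
    """Map each repeated stored value to its count. With an unsalted hash,
    every user who chose the same password shares one digest, so reuse and
    popular choices are readable straight off the database."""
    return {h: n for h, n in Counter(stored).items() if n > 1}


def kdf_store(password: str, salt: bytes = b"") -> str:
    """Salted, deliberately slow KDF; record format is salt$iterations$digest."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${PBKDF2_ITERATIONS}${digest.hex()}"


def kdf_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt_hex, iterations, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    naive = [naive_store(p) for p in SAMPLE_PASSWORDS]
    print("repeated naive digests:", duplicate_groups(naive))  # two groups, sizes 3 and 2
    kdf = [kdf_store(p) for p in SAMPLE_PASSWORDS]
    print("repeated KDF records:", duplicate_groups(kdf))      # {} : per-record salt hides reuse
    print(kdf_verify("linkedin", kdf[0]), kdf_verify("Linkedin", kdf[0]))  # True False
```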
