Sex, Secret and God: A Brief History of Bad Passwords
Most of what we've been told over the years about what makes a good password has been wrong, so it's no surprise most people pick bad passwords. This talk will cover the history of password policy and password cracking starting from the days when Richard Stallman hacked the passwords forced on his MIT computer lab because he considered them an authoritarian method of control. Next I'll discuss the golden days of password guessing featured prominently in movies like Hackers and WarGames. Next I'll move to the tech boom, rainbow tables, and the introduction of draconian IT policies like password rotation and password complexity and the dirty little leet-speak password secrets they led to.
As we get closer to the modern day I'll discuss the "correct horse battery staple" password renaissance and more modern approaches to password cracking spawned by tools like oclhashcat and giant password databases dumps like RockYou. We'll finish up with the latest attempts to fix the password auth problem such as new approaches to secure password generation in password managers and schemes such as diceware as well as cover password auth reinforcements like the different forms of 2FA (including U2F) and Facebook's new approach to "I forgot my password" workflows. By the end everyone should have plenty of ammunition to take back to their IT department and get rid of those horrible password policies.
Kyle Rankin is Senior Vice President of Security and Infrastructure at Zero; the author of the upcoming Linux Hardening in Hostile Networks, as well as DevOps Troubleshooting, The Official Ubuntu Server Book, Knoppix Hacks, and is an award-winning columnist for Linux Journal. He speaks frequently on security and Open Source software including at O'Reilly Security Conference, CactusCon, SCALE, OSCON, Linux World Expo, Penguicon, and a number of Linux Users' Groups.