Hamburg on Ruby

Lightning Talks

1. @KlausTrainer - End-to-End Arguments in System Design
2. @catrinmsj - Entwickler und die anderen - guckt doch mal ins Nachbarbüro
3. @LAndreas - System call interception
4. @toadle - The end of developer-days. - Ab wann braucht der Markt eigentlich keine Entwickler mehr?
5. @halfbyte - How do you keep your dependencies up to date?

Security folks urge us to use strong passwords all the time. The common approach to ensure this in a corporate environment is to implement password policies. You know, these annoying rules that do not let you choose your favorite password anymore. Plus, the stuff that forces you to change your now not so favorite password every 90 days.

In the past years, there has been some controversy within the security community whether our beloved password policies actually make sense. That is, do they lead to better passwords, or do they just frustrate the users and maybe even lead to weaker passwords. Well, guess what: As it turns out, not all is good about password policies.

In this talk, I will share some experience from running a password cracking service in a corporate environment. The service was implemented in addition to a common password policy. The goal was to raise awareness and to strengthen the passwords of my colleagues. Results show that passwords which are compliant with complex policies nevertheless can be cracked within minutes. We will see how dramatic the effect of poor password hashing is to this type of attacks, and how you can run such a service without being hated by all of your colleagues :)