Author Topic: Thoughts on Presentation topic of Passwords  (Read 1142 times)


Offline phunkpwnz

  • /dev/null
  • *
  • Posts: 13
  • Cookies: -1
Thoughts on Presentation topic of Passwords
« on: October 23, 2013, 03:34:44 pm »
Hi everyone,

 My name is phunkpwnz; I made an introduction some months ago. Long story short, I'm a noob but interested in the broad field of infosec and all other extensions of it, which is curiously enough everything. So I am interested in life. That being said, I am presenting a topic for my school's infosec club and I am leaning toward talking about passwords.

 In particular, how passwords cannot be naively thought of as the only security policy and how you most definitely need other policies/protocols with it. And I compare it to lock picking: eventually the intruder will break into your house, but the fact he is lock picking in a suspicious manner should trigger your other policy of A) alerting the police or B) calling him out on his actions etc. Now this is good for those new to infosec, but I am sure that there will be people who already know this and I was just curious as to what other things people more immersed in the field would be interested in hearing related to the topic?

I am also gonna add a few statistics about the rate of possible brute force attacks using cuda and known scripts and how to harden your system against it etc. But any other avenues I might look into to make my presentation a bit more interesting to the already initiated?

Thanks in advance.

TLDR? - Basically I have a presentation on passwords and I would like to know what intermediate or expert level people in the infosec/hacking/IT/generally knowledgeable might be interested in hearing about this topic.
« Last Edit: October 23, 2013, 03:36:08 pm by phunkpwnz »

Offline I_Learning_I

  • Knight
  • **
  • Posts: 267
  • Cookies: 26
  • Nor black or white, not even grey. What hat am I?
Re: Thoughts on Presentation topic of Passwords
« Reply #1 on: October 23, 2013, 04:21:00 pm »
I believe what's really important is that you show the weakness of dictionary based passwords, that you show the magnitudes on the password (26^length..., 36, 52, 62) when it comes to bruteforce and that you state the difference between online and offline cracking.
I believe if, while explaining this, you give examples of aircrack, CUDA cracking and John the Ripper, you will have explained the biggest part. Everything after that should be boring to the average user, as you would be explaining how protocols work, which can be messy for someone listening to this for the first time and might be more confusing than clarifying.

If you're presenting to people interested and knowledgeable you can go into specific encryption like EAP, MD5, and many others, presenting the vulnerabilities of those same encryption methods.
Thanks for reading,
I_Learning_I
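The magnitudes and the online/offline distinction in the reply above, worked through as an added example (my code, not the poster's): keyspace and bits for the 26/36/52/62 alphabets at several lengths, the time to exhaust them at an assumed throttled online rate versus an assumed offline GPU rate, and the much smaller work for a dictionary word plus a handful of mangling variants. The guess rates and the 100,000-word dictionary are constructed assumptions for illustration.

```python
import math

# Alphabet sizes named in the reply, with an assumed mapping to character
# classes: lowercase; lowercase + digits; mixed case; mixed case + digits.
CHARSETS = {"lower": 26, "lower+digits": 36, "mixed": 52, "mixed+digits": 62}

# Constructed guess rates (assumptions for illustration): a login form that
# throttles to about 10 guesses per second, versus an offline GPU cracker
# running a fast unsalted hash at about 1e10 guesses per second.
ONLINE_RATE = 10.0
OFFLINE_RATE = 1e10


def keyspace(charset_size, length):
    """Number of candidates for a random password of this length."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """log2 of the keyspace: the bits of work a guesser faces at worst."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size, length, rate):
    """Time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def dictionary_bits(wordlist_size, variants_per_word):
    """Effective bits when the password is one wordlist entry plus one of a
    few mangling variants (capitalisation, a digit suffix, ...)."""
    return math.log2(wordlist_size * variants_per_word)


def human(seconds):
    """Render a duration for a slide."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def strength_table(lengths=(6, 8, 10, 12)):
    """Rows of (charset, length, bits, online time, offline time)."""
    rows = []
    for name, size in CHARSETS.items():
        for length in lengths:
            rows.append((name, length, round(entropy_bits(size, length), 1),
                         human(seconds_to_exhaust(size, length, ONLINE_RATE)),
                         human(seconds_to_exhaust(size, length, OFFLINE_RATE))))
    return rows


if __name__ == "__main__":
    for row in strength_table():
        print("{:<13} len {:>2}  {:>5} bits  online: {:<22} offline: {}".format(*row))
    # Constructed dictionary attack: 100,000 words x 10 mangling variants
    # is under 20 bits of work, whatever the password's length.
    print(f"dictionary word + 10 variants: {dictionary_bits(100_000, 10):.1f} bits")
```

The table makes the point of the reply concrete: an 8-character lowercase password that would hold for centuries against a throttled login form falls in about twenty seconds offline, and a dictionary word with a few variants is weaker than any of the random cases regardless of length, which is why the hash storage and the lockout policy matter as much as the password rule itself.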

Offline phunkpwnz

  • /dev/null
  • *
  • Posts: 13
  • Cookies: -1
Re: Thoughts on Presentation topic of Passwords
« Reply #2 on: October 23, 2013, 04:42:02 pm »
Great advice,

I will tackle it exactly like that. Thanks a lot.

Offline Architect

  • Sir
  • ***
  • Posts: 428
  • Cookies: 56
  • STFU
Re: Thoughts on Presentation topic of Passwords
« Reply #3 on: October 23, 2013, 07:00:16 pm »
Quote from: phunkpwnz
Great advice,

I will tackle it exactly like that. Thanks a lot.

Great place to start researching is this PDF from the Czech Society for Systems Integration found using google, very precisely:
Password Audit as indicator of security quality

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
Re: Thoughts on Presentation topic of Passwords
« Reply #4 on: October 23, 2013, 07:10:03 pm »
Good chance to spill my thoughts.

Where I work we don't have a too strong password policy.
We thought about it a long time.

There is one fundamental problem with very strong passwords and a renewal policy, people are stupid.
The CEO of company A doesn't like $T$F*HYFW%"( , even if we force him to, he's gonna do one thing.
Write it down.....
Major problem.

Might be hard to crack but if you just walk in and pickup the post-it attached to the monitor... well..
So we enforce a medium strength password policy.
We give out passwords and don't let people consider their own, they are just too stupid and I don't like endless discussion.
So we give out rememberable passwords of considerable strength (I wrote a tool for that) and have a flush every x period.
Key thing is that we have passwords good enough to resist basic cracking (not talking massive clusters) but are easy enough and purposely created to be rememberable to prevent the issue mentioned above.
Human aspect plays a bigger role than computational problems in this case, at least that's my vision.
« Last Edit: October 23, 2013, 07:10:30 pm by proxx »
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline phunkpwnz

  • /dev/null
  • *
  • Posts: 13
  • Cookies: -1
Re: Thoughts on Presentation topic of Passwords
« Reply #5 on: October 23, 2013, 07:47:22 pm »
Thank you all for posting your thoughts. I will try and implement the majority of the ideas and give a brief breakdown with the final presentation I come up with, and for proxx here you go in case you haven't seen this. http://imgs.xkcd.com/comics/password_strength.png
« Last Edit: October 23, 2013, 07:49:21 pm by phunkpwnz »

Offline vezzy

  • Royal Highness
  • ****
  • Posts: 771
  • Cookies: 172
Re: Thoughts on Presentation topic of Passwords
« Reply #6 on: October 23, 2013, 08:19:58 pm »
For fuck's sake, I hate that comic so much.

For some reason everyone thinks it's gospel and it is posted incessantly.

The algorithm devised in the comic, while having a generally higher information entropy, on the flip side has a lower Kolmogorov complexity. That is to say, it is easily describable: combine four dictionary words together. Any semi-competent cracker who has a hunch that you're using this pattern will take it into account and generate a respective procedure to accommodate for this. Most hash cracking software nowadays allows for wordlist mangling rules, or one can use a dedicated program and even just plain old sed and Perl one-liners if they so choose.

Of course, it will be safer against dumb bruteforce and character exhaustion, but such a vector is rarely used in the first place anyway for obvious reasons. As with any other technique, human stupidity will take its toll: people will use certain combinations and permutations thereof more than other ones. These can be narrowed down through character profiling, information gathering, social engineering, Markov modeling, statistical frequency and so on, if one is dedicated enough.

You're not smart, interesting or funny by posting xkcd comics.
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet
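The reply's point about describability and skewed word choice, as an added example (mine, not vezzy's): the same passphrase scored three ways. A length-only checker treats it as random characters; a guesser who knows the "four words from a list" pattern faces only log2(W^N) work; and when users favour some words over others, the Shannon entropy of their actual choices is lower still. The 2048-word list size, the eight-word sample list and the skew weights are constructed assumptions. The generator at the end is the defender's side of the same arithmetic: picking words uniformly with a CSPRNG is what keeps the full log2(W) per word.

```python
import math
import secrets

# Constructed sample wordlist for the demo (an assumption; real diceware-style
# lists run to thousands of words).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "apple", "river",
                "window", "candle"]


def naive_bits(passphrase, charset_size=26):
    """What a length-only strength meter reports: every character treated as
    an independent draw from the alphabet. Misleading for a word-based phrase."""
    return len(passphrase) * math.log2(charset_size)


def pattern_bits(n_words, wordlist_size):
    """Work for a guesser who knows the pattern 'N words from a list of size W'
    and enumerates all combinations: log2(W ** N)."""
    return n_words * math.log2(wordlist_size)


def skewed_bits(n_words, word_weights):
    """Shannon entropy per word, times the word count, when users do not pick
    words uniformly. word_weights maps word -> relative frequency of choice."""
    total = sum(word_weights.values())
    per_word = -sum((w / total) * math.log2(w / total)
                    for w in word_weights.values() if w > 0)
    return n_words * per_word


def generate_passphrase(wordlist, n_words, sep="-"):
    """Uniform selection with a CSPRNG; each word contributes log2(len(wordlist))
    bits, which is exactly the pattern_bits figure and no more."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    phrase = "correcthorsebatterystaple"
    print(f"naive (25 lowercase chars):     {naive_bits(phrase):6.1f} bits")
    # Assumed 2048-word list for a pattern-aware guesser.
    print(f"known pattern, 4 x 2048 words:  {pattern_bits(4, 2048):6.1f} bits")
    # Constructed skew on a 4-word list: one word chosen half the time, one a
    # quarter, two an eighth each, versus a uniform pick from the same 4.
    weights = {"correct": 4, "horse": 2, "battery": 1, "staple": 1}
    print(f"skewed choice, 4 words from 4:  {skewed_bits(4, weights):6.2f} bits"
          f"  (uniform would be {pattern_bits(4, 4):.2f})")
    print("generated:", generate_passphrase(SAMPLE_WORDS, 4))
```

The first two numbers are the gap the reply describes: roughly 117 bits by the naive count against 44 bits once the pattern is known. The third shows why the 44 is itself an upper bound; any predictability in which words people actually choose lowers it further, which is the argument for generating passphrases rather than letting users compose them.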

Offline phunkpwnz

  • /dev/null
  • *
  • Posts: 13
  • Cookies: -1
Re: Thoughts on Presentation topic of Passwords
« Reply #7 on: October 23, 2013, 08:51:31 pm »
Didn't know your personal feelings. So it's noted I take a comic for what it is a vague commentary on life. For sure you are right in what you described but I was just using the xkcd comic to shed light on the balance between a perfect policy and the human factor that you always need to consider and maybe weaken your policy for. I guess you consider it low brow humour and I apologize.

Also thanks for the added info via psych analyzing.

EDIT: Just giving an update: the presentation went well, everyone enjoyed it, and luckily for me I was able to connect my presentation with the Adobe leak of passwords, so everything explained itself wonderfully. We discussed bad implementation of secure protocol basically via Adobe. All in all I would like to say thanks to everyone who posted, it got me in the right mindset to discuss a topic I've only just started to truly grasp.

So thanks again.

Staff Note: If you don't find the modify button to your liking you can file a complaint here: http://www.consumercomplaintagency.org/
« Last Edit: November 18, 2013, 09:06:32 am by lucid »