Hello. All right, so my name is Kyle Rankin, and I'm the Chief Security Officer at Purism. So this is a five-minute lightning talk based on a 50-minute presentation that's based on a chapter in a book I wrote called Linux Hardening in Hostile Networks. I usually do slides one bullet point at a time, but you can't do that in upscale. So wall of text, get ready. It's going to be really great. But you can see the proper presentation that's 36 slides at that URL.

So computers didn't always have passwords, it turns out. We think of them as a good thing, but it turns out some people thought of them as a bad thing. Richard Stallman, in particular, saw passwords as a means of control. So we know of him for a lot of contributions, but a lot of people don't know that he's a password cracker. So he joined the MIT labs. They didn't have passwords. He was cool with that. The admin put in passwords, and he started cracking them and then going to users and saying, hey, by the way, I know that your password is mumble. Why don't you do what I do and just hit Enter? It's a lot faster that way. And so yeah. So then we had passwords, right? But the thing is most computers supported at most a character. Some of them mixed uppercase and lowercase. So what you got were single words, really easy to guess. Popular passwords were things like love, sex, secret, and of course, God. And even more so, password, because that's a great password, as we all know. So if you wanted to hack someone, what you would do is just go through the dictionary, try them all, and you would find the password. If that's too slow, you know a little bit about the person. You make guesses. And that's how everyone got hacked in movies. So if you wanted to hack the WOPR, you would pick Joshua. If you wanted to hack the Gibson, you'd pick God. So with things like John the Ripper, you could automate this. So IT policy started clamping down with Active Directory and allowing you to set policy.
So for example, you'd have a policy that says, you must have at least one uppercase letter. So what did people do? Well, they did this because you would have 19 billion combinations, which sounds like a lot. It's impossible. Atoms in the universe, right? Well, so people would just uppercase the first letter. So you'd have Qwerty, Secret, Password. And the attackers are like, huh, I'm just going to uppercase the letters too. So then they say, well, we're going to be smart. We're going to have you have at least two numbers in addition to the uppercase letter, because that's 57 billion combinations. Impossible to crack. Again, atoms in the universe. So everyone just put two numbers at the end. And the attackers said, OK, that's cool. I can just put two numbers at the end of my dictionaries. So then they said, well, OK, that's fine. Stupid users, not following our rules. We're just going to require a symbol too, because that's 782 billion combinations. Again, impossible. No way to do this. So what everyone did was they started adding bangs to the end, which I like to call a password mullet. You know, you have uppercase in the front and all of the numbers and symbols at the back.

So then IT people said, well, I'll be really clever. I'm going to take a dictionary word and apply leet speak to it, because then I can remember it. And so if you have password, you change the a's into fours and things like that. If you want to be fancy, you do an ampersand instead of an a. And you get a password that we used for an admin password at a previous job. The problem is hackers know leet speak too. I don't know if you knew that. So then they said, I know what we'll do. We'll rotate passwords. And so they say every three months we'll rotate them. So what the users did was they picked password1, then they picked password2!, then password3!. The attackers guessed your first password, and from then on they knew every other password you would ever pick.
So then IT spent all of their time every three months dealing with account lockouts and resetting passwords. All the users who picked a really hard password would get frustrated because it would be reset, and it basically never worked. So then we had xkcd's "correct horse battery staple," and we started doing long passphrases. And so right now I would say, what's a good password? I would say, OK, fine. At the very least, a 12-character minimum, no rotation and no complexity. That's 95 quadrillion combinations, by the way. That's better than the 7.2 quadrillion that you have in an 8-character complicated password. No rotation means users are going to pick longer and more complex passwords because they can remember them, and then muscle memory. But you don't have to believe me, because what do I know? NIST even thinks this is a good idea now, after decades of bad policy. So you can take a picture of that slide now, and you should take it to your IT department.

So what's a good password? One that you can't remember. So I'd say very long, 20-plus characters, truly random, complex, and a new password for every account. That's impossible. So use a password manager so you don't have to do that. The problem is you do have to remember a couple of passwords, for your password manager and for disk encryption. So use a password database, like KeePassX or something like that, and then that makes it a little bit easier.

So the conclusion: you can do strong authentication today, but InfoSec can't decide what that looks like. Everyone disagrees on what a good password is and what good auth is. The other thing is attackers have always paid attention to users and user behavior, but defenders never really have. They just sort of push down policy. So defenders need to change that. Researchers need to focus less on movie threats and more on real life, how real users use policy. And in general, stop blaming users for their problems. The end.
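As an added illustration of the talk's argument (not code from the speaker or the slides), the script below reproduces the combination counts the talk quotes and contrasts them with the keyspace a defender should actually credit when users follow the "password mullet" pattern. It assumes the talk's early counts come from 6-character passwords (52^6, 62^6, 96^6) and the later ones from 26^12 and 96^8; the wordlist and the leet map are constructed toy values.

```python
import math
import re

# Character-class sizes. Assumption: the talk's counts are 52**6, 62**6, 96**6
# (one uppercase, plus digits, plus symbols) and 26**12 versus 96**8.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 34

# Constructed toy wordlist standing in for the dictionaries the talk mentions.
WORDLIST = {"password", "secret", "love", "sex", "god", "qwerty",
            "correct", "horse", "battery", "staple"}
LEET = str.maketrans("4301!$@7", "aeolisat")  # undo common leet substitutions
MULLET = re.compile(r"(.*?)(\d{0,4})([^A-Za-z0-9]{0,3})")  # word + digits + symbols


def theoretical_keyspace(length: int, classes: int) -> int:
    """Keyspace a policy advertises when every position may be any allowed character."""
    return classes ** length


def split_mullet(password: str):
    """Split 'P4ssw0rd12!' into ('password', '12', '!') after undoing leet and case."""
    word, digits, symbols = MULLET.fullmatch(password).groups()
    return word.lower().translate(LEET), digits, symbols


def effective_bits(password: str, wordlist=WORDLIST) -> float:
    """log2 of the space a guesser who knows the mullet pattern has to cover.
    A dictionary base word collapses it to |wordlist| * 10^digits * 34^symbols;
    anything else is credited with brute force over the classes actually used."""
    word, digits, symbols = split_mullet(password)
    if word in wordlist:
        return math.log2(len(wordlist) * DIGITS ** len(digits) * SYMBOLS ** len(symbols))
    classes = sum(size for pattern, size in ((r"[a-z]", LOWER), (r"[A-Z]", UPPER),
                                             (r"\d", DIGITS), (r"[^A-Za-z0-9]", SYMBOLS))
                  if re.search(pattern, password))
    return len(password) * math.log2(max(classes, 1))


def check_policy(password: str, wordlist=WORDLIST):
    """The talk's recommended policy: 12-character minimum, no complexity rules,
    plus rejecting a dictionary word dressed up with predictable decoration."""
    if len(password) < 12:
        return False, "shorter than 12 characters"
    if split_mullet(password)[0] in wordlist:
        return False, "dictionary word with predictable decoration"
    return True, "ok"
```

A real strength estimator would also split passphrases into words; this one is only meant to show how far the advertised keyspace and the effective one diverge.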