Password Security Policies - Lessons Learned from Recent Password Leaks
Brian Sutton, Flavio de Cristofaro
OWASP AppSec Latam 2012
Date published
owasp password leak passwordcracking

Yahoo, eHarmony and LinkedIn are some of the popular websites whose
credentials databases, each containing millions of password hashes, were
recently exposed to the general public.
Our research team analyzed both technical and human factors that affect
password strength and resistance to cracking. From a technical point of
view, the most significant flaw was the use of naïve functions for
password storage. On the human side of the equation, people define and
use passwords following patterns which also reduce the effectiveness of
protection mechanisms affecting the security of a system.
Throughout this talk we’ll describe and analyze the security protections
applied to the leaked passwords. We’ll also present metrics showing why
these protections were insufficient, and present generally accepted
mechanisms for storing passwords. We’ll be closing the talk discussing
how we took advantage of the flaws mentioned above to crack 90% of one
of these leaks in record time.