Tuesday, July 28, 2009

Defcon 17

Just packing everything up and getting ready to head to Vegas. I'll be closing out the conference 4PM Sunday with my talk:

Cracking 400,000 Passwords, or How to Explain to Your Roommate Why the Power Bill is a Little High
Remember when phpbb.com was hacked in January and over 300,000 usernames and passwords were disclosed? Don't worry though, the hacker only tried to crack a third of them (dealing with big password lists is a pain), and of those he/she only broke 24%. Of course, the cracked passwords weren't very surprising. Yes, we already know people use "password123". What's interesting though is figuring out what the other 76% of the users were doing. In this talk I'll discuss some of my experiences cracking passwords, from dealing with large password lists (95% of the phpbb.com list cracked so far), salted lists (Web Hosting Talk), and individual passwords (TrueCrypt is a pain). I'll also be releasing the tools and scripts I've developed along the way.
The talk itself is going to mostly focus on what these attacks mean to the defender and some of the different optimizations an attacker can use to increase their chances of cracking passwords given limited resources. Hopefully it should be a fairly fun talk. A preview copy of my slide deck can be found here.

2 comments:

CG said...

Do you always close out the cons? Didn't you close out Shmoocon as well?

Matt Weir said...

Naw, my Shmoocon talk was at 10:00am on a Sunday morning. This timeslot was much less painful ;)