KoreLogic Blog
ShmooCon Epilogue Prologue: PathWell 2014-01-09 15:14

On January 20, I will be giving a talk at ShmooCon Epilogue on PathWell, a project we did last summer. Epilogue is a great event and is much easier to get tickets for than ShmooCon, and I highly recommend it. (And I said that before they accepted my talk ;)

Over the past couple of years, we - mostly my coworker Rick Redman (Minga) - have given many talks about how enterprise password strength enforcement rules, as currently implemented, are broken and harmful. They make enterprise passwords easy to crack. The only thing worse than having them is not having them.

PathWell ("Password Topology Histogram Wear-Leveling") introduces a new dimension for measuring and enforcing enterprise password strength that attempts to take away from the attacker the advantages that they currently have when cracking (or even just flat-out guessing blindly) an enterprise's passwords.

My Epilogue talk will be recorded, and we will be publishing slides, white papers, etc.

But, in the first 15 minutes of my talk I try to fly over the ground that Rick has covered in multiple hour-long talks. If you are interested in the topic of password cracking as an attacker, or in the topic of my talk - how enterprises can defend themselves better - then you should watch one of his past talks first, such as "Why Your Password Policy Sucks" at Passwords13 or "Exploiting Password Policy Weaknesses" at DerbyCon 3.

PathWell takes the techniques that have been the most successful for attackers in the last few years, and turns them around to become new ways to enforce password strength, making passwords several orders of magnitude harder to crack for a given password length and hash type. More at/after my talk :)
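As an added illustration of the topology-histogram idea (example code, not KoreLogic's PathWell implementation): a password's topology is assumed here to be its hashcat-style mask (?u upper, ?l lower, ?d digit, ?s anything else), the sample passwords are constructed, and the per-topology cap is an assumed policy, not PathWell's actual rule.

```python
# Added example (not KoreLogic's PathWell code): derive password topologies,
# build the histogram, and apply a simple wear-leveling rule. The mask notation
# (?u/?l/?d/?s) and the per-topology cap are assumptions for illustration.
from collections import Counter

def topology(password: str) -> str:
    """Replace each character with its class: 'Summer13' -> '?u?l?l?l?l?l?d?d'."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("?u")
        elif ch.islower():
            classes.append("?l")
        elif ch.isdigit():
            classes.append("?d")
        else:
            classes.append("?s")
    return "".join(classes)

def topology_histogram(passwords) -> Counter:
    """Count how many passwords share each topology."""
    return Counter(topology(p) for p in passwords)

def top_k_coverage(hist: Counter, total: int, k: int) -> float:
    """Fraction of passwords covered by guessing only the k most common topologies."""
    if total == 0:
        return 0.0
    return sum(count for _, count in hist.most_common(k)) / total

def is_topology_allowed(candidate: str, hist: Counter, total: int,
                        max_share: float) -> bool:
    """Wear-leveling rule (assumed policy): reject a new password whose topology
    already holds max_share or more of the existing population."""
    if total == 0:
        return True
    return hist[topology(candidate)] / total < max_share

# Constructed sample population; five of ten share "Capitalized word + 2 digits".
SAMPLE_PASSWORDS = [
    "Summer13", "Winter14", "Autumn09", "Spring99", "Monday01",
    "Friday!1", "P@ssw0rd", "jan2014!", "Hello2014", "Tr0ub4dor&3",
]

if __name__ == "__main__":
    hist = topology_histogram(SAMPLE_PASSWORDS)
    n = len(SAMPLE_PASSWORDS)
    print("most common:", hist.most_common(1), "top-1 coverage:", top_k_coverage(hist, n, 1))
    print("August15:", is_topology_allowed("August15", hist, n, 0.2),
          "august!!15:", is_topology_allowed("august!!15", hist, n, 0.2))
```

With the constructed sample, a single topology covers half the population, which is exactly the concentration a histogram-based policy is meant to flatten.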


Posted by Hank at 15:14