
October 13, 2016: Invited Speaker Seminar: An Administrator's Guide to Password Policy in 2016

Mr. Dan Wheeler
Dropbox Inc.

Thursday, October 13, 2016 at 4:00 pm
Room EV001.162

Abstract

For decades, password policy has mostly consisted of ad hoc rules based on character class counts: how many uppercase letters, numbers and symbols?  This practice is not only burdensome and ineffective, but inconsistently implemented: no two sites can agree on which set of ad hoc rules to enforce, creating confusion and a sizeable usability headache for everyday internet users.

How can administrators do better?  Starting with a threat model discussion, we'll explore the options around implementing policies that are friendlier to users, accurate against today's best guessing attacks, and crucially, no harder than these ad hoc rules to implement.  Our discussion will put to use two client-side password strength estimators: zxcvbn from Dropbox, and a new approach from CMU that employs recurrent neural networks.  We'll also dive into the internals of zxcvbn and compare its estimations to four modern guessing attacks.
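The contrast the abstract draws, a character-class rule next to a guess-count estimate, as an added example written for this page (it is not zxcvbn's code nor anything from Dropbox or CMU). The ranked word list, the l33t table, the per-variation multipliers and the 10^10 acceptance threshold are all constructed for illustration; a real estimator ships far larger dictionaries and matches many more pattern types (dates, keyboard walks, repeats, word sequences).

```python
import re

# Constructed data: a tiny frequency-ranked list of common passwords standing in
# for the large ranked dictionaries a real estimator ships with.
COMMON = ["password", "123456", "qwerty", "letmein", "welcome", "dropbox", "monkey"]
RANK = {w: i + 1 for i, w in enumerate(COMMON)}

# Assumption: a small fixed table of l33t substitutions to undo before lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s"})

# A short run of digits/symbols at the end is the classic "make it pass the rule" suffix.
SUFFIX_RE = re.compile(r"^(.+?)([0-9!@#$%^&*]{1,4})$")

# Assumption: an illustrative bar for surviving offline guessing against a fast hash.
GUESS_THRESHOLD = 10 ** 10


def passes_composition_rule(pw, min_len=8):
    """The ad hoc policy: at least min_len characters and three of four character classes."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= min_len and classes >= 3


def estimate_guesses(pw):
    """Toy guess-count estimate in the spirit of zxcvbn (not its algorithm).

    Models an attacker who tries ranked common words first, with cheap
    variations (capitalisation, l33t swaps, a short suffix) each multiplying
    the guess count, and who falls back to exhaustive search only when no
    pattern matches.
    """
    core, suffix = pw, ""
    m = SUFFIX_RE.match(pw)
    if m:
        core, suffix = m.group(1), m.group(2)
    deleet = core.translate(LEET)
    word = deleet.lower()
    if word in RANK:
        guesses = RANK[word]
        if core != word:                       # capitalisation variant
            guesses *= 2
        swaps = sum(1 for a, b in zip(core, deleet) if a != b)
        guesses *= 2 ** swaps                  # each l33t substitution doubles the work
        guesses *= 20 ** len(suffix)           # ~20 plausible digits/symbols per suffix position
        return guesses
    # No pattern matched: exhaustive search over the character classes present.
    # This deliberately overestimates passphrases, which a real estimator would
    # also match word by word.
    charset = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                          (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            charset += size
    return charset ** len(pw)


def passes_guess_policy(pw):
    """Policy based on estimated guesses rather than character classes."""
    return estimate_guesses(pw) >= GUESS_THRESHOLD


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd!", "letmein", "floating tuba kettle"):
        print(f"{candidate!r:24} composition={passes_composition_rule(candidate)!s:5} "
              f"guesses={estimate_guesses(candidate):.2e} "
              f"guess-policy={passes_guess_policy(candidate)}")
```

Running it shows the mismatch the abstract describes: "Password1!" and "P@ssw0rd!" satisfy the class-count rule yet fall within a few hundred guesses of a ranked attack, while a plain lowercase passphrase fails the rule and is the only candidate the guess-based policy accepts. The guess-based check is no harder to deploy than the rule it replaces: both are a single client-side function call.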

Biography

Dan Wheeler joined Dropbox in 2010 as one of the first 12 engineers, and stayed six years, working as a generalist on web, server, internationalization, payments, and security projects.  He led the team that built two-factor authentication not long after Dropbox's breach of 68 million passwords in 2012, and continues to maintain the zxcvbn password strength estimator.

Contact

For additional information, please contact:

Dr. Mohammad Mannan
514-848-2424 ext. 8972
m.mannan@concordia.ca


© Concordia University