Tuesday, January 10, 2012


(Picture is (C) KluZz - aka my friend/colleague Jan Fredrik Leversund)
I have received many questions about the first two Passwords^XX conferences that I arranged in cooperation with professor Tor Helleseth at the university here in Bergen, Norway. The most frequent question after Passwords^11 in June 2011 is of course "when and where will the next conference be?". So here is some preliminary information from me, as well as a quest for sponsors for doing the conference somewhere in the US as well! :-)

1. FREE, as in FREE
I want the conference to be open for anyone to participate (limited seats though), and FREE to attend. At least as free as possible. No, I'm not interested in making any money off it. Attendees will eventually have to pay for food and their own drinks in the evening of course.

I want to learn something, and I sure hope the audience wants the same. The best way to do it in my opinion: a mix of people from public, private and academic sectors. Public as police, military, not for profit organisations (ISC)2, ASIS, ISACA etc, private as in commercial companies or single persons, and academics (professors and perhaps PhDs... :-))

Sure. But I won't give you time to talk during the conference, unless to solve problems without selling your own products. Food, drinks, facilities, pamphlets, parties, whatever. Bring it. What do I need sponsors for? Well, first and foremost to pay travel and accommodation for selected speakers. At Passwords^10 and Passwords^11 we had speakers that came on their own, with no commercial support backing them. Travelling halfway around the world to speak about passwords, they deserve some help getting there. Each of the two previous conferences had budgets <= USD 9000,-, so it's not that much of a big deal I think.

This is, was, and will be a conference focusing on passwords and PIN codes only. Period. No biometrics, 2-factor authentication or any other solutions. Why? Because we won't get rid of passwords or PIN codes any time soon. Better make the best of it - I believe a lot can still be done to improve the situation.

Yes, I will of course do a call for papers. That said, let me give you a few ideas on who I would like to have there as a speaker, and why (in no particular order):

I would love to have Cormac Herley from Microsoft Research there. He can bring his co-authors as well, I think I could spend a full day without breaks listening to them presenting their published papers. If Frank Stajano has any updates for PICO, or if he has been looking more into security usability, I'd like to hear about it. Oh, and on the topic of security usability, I would like to listen to Markus Jakobsson from PayPal as well. More suggestions for speakers from the academic world are of course most welcome. Oh; and if anybody knows Bruce Schneier: Yes, I'll accept any talk on passwords from him - preferably with the phrase "security theater" somewhere in the headline.

Passware and Elcomsoft scared us all at the previous conferences. I'd like to invite them back again for updates and live demonstrations, eventually also bringing in Oxygen Software to show us forensics of smart phones. (People still get amazed when I talk about iOS forensic toolkit and what kind of information you can get access to, or the FireWire attacks from Passware....). Focusing on smart phone/pad security, these guys should be able to give us a fun show to watch - and a few ideas for our next audits of corporate ActiveSync policies.

We would have to invite back quelrods, or James Nobis if you like. He knows his stuff on rainbowtables. Eventually also Sc00bz and Powerblade from the Freerainbowtables project to present on the latest developments there. That project continues to prove that you need to salt your passwords, period.

As for password crackers, atom would be an obvious speaker, presenting .. anything... about hashcat. In fact I would like to hear lots of stuff about it, and by bringing in Solar Designer from Openwall or some of the hard-core guys from the JtR mailing list on advanced rule creation with JtR/hashcat, we're talking serious stuff. A presentation from Bitweasil at Cryptohaze would of course be of interest as well, while Michail could eventually give us some interesting perspectives from a completely different side of our world. Not to forget we should have Matt Weir (@lakiw) talk a little about NIST SP800-63 and his PhD work. And in the second corner: Norbert Schmitz (@nidshce) from Germany, who has plans for improving the attacks as outlined by Matt in his work.

We should also look at all the statistics we've got, based on the ever-increasing number of leaks found all over the Internet. I presume Martin Bos (@purehate_) and Troy Hunt would have both statistics and opinions to share. :-)

Remembering Howard Smith from Oracle UK, and his suggestion for a panel discussion at Passwords^10 (which we did do, right there and then), if somebody knows a lawyer who can present on the legal side of downloading, cracking, distributing, PIPAL'ing and commenting on leaked passwords - I'd love that.

I would also like to see somebody talk about the usability aspects of passwords and PINs. How do we assign them, side-channel transfers of username/pass/url/system name, password resets, service account management, why the annoying asterisks when I type my password (Good article at darkreading here).

Hey; Microsoft could present on "picture password" in Windows 8! (I guess they will still be using NTLM though... *doh!*), while somebody else could talk on PBKDF2, bcrypt and scrypt. Or perhaps Joan Daemen would like to update us on the status of SHA-3?

Last but not least - any chance we could try to work out some "best practices" that we - as "password experts" - can agree on, and pass on to all those who need it?

I guess the above would easily cover 2 full days, right? :-)

Comments are most welcome. Feel free to contact me by e-mail for personal inquiries.


  1. The CrackMeIfYouCan team will be there.


  2. Exciting! Hopefully I'll be able to be there.

  3. Thx Minga! :-)

    Second thoughts, there are many more that I would like to have present at Passwords^12 of course:

    We need Hernan Ochoa (@hernano) to talk about pass-the-hash and pass-the-ticket attacks on Windows platforms. We need - somebody? - to talk about "how to configure popular web software XYZ to utilize strong hashing algorithms, instead of lousy defaults".

    If somebody could create a list of popular/mainstream software that currently DOES NOT support 1) long passwords (say len32+), 2) good hashing algorithms (no salting, pbkdf2 or whatever), I would really appreciate it. Essentially that would be a list of "not recommended if you want to avoid embarrassment, Anonymous, Lulz, leaks and complete pwning".

  4. Here's a list of sites that don't hash their passwords: plaintextoffenders.com

    Then there's the funny hashes like MySQL323 and battle.net's XSHA1.

