Rethinking Password Strength Beyond Brute-force Entropy

Explore the complexities of password security in this 32-minute conference talk from BSidesLV 2017. Delve into the limitations of traditional password strength metrics, examining why entropy calculations and brute-force resistance alone are insufficient. Investigate the impact of password rotation policies, the fallacy of relying solely on length, and the importance of considering human behavior in password creation. Learn about alternative approaches to measuring password strength, including the diceware method, and gain insights into creating more effective security policies. Discover why common practices like using usernames as passwords pose significant risks, and understand how to better educate users on secure password practices.

Intro
Why Do I Password?
Entropy of Password Lists
I hate rotating passwords!
Long Passwords Won't Save You
Alice Teaches Bob About Security
Bad Passwords, Usernames
Measuring Entropy
What was that diceware thing?