Identity and security - learning from data
Charl Van Der Walt
Ensuring Confidentiality, Integrity and Availability is the core purpose of Information Security. All of these depend in one way or another on establishing and confirming the identity of a person who could be anywhere in the world, on any computer, and who often needs immediate access to dozens of systems containing sensitive and valuable information.
In today’s most prevalent paradigms, identity is confirmed by means of a password, and in most cases, identities and passwords are managed using Microsoft’s Active Directory platform.
In this presentation, we describe and analyse data we collected from millions of cracked passwords obtained during attack and penetration tests performed against dozens of corporate customers worldwide. We use this data to examine how relevant passwords and corporate password policies are in light of contemporary attack methodologies, and consider what that means for the future of corporate IT security!