Proactive Password Leak Processing
Talk Abstract: The average Internet user reuses the same password across multiple sites more often than we would like, and the result has increasingly been account compromises that cause headaches both for the user and for the sites they visit. Most organizations have limited options to prevent password reuse altogether, but they can take advantage of the same data attackers use: password leaks.
Large companies (like Microsoft, Google, Facebook, and Yahoo!) have started proactively searching for the passwords leaked by other sites and then finding matches within their own user populations. They can then force a password change or require supplemental authentication to make certain the legitimate user keeps control of their account. This presentation discusses what exactly is involved in processing this ill-gotten data, as well as whether it makes sense for your organization to integrate this into your information security program. This page was created as a reference to my PasswordsCon 16/BSidesLV 2016 talk, Proactive Password Leak Processing. Here is a link to my presentation slides (PDF). Here's the video of my session:
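The matching step the abstract describes (take a third-party leak, find which of your own users currently use a leaked password, and flag them for a forced reset or step-up authentication) is shown below as an added example; it is not code from the talk, the slides, or any of the companies named. It assumes the leak arrives as `email:password` lines with cleartext passwords, that local accounts store PBKDF2-HMAC-SHA256 hashes with per-user salts, and that the sample users and leak lines are constructed for the example. Because local hashes are salted per user, each leaked candidate must be re-hashed with that user's salt and compared in constant time; the cleartext itself is never stored, only the verdict.

```python
"""Match credentials from a third-party leak against a local user store.

Added example (not from the talk or its slides). Assumptions: the leak is
"email:password" lines with cleartext passwords; local accounts hold
PBKDF2-HMAC-SHA256 hashes with per-user salts; a match means "force a reset
or step-up auth", never "log the password".
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumption for the example; tune for real deployments


@dataclass(frozen=True)
class LocalUser:
    email: str
    salt: bytes
    pw_hash: bytes


def normalize_email(raw: str) -> str:
    """Canonicalise an address so leak and local records compare equally."""
    return raw.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str) -> LocalUser:
    """Create a local account record with a fresh random salt."""
    salt = os.urandom(16)
    return LocalUser(normalize_email(email), salt, hash_password(password, salt))


def parse_leak_line(line: str):
    """Return (email, password) or None for lines that cannot be used.

    Only the first ':' splits the record, because passwords may contain ':'.
    Lines with no separator or an empty field are skipped: without a cleartext
    candidate you cannot recompute your own salted hash.
    """
    line = line.rstrip("\r\n")
    if ":" not in line:
        return None
    email, password = line.split(":", 1)
    if not email or not password:
        return None
    return normalize_email(email), password


def find_reused_passwords(leak_lines, users_by_email):
    """Return the set of local emails whose current password appears in the leak.

    Each candidate is hashed with the *local* user's salt and compared in
    constant time, so the leak's own (possibly unsalted) hashes are irrelevant.
    """
    flagged = set()
    for line in leak_lines:
        rec = parse_leak_line(line)
        if rec is None:
            continue
        email, candidate = rec
        user = users_by_email.get(email)
        if user is None:
            continue  # leaked account does not exist here
        if hmac.compare_digest(hash_password(candidate, user.salt), user.pw_hash):
            flagged.add(email)
    return flagged


# Constructed sample data for the example (not real user or leak records).
USERS = {u.email: u for u in [
    make_user("Alice@Example.com", "correct horse battery staple"),
    make_user("bob@example.com", "hunter2"),
    make_user("carol@example.com", "p@ss:with:colons"),
]}

CONSTRUCTED_LEAK = [
    "alice@example.com:correct horse battery staple",     # reused here -> flag
    "BOB@example.com:hunter3",                            # different password -> no flag
    "carol@example.com:p@ss:with:colons",                 # colons in password -> still matches
    "dave@example.com:whatever",                          # not a local user -> ignore
    "erin@example.com:5f4dcc3b5aa765d61d8327deb882cf99",  # leaked as a hash; unusable here
    "garbage line with no separator",                     # skipped by the parser
]


def demo():
    return find_reused_passwords(CONSTRUCTED_LEAK, USERS)


if __name__ == "__main__":
    for email in sorted(demo()):
        print(f"force password change / step-up auth: {email}")
```

The lookup is a dictionary hit per leak line, so cost is dominated by one slow hash per line that names a local user. The caveat a practitioner runs into immediately: many leaks contain only hashes, and an unsalted MD5 from another site cannot be compared against your salted store; you either obtain cracked cleartext from the leak or treat those records as unusable, as the `erin@example.com` line is here.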