After-action report: learning from the mistakes we've made with passwords

Cormac Herley
DFP Classroom - FSC 2300

I'll review a decade's worth of research on passwords and authentication, highlighting areas where accepted wisdom turned out to be spectacularly wrong. It turns out that the ways we've been measuring password strength are flawed, and the ways we recommend to achieve it don't work. Strength doesn't make much of a difference anyway, and forcing people to change passwords does as much harm as good. Password re-use, far from being a shameful manifestation of user failing, is an all-but essential tool in allocating effort as portfolio size grows. And so on.

Rather than waste a good crisis I'll try to figure out why we've been so wrong so often, and why errors take so long to discover. Is there a pattern to these mistakes? What else have we got wrong? I suggest there is a problem with the way we reason about security problems, and suggest what we need to avoid and detect errors like these in the future.

Event directions

Once you are inside the Forestry Science building walk to the rear (south-east) of the building by passing through the large open study area and up the stairs to the 2nd level student (“treetop”) lounge area. Turn left, pass through the double doors, and room 2300 will be immediately to your right.