Building and Breaking Password Reset Mechanisms
It happens to everyone, you forgot your password. Now you need to get back into your account and prove you are who you say, but without using your password as proof. How, then, can that be done securely? More interestingly, how can it be done insecurely? This talk will dissect a number of security vulnerabilities found in real-world password reset mechanisms, and discuss how password reset mechanisms should be built.
Speaker: Dan Crowley
Daniel Crowley is a Senior Security Engineer and Regional Research Director for NCC Group Austin, tasked with finding and exploiting flaws in everything from Web applications and cryptosystems to ATMs, smart homes, and industrial control systems. He denies all allegations of unicorn smuggling and questions your character for even suggesting it. He has been working in information security since 2004. Daniel is TIME’s 2006 Person of the Year. He has developed and released various free security tools such as MCIR, a powerful Web application exploitation training and research platform, and FeatherDuster, an automated modular cryptanalysis tool. He does his own charcuterie and brews his own beer. He is a frequent speaker at conferences including Black Hat, DEFCON, Shmoocon, Chaos Communications Camp, and SOURCE. Daniel can open a door lock with his computer but still can’t launch ICBMs by whistling into a phone. He has been interviewed by various print and television media including Forbes, CNN, and the Wall Street Journal. He holds the noble title of Baron in the micronation of Sealand. His work has been included in books and college courses.
Food: Taco Deli. Arriving at 11:30 AM gives you time to get some food and find a seat. We try to start the meeting around 11:50 AM.