Saturday, June 07, 2014

Password Cracking

Doing a little bit of work-related reading today, I learned a few things about passwords from a 2013 DerbyCon presentation:

Password rotation introduces password vulnerabilities (I actually already knew this and have complained about it at various jobs, but what can you do?)

*Users will invent ways to remember their password
**90-day rotation: seasonal passwords
**30-day rotation: month-based passwords
***Users will reuse the same root word for future passwords and only change the numbers and special characters

Keyboard patterns, e.g. qwe123, are easily defeated by Hashcat

Special rules required?

*There is an order to which letters, numbers and special characters people will use
*There is an order to where they will place specific characters
**These patterns are universal
***The exclamation point is the most commonly used special character
***Capital letters are almost always the first letter in a password
***If the rules require a special character and a digit, the special character and the digit will be at the end

Simple stuff, but with the tools and hardware available now it is almost trivial to compromise a password that follows these patterns.
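The flip side of these patterns is that they are just as easy for a defender to spot at password-change time as they are for a cracking rig to guess. The script below is an added example (my own, not from the talk or its slides) that checks a candidate password for exactly the habits listed above: the same root word as the previous password with only digits and specials changed, a season or month name as the root, a run of adjacent keyboard keys, and the capital-first-letter-then-suffix layout. The function names and the sample passwords are my own constructions; the keyboard rows are the standard US layout.

```python
import re
from typing import List, Optional

# Calendar words that users fall back on under 90-day and 30-day rotation.
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Physical keyboard rows (US layout). Any run of three or more adjacent keys,
# in either direction, counts as a keyboard pattern such as "qwe123".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def root_word(password: str) -> str:
    """Alphabetic 'root' of a password: every non-letter is dropped."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_rotation_of(new: str, previous: str) -> bool:
    """True when the new password keeps the old root and only swaps digits/specials."""
    root = root_word(new)
    return bool(root) and root == root_word(previous)


def has_calendar_root(password: str) -> bool:
    """True when the root contains a season or month name."""
    root = root_word(password)
    return any(word in root for word in SEASONS + MONTHS)


def has_keyboard_run(password: str, min_len: int = 3) -> bool:
    """True when the password contains min_len adjacent keys from one keyboard row."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            segment = row[start:start + min_len]
            if segment in lowered or segment[::-1] in lowered:
                return True
    return False


def has_predictable_layout(password: str) -> bool:
    """True for the shape described in the talk: one capital first letter,
    a lowercase root, then all digits and special characters at the end."""
    return re.fullmatch(r"[A-Z][a-z]+[0-9!@#$%^&*]+", password) is not None


def assess(password: str, previous: Optional[str] = None) -> List[str]:
    """Return the predictable-pattern findings for a candidate password.
    An empty list means none of the patterns above were detected."""
    findings: List[str] = []
    if previous is not None and is_rotation_of(password, previous):
        findings.append("same root word as the previous password")
    if has_calendar_root(password):
        findings.append("season or month name as the root word")
    if has_keyboard_run(password):
        findings.append("keyboard pattern")
    if has_predictable_layout(password):
        findings.append("capital first letter with digits/specials at the end")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = (("Summer2014!", "Summer2013!"),
               ("qwe123", None),
               ("correct horse battery staple", None))
    for candidate, prior in samples:
        print(f"{candidate!r}: {assess(candidate, prior) or ['no patterns found']}")
```

A check like this belongs in the password-change hook, where the previous password (or its root) is still available for comparison; comparing roots is the one place where keeping a hash of the old password alone is not enough, since the root has to be derived from the plaintext at change time. It is a complement to, not a replacement for, a breached-password blocklist.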

(Note: I am claiming no special expertise in password cracking, just remarking on what I was reading and viewing.)
