CactusCon, the largest annual hacker and security conference in Arizona, had over 1,200 registered attendees check in for its fifth event on Sept. 29 and 30.
The conference, held at the Phoenix Convention Center, was expected to draw in at least 800 attendees.
Talks and workshops were lined up throughout Friday and Saturday. On Friday, topics included online vulnerabilities and exploits, gift cards’ vulnerability to hacking and an introduction to the DumpsterFire toolset, among others. There were workshops on memory forensics and practical malware analysis.
Saturday lasted even longer into the day with talks on the ten commandments of physical security, e-commerce data breaches, and IoT security. There were workshops on web app vulnerabilities and pen testing.
Both days placed emphasis on helping cyber-professionals fill the many related jobs open in the Valley. CactusCon offered resume workshops, talks on the hiring process and networking opportunities.
Attendees were mostly adults employed in the IT sector, but some younger faces joined the crowds, too. On Saturday, children aged 8 to 17 attended CactusCon Kids workshops and learned about online privacy and careers in technology. Kids could also get hands-on experience with coding, lockpicking and soldering. One crowd member said volunteers were having a hard time getting the kids to take turns at the stations because they were enjoying themselves so much.
One of the highlights of the weekend was a presentation called “Sex, Secret and God: A Brief History of Bad Passwords,” given by Kyle Rankin, senior vice president of security and infrastructure at Zero.
Rankin told audiences that his presentation was intentionally aimed at a general audience and was much less technical than some others at the conference that were directed toward tech professionals.
He explained that the earliest computers didn’t have passwords: hackers at the time viewed passwords as a means of control and didn’t want system administrators to control users. But when passwords did arrive, they weren’t effective anyway. Almost everyone chose dictionary words, like the passwords for speakeasies, which were easy to crack, Rankin said. Certain words like love, sex, secret, God and password were used over and over again. People also chose words that meant something to them and were easy to guess, like children’s and pets’ names.
IT departments then began putting password policies in place to guard against these easy targets, forcing people to make passwords longer and add capital letters, numbers and symbols. But human nature showed through. Almost everyone made (and still makes) passwords that are a dictionary word beginning with a capital letter and ending with numbers and an exclamation point, which are also easy to crack once hackers know the pattern.
Rotating passwords isn’t effective either, Rankin said, because people reuse the same patterns, such as keeping the same word and increasing a trailing number by one each time. Constantly changing passwords also means IT departments spend a lot of time helping people who have been locked out of their accounts.
Rankin believes the best passwords are ones people can’t remember: truly random, complex and more than 20 characters long. That is why he recommends a password manager, so people don’t have to try to remember them at all. He also recommends extra layers of security, such as two-factor authentication via phones, biometrics and plug-in U2F hardware keys.
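To make the talk’s point concrete, here is a small added Python illustration (not code from Rankin’s talk or from the article) of why the “Word + digits + !” shape is weak and a manager-generated password is not. It assumes a 100,000-word cracking dictionary and a five-character set of trailing symbols; both numbers are constructed for the example, as are the sample passwords. The checker flags the policy-shaped pattern, estimates how many guesses it really costs an attacker who knows the pattern, and contrasts that with a uniformly random 20+ character password.

```python
import math
import re
import secrets
import string

# Constructed assumptions for this example (not figures from the talk):
# a cracking dictionary of 100,000 words, and the five words the talk names
# as perennial favourites.
DICTIONARY_SIZE = 100_000
PERENNIAL_WORDS = {"love", "sex", "secret", "god", "password"}
TRAILING_SYMBOLS = "!@#$%"  # assumed set of "policy-pleasing" trailing symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars

# Capitalised word, 1-4 digits, optional trailing symbol: the shape the talk
# says almost everyone produces once a complexity policy is enforced.
POLICY_PATTERN = re.compile(
    r"^([A-Z][a-z]{2,})(\d{1,4})([" + re.escape(TRAILING_SYMBOLS) + r"]?)$"
)


def pattern_bits(password, dictionary_size=DICTIONARY_SIZE):
    """Effective guessing work, in bits, for a password that follows the
    Word+digits+symbol pattern, or None if the password does not fit it.

    An attacker who knows the pattern only has to try every dictionary word,
    every digit block of that length, and each symbol (or none), so the
    search space is the product of those three counts, not 94**len(password)."""
    match = POLICY_PATTERN.match(password)
    if not match:
        return None
    _word, digits, _symbol = match.groups()
    guesses = dictionary_size * 10 ** len(digits) * (len(TRAILING_SYMBOLS) + 1)
    return math.log2(guesses)


def random_bits(length, alphabet_size=len(PRINTABLE)):
    """Guessing work for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def generate_password(length=24):
    """A manager-style password: truly random printable characters, 20+ long."""
    if length < 20:
        raise ValueError("the talk recommends more than 20 characters")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def evaluate(password):
    """Return a (verdict, bits) pair a password checker could act on.

    For passwords that match no known pattern the bit count is only an
    upper bound: it assumes the characters were chosen uniformly at random."""
    if password.lower() in PERENNIAL_WORDS:
        return ("perennial favourite", math.log2(len(PERENNIAL_WORDS)))
    bits = pattern_bits(password)
    if bits is not None:
        return ("policy-shaped dictionary word", bits)
    return ("no known pattern", random_bits(len(password)))


if __name__ == "__main__":
    # Constructed sample passwords; the last one is freshly generated.
    for pw in ("Secret123!", "Password1", "god", generate_password()):
        verdict, bits = evaluate(pw)
        print(f"{pw!r:30} {verdict:32} ~{bits:.1f} bits")
```

Under these assumptions “Secret123!” costs an informed attacker about 29 bits of work despite satisfying a typical complexity policy, while a random 20-character password costs about 131 bits; that gap, not the presence of a capital letter and a symbol, is what the talk’s password-manager recommendation buys.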
“Researchers must shift focus from hacker motives to real world users,” he said, explaining that the only way to increase overall password security is to make it easy and understandable for everyday people.
If topics like bad passwords interest you, keep an eye out for news on the 2018 CactusCon.