
Monday, May 15:

Time | Speaker | Talk title
08:30 | Doors open / registration / coffee | “Social interaction”
09:00 | Per Thorsheim | Welcome to PasswordsCon!
09:05 | Per Thorsheim | What did PasswordsCon ever do for you?!?
10:15 | Stephan Wiefling | Evaluating Risk-based Authentication on a Large-Scale Online Service
10:45 | Maximilian Golla | “Make it screaming”: How Administrators Configure Risk-based Authentication
11:30 | Philipp Markert | Something Is Rotten in the State of California: How Users React to Sign-in Emails
12:00 | Jim Fenton | What’s new in the NIST authentication guidelines draft?
13:30 | Tamas Bisztray | Privacy-Preserving Password Cracking: How a Third Party can Crack our Password Hash Without Learning the Hash Value or the Cleartext
14:30 | Kirsi Helkala | Accessible authentication – a current status
15:30 | Espen Johansen | Why passwords and pincodes have screwed up my musical taste and why it’s actually a good thing. Experience sharing from a convert.
16:15 | Food, drinks, challenges, surveys & lightning talks! |

Lightning talks:
1. Octav Opaschi (Detack GmbH)
2. Marie Øseth & Ingunn Furuberg (MSc students, NTNU)

Tuesday, May 16:

Time | Speaker | Talk title
08:30 | Doors open / coffee | “Social interaction”
09:00 | Sanchari Das | “Too Cute of a Toy”: Evaluating the Usability of Multi-Factor Authentication Security Keys for Athletes
09:30 | Cecilie Wian | How hard can it be? – choosing the right password manager
10:30 | Dario Pasquini | Password Alchemy with Universal Neural-Cracking-Machines: Transmuting email addresses into Password Models
11:30 | Stefan Ivarsson | Password Culture: Understanding the mind of the masses to improve dictionary attacks
12:00 | Ashley Sheil | Guessing PINs, One Partial PIN at a time.
13:30 | Collins Munyendo | “The Same PIN, Just Longer”: On the (In)Security of Upgrading PINs from 4 to 6 digits.
14:15 | Mackenzie Jackson | Gaining access through leaked credentials – How attackers discover and exploit secrets
15:00 | Hazel Murray | Quantum multi-factor authentication
15:30 | Per Thorsheim | End of day 2 / Open part of PasswordsCon
–:– | Evening meetup in city center somewhere? |

Wednesday, May 17:

Picture of Norwegian flag

Thursday, May 18:

Speakers, titles & abstracts are not published online.
Event is physical only, no streaming or recordings.
Chatham House Rule: “When a meeting, or part thereof, is held under the Chatham House Rule, participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed.”

Speaker info, with talk abstracts:

Stephan Wiefling
Stephan Wiefling is a PhD Candidate from Germany (Institute for Cyber Security and Privacy, H-BRS). His work focuses on making cybersecurity and privacy usable for everyone. He also brought his expertise into the industry (e.g., Meta, Telenor).

Mastodon: @[email protected]
Evaluating Risk-based Authentication on a Large-Scale Online Service

Risk-based authentication (RBA) is recommended by government agencies (e.g., NIST, NCSC, ACSC) to strengthen password-based authentication against attacks involving stolen passwords, like credential stuffing or password spraying.

Users find RBA more usable than 2FA, and equally secure [1]. Its security and privacy properties also look promising [2]. But how does it really perform on a large online service?

We studied 3.3 million users and 31.3 million login attempts at a single sign-on service to uncover the real-world RBA behavior. Beyond that, we provide an open login data set and an open source solution to bring RBA into practice.

Website and Data Set:
[1] Talk from PasswordsCon 2020:
[2] Talk from PasswordsCon 2021:
Tamas Bisztray
PhD candidate, University of Oslo

Privacy-Preserving Password Cracking: How a Third Party can Crack our Password Hash Without Learning the Hash Value or the Cleartext

Using the computational resources of an untrusted third party to crack a password hash poses a number of privacy and security risks. The act of revealing the hash digest could in itself negatively impact both the data subject who created the password and the data controller who stores the hash digest.
This paper addresses this currently open problem by presenting a Privacy-Preserving Password Cracking protocol (3PC) that prevents the third-party cracking server from learning any useful information about the hash digest or the recovered cleartext.
This is achieved by a tailored anonymity set of decoy hashes, based on the concept of predicate encryption, where we extend the definition of a predicate function to evaluate the output of a one-way hash function. The protocol allows the client to maintain plausible deniability: the real choice of hash digest cannot be proved, even by the client itself. The probabilistic information the server obtains during the cracking process can be calculated and minimized to a desired level.
While in theory cracking a larger set of hashes would decrease computational speed, the 3PC protocol provides constant-time lookup on an arbitrary list size, bounded by the input/output operations per second (IOPS) capabilities of the third-party server, thereby allowing the protocol to scale efficiently. We demonstrate these claims both theoretically and in practice, with a real-life use case implemented on an FPGA architecture.
Cecilie Wian
Test & security consultant

Bachelor in Educational Psychology, Master in Digital Culture. Cecilie has a big heart for users, as well as a passion for the tech we interact with. At Bouvet she works with testing and security. As an experienced tester, Cecilie is all about testing what matters, combating abusive and user-unfriendly tech.


Mastodon: [email protected]
How hard can it be? – choosing the right password manager

Single sign-on and tokens still haven’t eradicated passwords, and both individuals and large businesses have a lot of them. Poor password hygiene is a huge risk, letting any hostile party walk right in the door. So managing passwords well is a must, both for security and for keeping users’ sanity.

The question remains: what is a good choice? The talk takes a dive into popular solutions and measures them against selection criteria and some of the possible choices.

The talk is a detailed look at usability and user friendliness: selection criteria, and pitfalls in choosing a password manager, no matter whether you are a professional, a single user, a family, or choosing a manager for enterprises and larger businesses.
Hazel Murray
Dr, CyberSkills, Munster Technological University

Quantum multi-factor authentication

Quantum computing has the theoretical ability to break modern cryptography. However, it can also provide the key to stronger, more resilient systems.

In this talk we introduce the quantum mechanics principles that enable the development of advanced computing and communication systems with capabilities beyond those we currently see in classical computing. We present a quantum multi-factor authentication mechanism based on the hidden-matching quantum communication complexity problem. It offers step-up graded authentication for users via a quantum token.

We will outline the protocol, demonstrate that it can be used in a largely classical setting, explain how it can be implemented in SASL, and discuss arising security features.
Dario Pasquini
Postdoc at École Polytechnique Fédérale de Lausanne (EPFL), Switzerland


Personal homepage:
Password Alchemy with Universal Neural-Cracking-Machines: Transmuting email addresses into Password Models

“Bob is a system administrator of an average-size web application with a non-English-speaking user community. Bob would like to deploy a password meter to harden the password of his users. 

However, deploying an accurate password meter for an under-represented, and, possibly unique, user community is not an easy task. There are no ready-made solutions available online; thus, if Bob really wants an accurate password model for his community, he has to train one from scratch. This means that Bob must find leaked plaintext passwords that follow a distribution similar to the one of his user community and use them to fit some kind of machine learning model.

Unfortunately, Bob does not have any idea where to find suitable password leaks, and, even if those were available, Bob knows nothing about machine learning. Failing in deploying his tailored password model, Bob ends up using an off-the-shelf password meter that performs poorly on the passwords of his non-English-speaking community. Bob is sad; his community has insecure passwords—everyone loses.

To make Bob’s life easier, we developed the first universal password model — a password model that, once pre-trained, can automatically adapt to any password distribution. We call it “Universal Neural-Cracking-Machine” (UNCM). To achieve this result, a UNCM does not need to access any plaintext passwords from Bob’s users. Instead, it exploits users’ auxiliary information, such as email addresses, as a proxy signal to predict and characterize the underlying password distribution.

Using a UNCM, every Bob out there can now autonomously generate tailored password models for their systems regardless of their expertise and resources. It is enough to download a pre-trained UNCM, provide it with the auxiliary information associated with users (e.g., email address), and deploy the resulting password model. No further training steps, targeted data collection, or prior knowledge of the community’s password distribution is required.”
Dr. Stefan Ivarsson
Senior Security Consultant, Truesec

Password Culture: Understanding the mind of the masses to improve dictionary attacks

As part of Security assessments, we regularly perform password recovery operations to assess the resilience against credential-based attacks toward customer systems. Backed by a large number of recovered passwords from systems and customers of varying sizes and password policies, we can observe human cultural patterns in the selection of passwords.

What kind of passwords do humans tend to select when limited by policies?

Let’s take a short dive into the mind of the masses and, with this understanding of what is commonly selected, use it to improve the dictionaries we use in recovery.
Espen Agnalt Johansen
Head of Security (Tryggleiksjef), Visma

Why passwords and pincodes have screwed up my musical taste and why it’s actually a good thing. Experience sharing from a convert.

For several years I have studied criminal environments and sought to understand their behavioural patterns. I went in with a strong bias toward looking for sophisticated methods and obscure yet beautiful sidechannel attacks. I have learned a lot since then.

Today I spend millions on converting belief systems and realise that Per may have been right all along.
The password and pincodes actually reflect a level of sophistication and a side channel that actually is a thing of beauty and grace when you choose to go deep and invest.

My talk will share stats, details and thoughts after spending millions on hardcore security efforts and still observing that very, very «sophisticated» people find passwords very hard to deal with. I will seek to combine this with personal accounts from a long security career and end up with recent stories from the trenches when facing infostealers in global infrastructures.

Expect this to get personal, and expect it to contain music.
Jim Fenton
Consultant, Altmode Networks


What’s new in the NIST authentication guidelines draft?

In December 2022, NIST released a draft revision to their Special Publication 800-63, Digital Identity Guidelines. This talk will discuss some of the changes in the new draft, especially with respect to authentication and particularly passwords.
Maximilian Golla
Max Planck Institute for Security and Privacy (MPI-SP)



“Make it screaming”: How Administrators Configure Risk-based Authentication

Risk-based authentication (RBA) complements standard password-based logins by using knowledge about previously observed user behavior to prevent malicious login attempts. Correctly configured, RBA holds the opportunity to increase the overall security without burdening the user by limiting unnecessary security prompts to a minimum.

In a study, we let 28 system administrators configure RBA using a mock-up system modeled after Amazon Cognito. In subsequent interviews, we asked them about the intentions behind their configurations and experiences with the RBA system.

Based on these findings, we give recommendations for service providers who offer risk-based authentication to ensure both usable and secure logins for everyone.
Philipp Markert
Philipp is a final-year PhD student in the Department of Computer Science at Ruhr University Bochum, Germany, and Member of the Mobile Security Group. Philipp’s research interests include computer security and human-computer interaction (HCI), with a focus on usable security and authentication.

Something Is Rotten in the State of California: How Users React to Sign-in Emails

“Hi, we noticed a new sign-in to your account. If it was you, you can safely ignore this email. If it wasn’t you, please change your password immediately to secure your account.” While reading these lines, you probably remembered receiving an email just like this because numerous services send them to inform users about new sign-ins to their accounts.

In two user studies, we explored how users understand sign-in emails and react when receiving them. We tested two cases, a sign-in email sent for a login users initiated themselves or sent when a malicious actor logs in. We find that users feel relatively confident identifying legitimate logins but demonstrate various risky and insecure behaviors when it comes to malicious sign-ins. We discuss the identified problems, depict which pitfalls service providers should avoid, and what the perfect sign-in email should look like.
Kirsi Helkala
Kirsi Helkala is a professor at the Norwegian Defence Cyber Academy (Cyberingeniørskolen), which is part of the Norwegian Defence University College. She is also a research professor at the Peace Research Institute Oslo (PRIO). She holds a Master of Science degree in mathematics from the University of Joensuu, Finland, and a PhD in information security from the University of Oslo, Norway. She teaches mathematics and supervises information and cyber security related student workshops, term papers and theses. Her research interest lies in the human factor in cyber security.


Accessible authentication – a current status

Technology has evolved greatly over the past decades; however, authentication methods have not really changed. Authentication methods that are currently dominant can be difficult to use and the needs of users with disabilities are not always met. In our earlier works, we have used disability classification identified by the World Health Organization as well as the principles of universal design to examine usability and security of authentication methods.
This talk will summarise our earlier works by showing some examples of the difficulties disabled people are facing, presenting an assessment of different forms of user authentication in terms of usability and security and giving some recommendations and suggestions to reach inclusivity in the authentication context.
Ashley Sheil
Maynooth University PhD candidate

Guessing PINs, One Partial PIN at a time.

A partial PIN is used by some banks as a form of (often secondary) authentication where you are requested to input a subset of randomly chosen positions from your personal identification number (PIN). We wanted to explore the success rate of guessing a PIN via its partial PIN compared to that of guessing the full PIN.

An in-the-wild example could look like the following scenario: you attempt to guess your (not very close) friend’s bank PIN via their phone. Each day you have a certain number of guesses before being locked out. How many guesses do you need to recover the full PIN? If you correctly guess one partial PIN, you now know the digits at the requested positions, and your chances of guessing the full PIN increase on the next guess. For example, if the full PIN is six digits and the partial PIN is three digits, guessing the partial PIN correctly reduces the odds from one in a million to a much more manageable one in a thousand.
This begs the question: are partial PINs less secure than full PINs? And how many guesses would it take to brute-force a full PIN by guessing its partial PIN at each login?
In this talk I will show how we went about answering these questions by simulating the guessing process on different-length PINs with different-length partial PINs. I will also talk about the four different guessing strategies we created to compare their guessing efficacy and present our results.
Collins Munyendo
PhD Student in Computer Science, The George Washington University

“The Same PIN, Just Longer”: On the (In)Security of Upgrading PINs from 4 to 6 digits.

With the goal of improving security, companies like Apple have moved from requiring 4-digit PINs to 6-digit PINs in contexts like smartphone unlocking. Users with a 4-digit PIN thus must “upgrade” to a 6-digit PIN for the same device or account. In an online user study (n = 1,010), we explore the security of such upgrades. Participants used their own smartphone to first select a 4-digit PIN. They were then directed to select a 6-digit PIN with one of five randomly assigned justifications. In an online attack that guesses a small number of common PINs (10–30), we observe that 6-digit PINs are, at best, marginally more secure than 4-digit PINs.

To understand the relationship between 4- and 6-digit PINs, we then model targeted attacks for PIN upgrades. We find that attackers who know a user’s previous 4-digit PIN perform significantly better than those who do not at guessing their 6-digit PIN in only a few guesses using basic heuristics (e.g., appending digits to the 4-digit PIN). Participants who selected a 6-digit PIN when given a “device upgrade” justification selected 6-digit PINs that were the easiest to guess in a targeted attack, with the attacker successfully guessing over 25% of the PINs in just 10 attempts, and more than 30% in 30 attempts.

Our results indicate that forcing users to upgrade to 6-digit PINs offers limited security improvements despite adding usability burdens. System designers should thus carefully consider this tradeoff before requiring upgrades.
Sanchari Das
Assistant Professor, University of Denver (Inclusive Security and Privacy-focused Innovative Research in Information Technology: Inspirit Lab)



@[email protected]
“Too Cute of a Toy”
Evaluating the Usability of Multi-Factor Authentication Security Keys for Athletes

Multi-Factor Authentication (MFA) is increasingly important in today’s digital landscape, particularly as sensitive information is being transmitted and stored online. Security keys like YubiKeys have become a popular form of MFA as they require physical possession to authenticate a user’s identity. However, little attention has been given to the usability of MFA tools among athletes, who may face unique challenges due to the physical demands of their sport, including Traumatic Brain Injuries (TBI). 

To address this gap, we conducted a comparative study with five athletes and five non-athletes, using a think-aloud protocol, to gain insights into their understanding of the YubiKey and any difficulties encountered. The study revealed specific areas of difficulty related to website navigation and comprehension of the YubiKey’s purpose, which are critical for effective use of the tool. The findings highlight the importance of considering the unique needs and limitations of different user groups, including athletes, when developing MFA tools to safeguard personal and professional information.
Mackenzie Jackson
Security Advocate @ GitGuardian

Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learned first-hand how critical it is to build secure applications with robust developer operations.
Today as a Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.


Gaining access through leaked credentials – How attackers discover and exploit secrets

The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was quantified in a year-long research study by GitGuardian which found 6 million secrets were leaked in public repositories on The report also showed that nearly 5% of docker images contain at least one plain text secret.

This talk will examine why secrets are so frequent in public spaces despite being a highly valuable asset, and how attackers discover these credentials. Building on this, we break down three recent successful attacks which all used leaked credentials: Codecov 2021, the Indian Government 2020 and the Lapsus breaches of 2022. Examining the methodology used in each, we will show the different techniques attackers used to harvest and exploit credentials. Finally, we break down the different methods and tools that can be used to extract secrets from source code, reviewing the pros and cons of each.
Per Thorsheim

Per is the founder of PasswordsCon.
I just might have something to say… Watch this space!