Buy now – 1000 SEK/day

Stockholm Waterfront, 25-26 November 2019

PasswordsCon – Part 1

Organized by PasswordsCon, 25 November 2019

A conference that’s all about passwords, PIN codes, and digital authentication. Passwords are the most prevalent form of authentication in the digital age.

Passwords (PasswordsCon) is the first and only conference of its kind, where leading researchers, password crackers, and experts in password security from around the globe gather in order to better understand the challenges surrounding digital authentication, and how to adequately address them.

While large mainstream conferences tend to focus on current hot topics in the information security industry, Passwords events explore fringe conversations on everything from analysis and education to creating, securing, cracking, and exploiting authentication solutions. And unlike other events where the speaker is rushed in and out, Passwords provides an intimate environment for participants to directly engage speakers before, during, and after their presentations.

A1 Language: English


  • danah boyd

    danah boyd   Social media expert

    danah boyd is an expert on online youth culture and how we use social media; she researches at the intersection of technology, society and politics.


Length 15 & no change. Implementing NIST SP800-63B for real.

We implemented a simple password filter in Windows Active Directory, changed the minimum length setting to 15 and removed the regular forced change requirement. Then we ran for cover. You won't believe what happened next!

I'll quickly explain why we did it, how, reactions & findings and what remains to be done. After all, this never stops, right?

  • Per Thorsheim

    Founder of PasswordsCon

    Per Thorsheim has in writing from Cormac Herley that he is pathologically obsessed with Passwords. Per is very proud of that. The license plate of his Norwegian car says "Passord". You can probably guess what it means. He works as the CSO of Nordic Choice Hotels. Twitter: @thorsheim

Passwordless FTW!


  • Mads Grandt

    Specialist Adviser Global ICT Operations, Norwegian Refugee Council

    Mads Grandt turned his lifelong interest in technology and problem solving into a 20-year career in IT infrastructure and operations in large international organizations. Twitter: @madsmagr

What is the best password manager?

“What is the best password manager?” a review of password managers for enterprises from a user perspective.

Password fatigue threatens businesses; password managers can be a part of the solution if they are used. If not, they are an expensive waste of time and money, and may lead to even more insecure practice.

The talk is a review of password managers for enterprises from a user perspective, and gives an introduction to criteria and questions to ask when picking a password manager.

  • Cecilie Wian

    Senior Consultant at Knowit Consulting Bergen

    Passionate about technology, learning and life.
    Specialties: Testing and human-computer interaction.
    Master in digital culture, on e-learning, with focus on online collaboration and sharing culture.
    Twitter: @sinobell

Why magic login links are good for now


  • Lennart Liberg

    Software Engineer, Vyer

    Problem deconstructor, communication enthusiast, ballpark estimator, builder of things, proofreader, ideas collector, infosec fan, podcast addict, sustainability devotee. Twitter: @leliberg


A1 Language: English


  • David Rowan

    David Rowan   Technology guru

    David Rowan has been editor-in-chief of the British edition of the technology magazine Wired, and is an expert on technology trends and business innovation.

Better Password Entry On the Couch

Devices like games consoles are frequently used together with others. Therefore, whenever a password is entered, shoulder-surfing is a threat. To address this threat, we conducted the first investigation of shoulder-surfing resistant text password entry on gamepads.

  • Peter Mayer

    Doctoral Researcher, Karlsruhe Institute of Technology (KIT - AIFB - SECUSO)

    Peter Mayer is a doctoral researcher in the SECUSO Research Group of Prof. Dr. Melanie Volkamer at Karlsruhe Institute of Technology. His research focuses on security awareness and education, usable authentication, and password managers. Twitter: @secusoresearch

PUF-enabled hardware dependent password hashing

In this talk, I will present a hardware-based approach to keyed password hashing designed to eliminate offline password cracking without direct access to the hardware. In particular, the talk will focus on the cryptographic primitives and techniques used in the hardware, which is PUF-enabled. The PUF implemented in the hardware is used to derive an unclonable cryptographic key which is used for processing passwords in the hardware. Thanks to an inherent property of PUFs, the key is not stored anywhere in the hardware, thereby making offline password cracking difficult without access to the hardware.

  • Aysajan Abidin

    Researcher, Research group COSIC, KU LEUVEN

    Twitter: @aysajanabidin


Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild

The talk will cover our research on the Risk-based Authentication (RBA) practices of eight popular online services. RBA is recommended in NIST SP800-63B and protects against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks.

IFIP SEC slides:

Paper download (Open Access):

Paper website:

  • Stephan Wiefling

    PhD Student, Data & Application Security Group, TH Köln - University of Applied Sciences

    Stephan Wiefling is a PhD student from Cologne, Germany (Data- and Application Security Group, TH Köln). His current research spans areas of Authentication and Usability. Twitter: @SWiefling

Dealing with password reuse attacks in 2019

Password reuse attacks have been used for years in a very efficient way against most websites, and this trend is not going down. The online gambling market is particularly exposed as the accounts can be used for money laundering purposes. Kindred Group has been working for several years on that subject to reduce the risks faced by its customers. The Group Security team will present some of the tools and methods they use on a day-to-day basis to detect attacks, contain them and prevent accounts from being compromised, and some of the difficulties they faced implementing them.

  • Pierre-Antoine Haidar-Bachminska

    Security Operations Line Lead, Kindred Group

    Member of team @Hashcat
    Twitter: @Hydraze

A1 Language: English


  • Max Schrems

    Max Schrems   Privacy activist

    Max Schrems has challenged the internet giant Facebook and questioned its collection of data from its users, among other things through initiatives such as "None of Your Business".