PASSWORD SECURITY FUNDAMENTALS
JEN TRIÑANES, SR. .NET DEVELOPER – VFTS GLOBAL
AGENDA
• PASSWORD STORAGE
• PASSWORD RESET
• PASSWORD COMPLEXITY
ADOBE HACK – OCTOBER 2013
153 million Adobe accounts were breached, each containing internal ID, username, email, ENCRYPTED password and password hint in plain text. Password encryption was poorly done and many were quickly resolved back to plain text.
SONY PICTURES HACK – DECEMBER 2014
In Sony’s biggest security breach, it was discovered that thousands of passwords were not even encrypted. Passwords were stored in plain text in a folder named ‘Password’.
000WEBHOST HACK – MARCH 2015
13 million customer records were breached. The data breach included names, email addresses and plain text passwords. The data was sold and traded before 000webhost was informed in October.
SECURE PASSWORD STORAGE GUIDANCE
• NEVER, EVER STORE PASSWORDS IN PLAIN TEXT!
• UNSALTED HASH = BAD
• CONSIDERED WEAK HASHING ALGORITHMS:
– MD5
– SHA1 (LINKEDIN USED FOR PASSWORD ENCRYPTION BEFORE THE HACK)
• SHA256 / SHA512 ARE GOOD, BUT NOT SLOW BY DESIGN
SECURE PASSWORD STORAGE GUIDANCE
• NIST RECOMMENDS PASSWORD-BASED KEY DERIVATION FUNCTION 2 (PBKDF2)
HASH = PBKDF2(PSEUDORANDOM FUNCTION, SENSITIVE DATA, SALT, ITERATION COUNT)
(HIGHER ITERATION COUNT == SLOWER == BETTER)
• .NET IMPLEMENTATION: RFC2898DERIVEBYTES CLASS
• USED BY ASP.NET IDENTITY
• IOS 4 USED 10K ITERATIONS, LASTPASS USED 5K ITERATIONS FOR JS AND 100K FOR SERVER-SIDE HASHING
• OTHER STRONG HASHING ALGORITHM FLAVORS:
– BCRYPT
– SCRYPT
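The slides name the Rfc2898DeriveBytes class but show no code. The following is an added example, not from the deck, of salted PBKDF2 hashing and verification with that class on .NET 6 or later. The salt size, key size, the 100,000 iteration count (the server-side figure the deck cites for LastPass), the HMAC-SHA256 PRF and the "iterations.salt.hash" record layout are this example's own choices; the sample password is constructed.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the slides): salted PBKDF2 password hashing using
// the .NET Rfc2898DeriveBytes class the deck recommends. Targets .NET 6+.
public static class PasswordHasher
{
    // Assumed parameters: 16-byte random salt, 32-byte derived key,
    // 100k iterations (server-side count the deck cites), HMAC-SHA256 PRF.
    private const int SaltSize = 16;
    private const int KeySize = 32;
    private const int Iterations = 100_000;
    private static readonly HashAlgorithmName Prf = HashAlgorithmName.SHA256;

    // Stored record layout (our own convention): "iterations.saltBase64.hashBase64".
    // Storing the iteration count with the record lets it be raised later
    // without breaking verification of older records.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);   // fresh per password
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, Prf, KeySize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');   // Base64 never contains '.', so this is safe
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations <= 0)
            return false;

        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, Prf, expected.Length);

        // Constant-time comparison: an early-exit compare would leak how many
        // leading bytes of the candidate hash matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        const string sample = "correct horse battery staple";   // constructed sample password

        string record = Hash(sample);
        Console.WriteLine(record);

        Console.WriteLine("correct password verifies: " + Verify(sample, record));
        Console.WriteLine("wrong password verifies:   " + Verify("wrong password", record));

        // Hashing the same password twice yields different records because
        // each call draws a fresh salt; that is what defeats rainbow tables.
        Console.WriteLine("second hash equals first:  " + (Hash(sample) == record));
    }
}
```

The static `Rfc2898DeriveBytes.Pbkdf2` overload used here was added in .NET 6; on .NET Framework 4.7.2 and .NET Core 2.x the same derivation is `new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256).GetBytes(KeySize)`. Tune the iteration count to the slowest acceptable login latency on your own hardware rather than copying a number from another product.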
DID YOU JUST EMAIL ME BACK MY OWN PASSWORD?!
SECURE PASSWORD RESET GUIDANCE
• IMPLEMENT A SECURE PASSWORD RESET – NOT RETRIEVAL!
• MUST BE TOKEN-BASED AND TIME-SENSITIVE
• DESIGN FOR 2 DISTINCT PHASES:
– TOKEN REQUEST
– TOKEN VALIDATION
TOKEN REQUEST
• GUID is already sufficient for a random, unpredictable token
• Set at least 1 hour window for password reset.
Flowchart (token request):
START → User enters email address in a password reset form and resolves CAPTCHA
→ CAPTCHA resolved? N → END
→ Y → Email address found in database?
→ N → Display “If your account exists, you will be sent an email with further instructions”
→ Y → 1. Generate a random token w/ timestamp; 2. Store the token and timestamp in database; 3. Send an email w/ the token
TOKEN VALIDATION
Flowchart (token validation):
START → User enters username / account ID and resolves CAPTCHA
→ CAPTCHA resolved? N → END
→ Y → Is token valid and unexpired?
→ N → Display “Invalid reset token”
→ Y → 1. User enters his new password; 2. Set the token and timestamp to null; 3. Send an email acknowledging the password change
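The two flowcharts above describe the reset flow but the deck carries no code for it. Below is an added example, not from the slides, that implements both phases in C# (.NET 6+): the request phase returns the same message whether or not the address exists and issues a GUID token with a UTC timestamp; the validation phase accepts the token only if it matches and is inside the one-hour window, then clears the token and timestamp. An in-memory dictionary stands in for the database and a list for the mailer, the email address is used as the account identifier, CAPTCHA is assumed to have been checked by the caller, the injectable clock exists only so expiry can be exercised offline, and the `newPasswordRecord` argument is assumed to be an already-salted-and-hashed record (the placeholder strings and the sample account are constructed).

```csharp
using System;
using System.Collections.Generic;

// Added example (not from the slides): two-phase password reset with a
// random, time-limited, single-use token. In-memory store and mailer are stand-ins.
public sealed class PasswordResetService
{
    public sealed class Account
    {
        public string Email = "";
        public string PasswordRecord = "";   // salted hash of the password, never the password
        public Guid? ResetToken;             // null when no reset is pending
        public DateTime? ResetRequestedUtc;  // null when no reset is pending
    }

    public const string UniformReply =
        "If your account exists, you will be sent an email with further instructions";
    private static readonly TimeSpan Window = TimeSpan.FromHours(1);   // deck: at least 1 hour

    private readonly Dictionary<string, Account> _accounts;   // keyed by email (stands in for DB)
    private readonly Func<DateTime> _utcNow;                  // injectable clock, for testing expiry
    public readonly List<string> SentMail = new();            // stands in for the mail sender

    public PasswordResetService(IEnumerable<Account> accounts, Func<DateTime>? utcNow = null)
    {
        _accounts = new Dictionary<string, Account>(StringComparer.OrdinalIgnoreCase);
        foreach (var a in accounts) _accounts[a.Email] = a;
        _utcNow = utcNow ?? (() => DateTime.UtcNow);
    }

    // Phase 1: token request. The reply is identical for known and unknown
    // addresses so the form cannot be used to enumerate accounts.
    public string RequestReset(string email)
    {
        if (_accounts.TryGetValue(email, out var account))
        {
            account.ResetToken = Guid.NewGuid();      // GUID as the unpredictable token, per the deck
            account.ResetRequestedUtc = _utcNow();    // step 1 and 2: token + timestamp stored
            SentMail.Add($"To {email}: reset token {account.ResetToken}");   // step 3
        }
        return UniformReply;
    }

    // Phase 2: token validation. The token must exist, match, and be unexpired;
    // on success it is consumed so it cannot be replayed.
    public bool CompleteReset(string email, Guid token, string newPasswordRecord)
    {
        if (!_accounts.TryGetValue(email, out var account)) return false;
        if (account.ResetToken is null || account.ResetRequestedUtc is null) return false;
        if (account.ResetToken != token) return false;
        if (_utcNow() - account.ResetRequestedUtc.Value > Window) return false;   // expired

        account.PasswordRecord = newPasswordRecord;   // step 1: new password set (already hashed)
        account.ResetToken = null;                    // step 2: token and timestamp set to null
        account.ResetRequestedUtc = null;
        SentMail.Add($"To {email}: your password was changed");   // step 3: acknowledgement
        return true;
    }

    public static void Main()
    {
        var clock = new DateTime(2015, 12, 1, 9, 0, 0, DateTimeKind.Utc);   // constructed clock
        var alice = new Account { Email = "alice@example.com", PasswordRecord = "<old hash>" };
        var service = new PasswordResetService(new[] { alice }, () => clock);

        // Known and unknown addresses receive the same reply; only the known one gets mail.
        Console.WriteLine(service.RequestReset("alice@example.com"));
        Console.WriteLine(service.RequestReset("nobody@example.com"));
        Console.WriteLine("mails sent: " + service.SentMail.Count);

        Guid token = alice.ResetToken!.Value;   // in reality this arrives via the emailed link
        Console.WriteLine("wrong token accepted:  " + service.CompleteReset("alice@example.com", Guid.NewGuid(), "<new hash>"));
        Console.WriteLine("right token accepted:  " + service.CompleteReset("alice@example.com", token, "<new hash>"));
        Console.WriteLine("replayed token accepted: " + service.CompleteReset("alice@example.com", token, "<new hash>"));

        // Expiry: request again, then move the clock past the one-hour window.
        service.RequestReset("alice@example.com");
        token = alice.ResetToken!.Value;
        clock = clock.AddHours(2);   // the lambda captures the variable, so the service sees the new time
        Console.WriteLine("expired token accepted: " + service.CompleteReset("alice@example.com", token, "<new hash>"));
    }
}
```

In a real store the token column should hold a hash of the GUID rather than the GUID itself, so that a read-only leak of the database does not hand out live reset tokens; that refinement is left out here to keep the flow identical to the deck's charts.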
TOP 20 MOST COMMON PASSWORDS OF 2015
Password reuse is rampant (social media, email, banking, corporate accounts, etc.)
PASSWORD STRENGTH GUIDANCE
• PASSWORD LENGTH
– LONGER PASSWORDS PROVIDE A GREATER COMBINATION OF CHARACTERS AND ARE MORE DIFFICULT FOR AN ATTACKER TO GUESS
– YOU CAN ENCOURAGE USERS TO SET PASSPHRASES
• ENFORCE PASSWORD COMPLEXITY
• DO NOT LET THE USER REUSE HIS PASSWORD. REQUIRE THE USER TO CHANGE HIS PASSWORD EVERY n DAYS
HOW STRONG IS A STRONG PASSWORD?
HOW LONG DOES IT TAKE TO CRACK MY PASSWORD?
YOU CAN’T REMEMBER ALL YOUR PASSWORDS
Use an offline password manager like 1Password
OTHER SECURITY CONSIDERATIONS
Only serve login, registration and any forms that can POST sensitive data over TLS or another strong transport
THANK YOU!