Passwords: Security vs Usability
•
2 likes•1,355 views
This is my presentation from ROOTS 2012 in Bergen, Norway. It was presented on April 27, security track.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Passwords: Security vs Usability
Similar to Passwords: Security vs Usability (20)
More from Per Thorsheim
More from Per Thorsheim (11)
Recently uploaded
Recently uploaded (20)
Passwords: Security vs Usability
- 1. ROOTS 2012 April 27, 2012 Passwords: Security vs Usability? Per Thorsheim CISA, CISM, CISSP-ISSAP Security Advisor
- 2. Introduction
- 3. About me Google picture search Website Software Security designer designer designer 3
- 4. First day at work 4
- 5. Security should be simple… Windows 8 - Picture Password https://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx https://blogs.msdn.com/b/b8/archive/2011/12/19/optimizing-picture-password-security.aspx 5
- 7. Good? security usability does exist: But do remember: In general, 2-factor authentication is one thing you know and one thing you forgot at home. 7
- 8. You should do risk analysis… (Your choice of methodology of course…) Page 8
- 9. [my personal clip art gallery] (Mostly) Bad Examples
- 10. Tell everyone their new password in public 10
- 11. be careful with your requirements… 11
- 12. …but please do require something… 12
- 13. …accept end-users for as they are… 13
- 14. Store their credentials safely… 14
- 15. … and give them simple but useful help… 15
- 16. ... And «write down your password» can be smart: As long as you DO try to hide those POST-IT notes just a little bit! http://securitynirvana.blogspot.com/2010/03/write-down-your-password.html 16
- 17. Hey, some actually do give sound advice! 17
- 18. 18
- 19. 19
- 20. 20
- 21. 21
- 23. Security questions are *hard* to do properly! www.lightbluetouchpaper.org/2010/03/04/evaluating-statistical-attacks-on-personal-knowledge-questions/ 23
- 24. Do NOT e-mail me my password! Or else….. 24
- 25. Hall of shame 25
- 27. E-mail can be used for password resets… 27
- 28. …but not everyone does it «correctly» 28
- 29. Password meters are dangerous: http://securitynirvana.blogspot.com/2010/11/revisiting-password-meters.html 29
- 30. No default passwords or backdoors, PLEASE! http://seclists.org/bugtraq/2012/Apr/185 30
- 31. Front-end admin access? (ATM screenshot) 31
- 33. Password policies should be simple to understand 33
- 34. … or passwords may end up here: 34
- 36. Our past is paved with bad examples… 36
- 37. …. REALLY bad examples in fact. Page 37
- 38. Encrypt – or password protect? AES-128 with PBKDF2/SHA-1 38
- 39. Account lifecycle management • Register • Maintain • Monitor • REMOVE old accounts • CAPTCHA • OOB authentication • Password transmission o Plaintextoffenders.com o Passwordfail.com o Blog posts on multicase etc, + presseoppslag 39
- 40. Now let me fix that password security for you… WITHOUT affecting UX AT ALL
- 41. Recommendations 3 Blog posts and 1 academic paper: 1. «Enough with the rainbow tables: what you need to know about secure password schemes» http://chargen.matasano.com/chargen/2007/9/7/enough-with-the- rainbow-tables-what-you-need-to-know-about-s.html 2. «Strong password hashing for ASP.NET» http://zetetic.net/blog/2012/3/29/strong-password-hashing-for- aspnet.html 3. «Why you should use Bcrypt to hash stored passwords» http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored- passwords/ 4. «The quest to replace passwords: a framework for comparative evaluation of web authentication schemes» http://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta- password--oakland.pdf 41
- 42. Rate-limiting online bruteforce attacks 42
- 43. …Still want a password meter at your site? http://tech.dropbox.com/?p=165 & https://github.com/lowe/zxcvbn 43
- 44. And to break it all down at the end: 44
- 45. Thank you! Per Thorsheim securitynirvana.blogspot.com @thorsheim 45