Passwords: Security vs Usability

This is my presentation from ROOTS 2012 in Bergen, Norway. It was presented on April 27, security track.

Usage Rights: CC Attribution-ShareAlike License
    Presentation Transcript

    • ROOTS 2012, April 27, 2012. Passwords: Security vs Usability? Per Thorsheim, CISA, CISM, CISSP-ISSAP, Security Advisor
    • Introduction
    • About me: Google picture search, website, software, security designer
    • First day at work
    • Security should be simple… Windows 8 Picture Password:
      https://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx
      https://blogs.msdn.com/b/b8/archive/2011/12/19/optimizing-picture-password-security.aspx
    • …but not stupid…
    • Good? security usability does exist. But do remember: in general, 2-factor authentication is one thing you know and one thing you forgot at home.
    • You should do risk analysis… (your choice of methodology, of course…)
    • (Mostly) Bad Examples [my personal clip art gallery]
    • Tell everyone their new password in public
    • Be careful with your requirements…
    • …but please do require something…
    • …accept end-users for what they are…
    • Store their credentials safely…
    • …and give them simple but useful help…
    • …and «write down your password» can be smart, as long as you DO try to hide those POST-IT notes just a little bit!
      http://securitynirvana.blogspot.com/2010/03/write-down-your-password.html
    • Hey, some actually do give sound advice!
    • www.ssllabs.com
    • Security questions are *hard* to do properly!
      www.lightbluetouchpaper.org/2010/03/04/evaluating-statistical-attacks-on-personal-knowledge-questions/
    • Do NOT e-mail me my password! Or else…
    • Hall of shame
    • https://defuse.ca/password-policy-hall-of-shame.htm
    • E-mail can be used for password resets…
    • …but not everyone does it «correctly»
    • Password meters are dangerous:
      http://securitynirvana.blogspot.com/2010/11/revisiting-password-meters.html
    • No default passwords or backdoors, PLEASE!
      http://seclists.org/bugtraq/2012/Apr/185
    • Front-end admin access? (ATM screenshot)
    • Written Password Policies
    • Password policies should be simple to understand
    • …or passwords may end up here:
    • Our past is paved with bad examples…
    • …REALLY bad examples in fact.
    • Encrypt – or password protect? AES-128 with PBKDF2/SHA-1
    • Account lifecycle management
      o Register
      o Maintain
      o Monitor
      o REMOVE old accounts
      o CAPTCHA
      o OOB authentication
      o Password transmission: Plaintextoffenders.com, Passwordfail.com, blog posts on multicase etc., plus press coverage
    • Now let me fix that password security for you… WITHOUT affecting UX AT ALL
    • Recommendations: 3 blog posts and 1 academic paper
      1. «Enough with the rainbow tables: what you need to know about secure password schemes»
         http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
      2. «Strong password hashing for ASP.NET»
         http://zetetic.net/blog/2012/3/29/strong-password-hashing-for-aspnet.html
      3. «Why you should use Bcrypt to hash stored passwords»
         http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/
      4. «The quest to replace passwords: a framework for comparative evaluation of web authentication schemes»
         http://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta-password--oakland.pdf
    • Rate-limiting online bruteforce attacks
    • …Still want a password meter at your site?
      http://tech.dropbox.com/?p=165 & https://github.com/lowe/zxcvbn
    • And to break it all down at the end:
    • Thank you! Per Thorsheim, securitynirvana.blogspot.com, @thorsheim
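Two of the slides above, "Store their credentials safely" with its recommended reading on slow password hashes, and "Rate-limiting online bruteforce attacks", are the parts of the talk that map directly onto code. The following is an added example, written for this page and not taken from the presentation or from the linked posts. It uses PBKDF2-HMAC-SHA-256 from the Python standard library as a stand-in for the bcrypt the recommended posts describe (bcrypt needs a third-party package), stores a self-describing salt+iterations record per account, compares hashes in constant time, and counts failed logins per account in a sliding window so the rate limit is checked before any hashing work is done. The account names, passwords, iteration count and window sizes are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Dict, Optional

# PBKDF2-HMAC-SHA-256 parameters (assumed values; raise the iteration count
# until one hash costs a noticeable fraction of a second on your own hardware).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt$hash' (base64 fields).

    A fresh random salt is drawn per call, so hashing the same password twice
    yields two different records and defeats precomputed (rainbow) tables.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                             int(iterations), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


class LoginRateLimiter:
    """Block an account after `max_attempts` failures within `window` seconds."""

    def __init__(self, max_attempts: int = 5, window: float = 300.0):
        self.max_attempts = max_attempts
        self.window = window
        self._failures: Dict[str, deque] = defaultdict(deque)  # name -> failure times

    def _prune(self, username: str, now: float) -> None:
        q = self._failures[username]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, username: str, now: float) -> bool:
        self._prune(username, now)
        return len(self._failures[username]) >= self.max_attempts

    def record_failure(self, username: str, now: float) -> None:
        self._prune(username, now)
        self._failures[username].append(now)

    def reset(self, username: str) -> None:
        self._failures.pop(username, None)


# Dummy record so a login against an unknown account costs the same PBKDF2 work
# as a real one; otherwise response time would reveal which usernames exist.
_DUMMY_RECORD = hash_password("not-a-real-password")


def login(users: Dict[str, str], limiter: LoginRateLimiter, username: str,
          password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'denied' or 'rate_limited'. The limit is checked before hashing."""
    now = time.time() if now is None else now
    if limiter.is_blocked(username, now):
        return "rate_limited"
    record = users.get(username, _DUMMY_RECORD)
    ok = verify_password(record, password) and username in users
    if not ok:
        limiter.record_failure(username, now)
        return "denied"
    limiter.reset(username)
    return "ok"


if __name__ == "__main__":
    # Constructed sample account and a tight limit so the lockout is visible.
    users = {"alice": hash_password("correct horse battery staple")}
    limiter = LoginRateLimiter(max_attempts=3, window=60)
    for t, pw in [(0, "wrong"), (1, "wrong"), (2, "wrong"),
                  (3, "correct horse battery staple"), (70, "correct horse battery staple")]:
        print(t, login(users, limiter, "alice", pw, now=t))
```

Note the ordering in `login`: the rate-limit check runs before `verify_password`, so a flood of attempts against one account does not translate into a flood of expensive PBKDF2 computations, and the lockout is keyed per account rather than per client address, which is what slows a distributed online guessing campaign rather than just one host.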