Passwords: Security vs Usability
This is my presentation from ROOTS 2012 in Bergen, Norway. It was presented on April 27, security track.
  1. ROOTS 2012, April 27, 2012. Passwords: Security vs Usability? Per Thorsheim, CISA, CISM, CISSP-ISSAP, Security Advisor
  2. Introduction
  3. About me (Google picture search: website designer, software designer, security designer)
  4. First day at work
  5. Security should be simple… Windows 8 picture password: https://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx and https://blogs.msdn.com/b/b8/archive/2011/12/19/optimizing-picture-password-security.aspx
  6. …but not stupid…
  7. Good security/usability does exist. But do remember: in general, 2-factor authentication is one thing you know and one thing you forgot at home.
  8. You should do risk analysis… (your choice of methodology, of course…)
  9. (Mostly) bad examples [my personal clip art gallery]
  10. Tell everyone their new password in public
  11. Be careful with your requirements…
  12. …but please do require something…
  13. …accept end-users as they are…
  14. Store their credentials safely…
  15. …and give them simple but useful help…
  16. …and «write down your password» can be smart, as long as you DO try to hide those POST-IT notes just a little bit! http://securitynirvana.blogspot.com/2010/03/write-down-your-password.html
  17. Hey, some actually do give sound advice!
  18. (no text on slide)
  19. (no text on slide)
  20. (no text on slide)
  21. (no text on slide)
  22. www.ssllabs.com
  23. Security questions are *hard* to do properly! www.lightbluetouchpaper.org/2010/03/04/evaluating-statistical-attacks-on-personal-knowledge-questions/
  24. Do NOT e-mail me my password! Or else…
  25. Hall of shame
  26. https://defuse.ca/password-policy-hall-of-shame.htm
  27. E-mail can be used for password resets…
  28. …but not everyone does it «correctly»
  29. Password meters are dangerous: http://securitynirvana.blogspot.com/2010/11/revisiting-password-meters.html
  30. No default passwords or backdoors, PLEASE! http://seclists.org/bugtraq/2012/Apr/185
  31. Front-end admin access? (ATM screenshot)
  32. Written password policies
  33. Password policies should be simple to understand
  34. …or passwords may end up here:
  35. Our past is paved with bad examples…
  36. …REALLY bad examples in fact.
  37. Encrypt – or password protect? AES-128 with PBKDF2/SHA-1
  38. Account lifecycle management:
     • Register
     • Maintain
     • Monitor
     • REMOVE old accounts
     • CAPTCHA
     • OOB authentication
     • Password transmission
       o Plaintextoffenders.com
       o Passwordfail.com
       o Blog posts on multicase etc., plus press coverage
  39. Now let me fix that password security for you… WITHOUT affecting UX AT ALL
  40. Recommendations: 3 blog posts and 1 academic paper:
     1. «Enough with the rainbow tables: what you need to know about secure password schemes» http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
     2. «Strong password hashing for ASP.NET» http://zetetic.net/blog/2012/3/29/strong-password-hashing-for-aspnet.html
     3. «Why you should use Bcrypt to hash stored passwords» http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/
     4. «The quest to replace passwords: a framework for comparative evaluation of web authentication schemes» http://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta-password--oakland.pdf
  41. Rate-limiting online bruteforce attacks
  42. …Still want a password meter at your site? http://tech.dropbox.com/?p=165 & https://github.com/lowe/zxcvbn
  43. And to break it all down at the end:
  44. Thank you! Per Thorsheim, securitynirvana.blogspot.com, @thorsheim