2012: Passw3rd

  • Credentials are not passed around when source code is shared.
  • Unintentional exposure of source code does not reveal credentials.
  • Read-access to source code can be much more permissive.
  • Source code can be checked into version control systems without concern for exposure of credentials.
  • It is easier to change credentials without having to worry about changing all instances.
  • Leaving credentials in source code leads to poor password management in general. If changing a credential requires you to change code, you are less likely to want to do it.

  • What is the ISO PCI password rotation? Who here does it? How?
  • Pause before showing tux
  • 2012: Passw3rd

    1. Passw3rd. Neil Matatall, neil@matatall.com, @nilematotle. OWASP LA, November 30, 2011
    2. Remember…
    3. What is it?
       • Cross-platform, cross-language password management for applications
       • A tool that keeps passwords out of code and configuration files, but keeps them in encrypted files
         • Keys for development/test environments can be checked in to version control; production keys must be protected
    4. Nerd stuff
       • Uses openssl to generate an AES-256 key and IV (configurable)
       • The keys are stored in a location protected by OS access controls
       • The password files that are generated store an encrypted version of the password
       • Encryption is done using the CBC and CFB modes of operation
    5. Gotchas
       • EACH WEB APPLICATION MUST RUN AS A SEPARATE USER
         • But you already knew that
         • Why? Because one application can read any password file owned by the same user/group/etc.
       • Can't protect from in-memory access
         • Anyone can put a logger in and see the password…
    6. Give me the run down
       • Generate keys:
           passw3rd -g <path>
           generated keys in /Users/neil
         (creates .passw3rd-encryptionIV and .passw3rd-encryptionKey)
       • Create a password file:
           $ passw3rd -e file_name <-p path> <-k path>
           Enter the password:
           Wrote password to /Users/neil/file_name
       • Verify the password can be retrieved:
           $ passw3rd -d file_name <-p path> <-k path>
           The password is: asdf
       At the moment, there is only a ruby command line client. And I intend to keep it that way. It's just a pain to maintain.
    7. Business model
    8. Phase 1: Find Passwords
           development:
             adapter: mysql
             database: rails_development
             username: app_user
             password: my super secret password
    9. Phase 1: Collect Passwords
           development:
             adapter: mysql
             database: rails_development
             username: app_user
             password: <%=get_password('app')%>
    10. Phase 1: Ensure Safety
       • While you collect passwords, take note of accounts that do not have separate dev/prod accounts.
       • Passw3rd is useless if all of your passwords are the same in each environment.
    11. Phase 2: CHANGE ALL PASSWORDS!!!!
    12. Phase 3: Profit
       • Need a password rotation?
         • Fine, just create a new password file for the affected accounts
       • Need a new server?
         • Just make the keys part of your build script
       • Need to rotate your key?
         • Trivial, decrypt with the old, encrypt with the new
         • Use the key rotation script
       Wait, hold on a second, you can't change… oh yeah, that sounds like a good idea…
    13. Performance
           $ time ruby -e "require 'passw3rd'; X.times { Passw3rd::PasswordService.get_password('asdf') }"
       • X = 100: 0.281s
       • X = 1,000: 0.359s
       • X = 10,000: 1.081s
       • X = 100,000: 8.372s
       • X = 1,000,000: 1m21.007s
       This is without optimization; the file is opened and read during each iteration.
    14. Passw3rd Current Support: the ruby library supports URIs, java not so much
    15. Passw3rd Future Support
       • Python
       • .NET
       • PHP
       • <your language here>
       • Passw3rd is an official OWASP project, so there is an entire community behind it: https://www.owasp.org/index.php/OWASP_Passw3rd_Project#tab=Project_About
    16. Roadmap
       • Key rotation script
       • Cipher changing script
       • URI support
         • Client cert support coming
       • Audit logging
       • Clone password sets
       • Multi-key support???
       • Portable passw3rd profiles (one file per app)???
       • Load encrypted password files in memory for rapid sequential decryption???
       Be my guest: https://github.com/oreoshake/passw3rd/issues
    17. Go collect some underwear! http://www.itd.umich.edu/posters/
    18. neil@matatall.com - @nilematotle. Questions? https://github.com/oreoshake/passw3rd https://github.com/oreoshake/passw3rd_java
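To make the "Nerd stuff", "Gotchas" and database.yml slides concrete, here is an added Ruby example (mine, not code from the passw3rd library) of the same scheme: an AES-256-CBC key and IV kept in owner-only files, one encrypted file per password, and a get_password that fails closed when the key file is readable by group or other. Module and method names are assumptions; the file names follow the slides.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed illustration of the passw3rd scheme: AES-256-CBC key and IV in files
# protected by OS permissions, one encrypted file per password. Names are assumed.
module MiniPassw3rd
  KEY_FILE = '.passw3rd-encryptionKey'
  IV_FILE  = '.passw3rd-encryptionIV'
  CIPHER   = 'aes-256-cbc'

  # Generate a random key and IV and write them owner-only (mode 0600).
  def self.generate_keys(key_dir)
    cipher = OpenSSL::Cipher.new(CIPHER)
    write_private(File.join(key_dir, KEY_FILE), cipher.random_key)
    write_private(File.join(key_dir, IV_FILE), cipher.random_iv)
  end

  # Encrypt a password and store it hex-encoded in its own password file.
  def self.write_password(name, password, key_dir:, pw_dir:)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key, cipher.iv = load_keys(key_dir)
    ciphertext = cipher.update(password) + cipher.final
    write_private(File.join(pw_dir, name), ciphertext.unpack1('H*'))
  end

  # Decrypt a password file: the role get_password('app') plays in database.yml.
  def self.get_password(name, key_dir:, pw_dir:)
    refuse_if_shared(File.join(key_dir, KEY_FILE))
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key, cipher.iv = load_keys(key_dir)
    ciphertext = [File.read(File.join(pw_dir, name))].pack('H*')
    cipher.update(ciphertext) + cipher.final
  end

  def self.load_keys(key_dir)
    [File.binread(File.join(key_dir, KEY_FILE)), File.binread(File.join(key_dir, IV_FILE))]
  end

  def self.write_private(path, data)
    File.open(path, 'wb', 0600) { |f| f.write(data) }
  end

  # The "Gotchas" point: if group/other can read the key file, any other process
  # running as that user or group could already recover every password, so fail closed.
  def self.refuse_if_shared(path)
    mode = File.stat(path).mode & 0o077
    raise "#{path} is group/world readable (mode #{format('%o', mode)})" unless mode.zero?
  end
end
```

The permission check is my addition to illustrate the separate-user rule; the slides do not say the tool itself performs it.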