
Safe password storage: How Websites Get It Wrong


Webinar "15 Minutes w/Beeswax: Safe password storage: How Websites Get It Wrong," Thursday May 14, 2020

Published in: Engineering

  1. Safe Password Storage: How Websites Get It Wrong
  2. This Happened
     From: webmaster@jankymb.com
     To: Ron Rothman <ron@gmail.com>
     Subject: New Message at JankyMB!
     Dear rrothman,
     You have a new message waiting for you at jankymb.com!
     Login: rrothman
     Password: qwertymonkey
     Enjoy, The JankyMB Team
     http://www.jankymb.com/login
  3. Then, This Happened
     Per your recent online request your Sprint Local online password has been reset. Your login information is below. Please make note of this information for future reference.
     User ID: rothman_ron
     Password: qwertymonkey
  4. What's the Big Deal?
  5. ⚠ Email is inherently insecure.
  6. What's the Bigger Deal?
  7. ⚠ Email is inherently insecure.
     ⚠ Websites should never store your password.
  8. Storing Passwords, First Try
  9. Storing Passwords, First Try
     user name      password
     rrothman       qwertymonkey
     john_blossom   mysecret!
     alfredo83      PASSWORD123
     ...            ...
  10. "Information such as customers' account Personal Identification Numbers (PINs) may have been compromised."
  11. "Potentially affected information could include names, usernames, email addresses, passwords, and, if optionally provided to us, dates of birth, phone numbers, and mailing addresses."
  12. Let's Encrypt
  13. Let's Encrypt
      Upon sign-up: qwertymonkey --encrypt (🔑 key)--> 4450090E857E12E69FCF676E2C27AA3A
      Upon login:   4450090E857E12E69FCF676E2C27AA3A --decrypt (🔑 key)--> qwertymonkey
  14. Let's Encrypt
      Upon sign-up: qwertymonkey --encrypt (🔑 key)--> 4450090E857E12E69FCF676E2C27AA3A
  15. Let's Encrypt
      Upon login: 4450090E857E12E69FCF676E2C27AA3A --decrypt (🔑 key)--> qwertymonkey
  16. Storing Passwords, Second Try
      user name      password (encrypted)
      rrothman       4450090E857E12E69FCF676E2C27AA3A
      john_blossom   B254D6E1A0336E43A8EAF3523A8F716461
      alfredo83      7AECFBE630FC0501C11B4DE95D153B9842B1F77C9F0E047B285CFF398A0A6D44
      ...            ...
      🔑 key (one key decrypts every row)
  17. Let's Hash
  18. Let's Hash
      Upon sign-up: qwertymonkey --hash--> 4450090E857E12E69FCF676E2C27AA3A
      Upon login:   qwertymonkey --hash--> 4450090E857E12E69FCF676E2C27AA3A   match!
  19. Storing Passwords, Third Try
      user name      password (hashed)
      rrothman       2c200cbe66e5caab514e6ff28ccbfa885b497d1c
      john_blossom   e234dfe7d6b680130064ad79d89065c114ea9e8c
      alfredo83      23264aa6268488c2909ef81ead49e09e248d5d91
      ...            ...
  20. Storing Passwords, Third Try
      user name      password (hashed)
      rrothman       2c200cbe66e5caab514e6ff28ccbfa885b497d1c
      john_blossom   e234dfe7d6b680130064ad79d89065c114ea9e8c
      alfredo83      23264aa6268488c2909ef81ead49e09e248d5d91
      ...            ...
      supercool99    2c200cbe66e5caab514e6ff28ccbfa885b497d1c   <- same as rrothman: same password, same hash
  21. Let's Hash and Salt
      Upon sign-up: qwertymonkey + salt --hash--> 76E244090E857E12E7AA3A69FCF650C2
      Upon login:   qwertymonkey + salt --hash--> 76E244090E857E12E7AA3A69FCF650C2   match!
  22. Storing Passwords, Fourth Try
      user name      salt   password (hashed & salted)
      rrothman       d65f   e7bb657153bcfe9c04da81d07e2e0dce86b12925
      john_blossom   0798   aa422dc60e5aa9e7199b5934bed67f597253b845
      alfredo83      3b74   e8f3ba3e077869953b168ea5d67f5db87348a702
      ...            ...    ...
      supercool99    09fa   ccacc8b06be9779d5966af139f2c56a5bf53a076   <- same password as rrothman, but different salt, so different hash
  23. ⚠ Email is inherently insecure.
  24. ⚠ Email is inherently insecure.
      ⚠ Websites should never store your password.
  25. ⚠ Email is inherently insecure.
      ⚠ Websites should never store your password.
      ⚠ Websites should never, ever email your password.
  26. Thank You 🙏🏻 Ron Rothman ron@beeswax.com
  27. References
      1. Sprint customer accounts breached by hackers
      2. Evite e-invite website admits security breach
      3. Password Security: It's Not That Hard (But You Still Can't Get It Right)
  28. Mitigations
      ● Don't use a common password.
      ● Don't reuse passwords.
      ● Use 2FA.
      ● Use SSO where possible.
      ● Self-salt.
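The hash-and-salt progression of slides 17 to 22, worked through as an added example; this is not code from the talk or from Beeswax. The sample accounts reuse the slides' user names and passwords (constructed test data, with supercool99 sharing rrothman's password). The "third try" uses unsalted SHA-1, which is what the slides' 40-hex-character digests suggest; the "fourth try" hashes the password together with a random 16-byte salt per user. The slides do not name the salted hash function, so PBKDF2-HMAC-SHA256 from the standard library is an assumption here, chosen because it is salted and iterated. The duplicate_hashes check is the "same" arrow on slide 20 made mechanical.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional

# Constructed sample accounts, reusing the user names and passwords from the slides.
# supercool99 deliberately shares rrothman's password.
SAMPLE_USERS = {
    "rrothman": "qwertymonkey",
    "john_blossom": "mysecret!",
    "alfredo83": "PASSWORD123",
    "supercool99": "qwertymonkey",
}


def store_hashed(password: str) -> str:
    """Third try: unsalted SHA-1, as the 40-hex-character digests on slide 19 suggest.
    Equal passwords give equal digests, so the column reveals who shares a password
    and one precomputed table cracks every row. Do not use this in production."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> Dict[str, object]:
    """Fourth try: a fresh random salt per user, hashed together with the password.
    The hash function is an assumption (PBKDF2-HMAC-SHA256, stdlib), iterated so
    each guess costs real CPU. Salt and iteration count are stored beside the
    digest; neither is secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: Dict[str, object]) -> bool:
    """Login: recompute with the stored salt and iteration count, compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(record["iterations"]))
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def build_table(store: Callable[[str], object]) -> Dict[str, object]:
    """Build the 'user name -> stored value' table for one storage strategy."""
    return {user: store(pw) for user, pw in SAMPLE_USERS.items()}


def duplicate_hashes(table: Dict[str, str]) -> List[List[str]]:
    """Groups of users whose stored hash is identical (the 'same' arrow on slide 20)."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in table.items():
        by_hash.setdefault(digest, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    unsalted = build_table(store_hashed)
    print("third try (unsalted SHA-1):")
    for user, digest in unsalted.items():
        print(f"  {user:14} {digest}")
    print("  duplicates:", duplicate_hashes(unsalted))

    salted = build_table(store_salted)
    print("fourth try (salted, iterated hash):")
    for user, rec in salted.items():
        print(f"  {user:14} {rec['salt']}  {rec['hash']}")
    print("  duplicates:", duplicate_hashes({u: r["hash"] for u, r in salted.items()}))
    print("  rrothman login ok:", verify_salted("qwertymonkey", salted["rrothman"]))
    print("  wrong password:   ", verify_salted("qwertymonkeY", salted["rrothman"]))
```

The record returned by store_salted is the whole "salt + password (hashed & salted)" row of slide 22: the site keeps salt, iteration count and digest, never the password, and can still answer "does this login match?" by recomputing. The unsalted table shows the failure mode of slide 20 directly: rrothman and supercool99 land on one digest, so cracking it once logs in as both. With a random salt each row is independent and a precomputed table is useless.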
