SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim Manico

1. JIM MANICO Secure Coding Instructor www.manicode.com Secure Password Policy and Storage

2. COPYRIGHT ©2019 MANICODE SECURITY A little background dirt… jim@manicode.com @manicode  Former OWASP Global Board Member  Project manager of the OWASP Cheat Sheet Series and several other OWASP projects  20+ years of software development experience  Author of "Iron-Clad Java, Building Secure Web Applications” from McGraw-Hill/Oracle-Press  Kauai, Hawaii Resident 2

3. COPYRIGHT ©2019 MANICODE SECURITY 3 WARNING: Please do not attempt to hack any computer system without legal permission to do so. Unauthorized computer hacking is illegal and can be punishable by a range of penalties including loss of job, monetary fines and possible imprisonment. ALSO: The Free and Open Source Software presented in these materials are examples of good secure development tools and techniques. You may have unknown legal, licensing or technical issues when making use of Free and Open Source Software. You should consult your company's policy on the use of Free and Open Source Software before making use of any software referenced in this material.

7. COPYRIGHT ©2019 MANICODE SECURITY Do Not Limit the Password Strength  Limiting passwords to protect against injection is doomed to failure  Use query parameterization and other defenses instead  Be sure to at least limit password size. Very long passwords can cause DoS 7

8. COPYRIGHT ©2019 MANICODE SECURITY Use a Modern Password Policy Scheme  Consider the password policy suggestions from NIST  Do not depend on passwords as a sole credential. It's past time to move to MFA.  Encourage and train your users to use a password manager. 8

9. COPYRIGHT ©2019 MANICODE SECURITY Credential Stuffing Safeguards 9 Stuffing Live Defense  Block use of known username/password pairs from past breaches  Implement Multi Factor Authentication (see below)  Consider avoiding email addresses for username  Bot Detection 3rd Party Password Breach Response  Scan for use of known username/password pairs from new breach against entire existing userbase  Immediately invalidate user of existing username/password pairs  Force password reset on effected users

10. COPYRIGHT ©2019 MANICODE SECURITY Special Publication SP800-63-B: Digital AuthN Guidelines Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible. 10 At least 8 characters and allow up to 64 (16+ Better) Throttle or otherwise manage brute force attempts Don’t force unnatural password special character rules Don’t use password security questions or hints No more mandatory password expiration for the sake of it Allow all printable ASCII characters including spaces, and should accept all UNICODE characters, too… including emoji. Do not limit the characters of passwords Check against a list of common passwords Block context-specific passwords like the username or service name Check against a list breached username/password pairs

11. COPYRIGHT ©2019 MANICODE SECURITY Password Management Summary Core Password Policy Rules (NIST 800-63 inspired) • Do not limit the characters or length of user password • Use a modern password policy scheme • Enforce password length of at least 8 characters and allow up to 64 or more (16+ better) • Check against a list of common passwords (new!) • Check against a list of breached and exposed username/password pairs (credential stuffing) (new!) • Do not enforce special character type rules on passwords (new!) • Do not force mandatory expiration unless there is a good reason (new!) • Throttle or otherwise manage brute force attempts Additional Considerations (Dr De Ryck Suggestions) • Include a password strength meter • Ensure your password system is compatibility with password managers • Offer an option to show the password while typing for mobile devices 11

12. COPYRIGHT ©2019 MANICODE SECURITY Credential Strength / Password Policy  Users will make as simple passwords as you allow them to  Users will use the same password on multiple websites  Implement server-side enforcement of password syntax and strength – Minimum length – Numbers/Symbols/Uppercase/Lowercase – Ban commonly used passwords – Ban passwords with dictionary words – Ban commonly used password topologies https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies – Force multiple users to use different password topologies – Require a minimum topology change between old and new passwords  Also consider JavaScript password meters Reference: "Your password complexity requirements are worthless” https://www.youtube.com/watch?v=zUM7i8fsf0g 12

14. COPYRIGHT ©2019 MANICODE SECURITY Twitter Password Ban-List: August 2014 14 8675309 987654 nnnnnn nop123 nop123 nopqrs noteglh npprff npprff14 npgvba nyoreg nyoregb nyrkvf nyrwnaqen nyrwnaqeb nznaqn nzngrhe nzrevpn naqern naqerj natryn natryf navzny nagubal ncbyyb nccyrf nefrany neguhe nfqstu nfqstu nfuyrl nffubyr nhthfg nhfgva onqobl onvyrl onanan onearl onfronyy ongzna orngevm ornire ornivf ovtpbpx ovtqnqql ovtqvpx ovtqbt ovtgvgf oveqvr ovgpurf ovgrzr oynmre oybaqr oybaqrf oybjwbo oybjzr obaq007 obavgn obaavr obbobb obbtre obbzre obfgba oenaqba oenaql oenirf oenmvy oebapb oebapbf ohyyqbt ohfgre ohggre ohggurnq pnyiva pnzneb pnzreba pnanqn pncgnva pneybf pnegre pnfcre puneyrf puneyvr purrfr puryfrn purfgre puvpntb puvpxra pbpnpbyn pbssrr pbyyrtr pbzcnd pbzchgre pbafhzre pbbxvr pbbcre pbeirggr pbjobl pbjoblf pelfgny phzzvat phzfubg qnxbgn qnyynf qnavry qnavryyr qroovr qraavf qvnoyb qvnzbaq qbpgbe qbttvr qbycuva qbycuvaf qbanyq qentba qernzf qevire rntyr1 rntyrf rqjneq rvafgrva rebgvp rfgeryyn rkgerzr snypba sraqre sreenev sveroveq svfuvat sybevqn sybjre sylref sbbgonyy sberire serqql serrqbz shpxrq shpxre shpxvat shpxzr shpxlbh tnaqnys tngrjnl tngbef trzvav trbetr tvnagf tvatre tvmzbqb tbyqra tbysre tbeqba tertbel thvgne thaare unzzre unaanu uneqpber uneyrl urngure uryczr uragnv ubpxrl ubbgref ubearl ubgqbt uhagre uhagvat vprzna vybirlbh vagrearg vjnagh wnpxvr wnpxfba wnthne wnfzvar wnfcre wraavsre wrerzl wrffvpn wbuaal wbuafba wbeqna wbfrcu wbfuhn whavbe whfgva xvyyre xavtug ynqvrf ynxref ynhera yrngure yrtraq yrgzrva yrgzrva yvggyr ybaqba ybiref znqqbt znqvfba znttvr zntahz znevar znevcbfn zneyobeb znegva zneiva znfgre zngevk znggurj znirevpx znkjryy zryvffn zrzore zreprqrf zreyva zvpunry zvpuryyr zvpxrl zvqavtug zvyyre zvfgerff zbavpn zbaxrl zbaxrl zbafgre zbetna zbgure zbhagnva zhssva zhecul zhfgnat anxrq anfpne anguna anhtugl app1701 arjlbex avpubynf avpbyr avccyr avccyrf byvire benatr cnpxref cnagure cnagvrf cnexre cnffjbeq cnffjbeq cnffjbeq1 cnffjbeq12 cnffjbeq123 cngevpx crnpurf crnahg crccre cunagbz cubravk cynlre cyrnfr cbbxvr cbefpur cevapr cevaprff cevingr checyr chffvrf dnmjfk djregl djreglhv enoovg enpury enpvat envqref envaobj enatre enatref erorppn erqfxvaf erqfbk erqjvatf evpuneq eboreg eboregb ebpxrg ebfrohq ehaare ehfu2112 ehffvn fnznagun fnzzl fnzfba fnaqen fnghea fpbbol fpbbgre fpbecvb fpbecvba fronfgvna frperg frkfrk funqbj funaaba funirq fvreen fvyire fxvccl fynlre fzbxrl

16. COPYRIGHT ©2019 MANICODE SECURITY "Researchers asked 43 freelance developers to code the user registration for a web app and assessed how they implemented password storage. 26 devs initially chose to leave passwords as plaintext." https://net.cs.uni- bonn.de/fileadmin/user_upload/naiakshi/Nai akshina_Password_Study.pdf 16

17. COPYRIGHT ©2019 MANICODE SECURITY Why and When does Password Storage Matter? When considering password storage strategies please note we are most concerned about offline attacks. Password Storage matters most after your website is breached and attackers have a copy of your stored password data to analyze offline. Attackers can achieve supercomputing capability to discover your password. Using cloud services, computers with many GPU's or custom hardware, attackers can attempt trillions of attempts per second to discover (or "crack") stolen password data.

19. COPYRIGHT ©2019 MANICODE SECURITY Password Storage Defense Overview 19 Offline Attacks Online Attacks  Avoid Hashing or Encryption by itself for password storage  Use proper password hashing  Use random and unique per-user salts – Less effective against targeted attacks, but use them anyhow  Strict Password Policy  Ban top X commonly used passwords  Ban top X commonly used passwords  Rate limiting  Multi-factor authentication  Behavior Analysis – Trojan Combat  Anti-Phishing – Early detection and takedown  Good Network Security Reference: http://www.openwall.com/presentations

20. COPYRIGHT ©2019 MANICODE SECURITY Cha-Ching! Estimated cost of hardware to crack password in 1 year 20 KDF 6 letters 8 letters 8 chars 10 chars 40-char text 80-char text DES CRYPT <$1 <$1 <$1 <$1 <$1 <$1 MD5 <$1 <$1 <$1 $1.1k $1 $1.5T MD5 CRYPT <$1 <$1 $130 $1.1M $1.4k $1.5 x 1015 PBKDF2 (100ms) <$1 <$1 $18k $160M $200k $2.2 x 1017 Bcrypt (95 ms) <$1 $4 $130k $1.2B $1.5M $48B Scrypt (64 ms) <$1 $150 $4.8M $43B $52M $6 x 1019 PBKDF2 (5.0 s) <$1 $29 $920k $8.3B $10M $11 x 1018 Bcrypt (3.0 s) <$1 $130 $4.3M $39B $47M $1.5T Scrypt (3.8 s) $900 $610k $19B $175T $210B $2.3 x 1023 Research by Colin Percival, https://www.tarsnap.com/scrypt/scrypt.pdf, STRONGER KEY DERIVATION VIA SEQUENTIAL MEMORY-HARD FUNCTIONS

24. COPYRIGHT ©2019 MANICODE SECURITY Password Storage Best Practices Overview 24 Store passwords as an HMAC + good key management as an extra step 3 Use ARGON2i, bcrypt, scrypt on the hash 2 Hash the salted password using SHA2-512 or another strong hash 1

25. COPYRIGHT ©2019 MANICODE SECURITY 25 Hash the Password With a Strong Hash  If you ONLY hash a password it will be discovered in a very short amount of time, especially for short passwords. This is just one of several steps. – Long passwords can cause DOS – bcrypt truncates long passwords to 72 bytes, reducing the strength of passwords  By applying the very fast algorithm SHA2-512 we can quickly reduce long passwords to 512 bits, solving both problems  https://blogs.dropbox.com/tech/2016/09/how- dropbox-securely-stores-your-passwords/ 1

26. COPYRIGHT ©2019 MANICODE SECURITY 26 Leverage an Password Hasher  bcrypt includes a work factor or time cost which defines the execution time  scrypt includes a time cost as well as a memory cost, which defines the memory usage  Argon2i includes a time cost, a memory cost and a parallelism degree, which defines the number of threads  Make the work factor and memory cost as strong as you can tolerate and increase it over time! Imposes difficult verification on the attacker and defender! 2

27. Is hash cracking really that fast? MD5 SHA1 BCRYPT(13) Hashespersecond 200,000 million 68 million 390 @PhilippeDeRyckDR. PHILIPPE DE RYCK

28. Java bcrypt iterationCount: at least 13 ** Change Password at Iteration Count Change Time @PhilippeDeRyckDR. PHILIPPE DE RYCK

29. COPYRIGHT ©2019 MANICODE SECURITY 29 bcrypt in PHP bcrypt in .NET  string password_hash ( string $password , integer $algo [, array $options ] )  Uses the bcrypt algorithm (default as of PHP 5.5.0)  https://github.com/BcryptNet/bcrypt.net

30. COPYRIGHT ©2019 MANICODE SECURITY GPU Attacks on Modern Password KDF's 30 PBKDF2-HMAC-SHA-1 PBKDF2-HMAC-SHA-256 PBKDF2-HMAC-SHA-512 bcrypt scrypt STRONGER Reference: Openwall and http://www.openwall.com/presentations/

31. COPYRIGHT ©2019 MANICODE SECURITY ASIC/FPGA Attacks on Modern Password Hashes 31 PBKDF2-HMAC-SHA-1 PBKDF2-HMAC-SHA-256 PBKDF2-HMAC-SHA-512 scrypt below 16 MB bcrypt (uses 4 KB) scrypt at 16 MB scrypt above 32 MB STRONGER Reference: Openwall and http://www.openwall.com/presentations/

32. COPYRIGHT ©2019 MANICODE SECURITY 32 Leverage Keyed Protection Solution  AES or HMAC-SHA-256([key], [salt] + [credential])  Protect this key as any private key using best practices  Store the key outside the credential store  Isolate this process outside of your application layer Imposes difficult verification on the attacker only! 3

34. COPYRIGHT ©2019 MANICODE SECURITY HMAC’s in Action for YubiHSM  KEY for HMAC stored in local key database only, not retrievable  Key handle is the HSM ID  Data is password or KDF of Password  HMAC @ Final is final computed password hash 34 HMAC-SHA1 Key Handle Reset/F inal Data Key Data Base HMAC @ Final YubiHSM Diagram © Yubico, reproduced under the fair use doctrine.

36. COPYRIGHT ©2019 MANICODE SECURITY Basic Password Storage Workflow (with hashing, bcrypt and AES) Imposes difficult verification on the attacker and defender! Also adds a keyed round! 36 pwHash = SHA-512(password); adaptiveHash = bcrypt(512 bit pwHash, 13) FinalCiphertext = AES-GCM(adaptiveHash, secretKey)

37. COPYRIGHT ©2019 MANICODE SECURITY Basic Password Verification Workflow (with hashing, bcrypt and AES) 37 submittedPWHash = SHA-512 (submittedPassword); T/F = bcrypt_compare(submittedPWHash, adaptiveHashDatabase) adaptiveHashDatabase = Decrypt AES-GCM(CiphertextDatabase, key)

38. Password Storage Summary • Passwords are an attractive target in data breaches Insecure backups or SQL injection vulnerabilities are the tip of the iceberg Prepare for the worst. Implement a secure password storage mechanism • Legacy password storage mechanisms cannot withstand modern attacks Encryption can be broken by stealing the encryption key Hashing can be broken by lookup tables or brute force attacks • The proper way to store passwords is using a password- hashing function like bcrypt, scrypt or Argon2 The variable cost factor makes the algorithm too expensive to brute force • Legacy systems should be upgraded ASAP to a more secure storage mechanism @PhilippeDeRyckDR. PHILIPPE DE RYCK

39. COPYRIGHT ©2019 MANICODE SECURITY Additional Topics • How to upgrade legacy systems • Storage of security questions, multi-factor information and other authentication verificatation information • What to do in case of a breach • Authentication mechanisms that do not require passwords or password storage • Performance and scale considerations 39

41. COPYRIGHT ©2019 MANICODE SECURITY Do Not Hardcode Passwords or Keys! 41 if ("DoTheStankyLeg1".equals(password)) { //why the heck why not? admin=true; } static final String DB_URL = "jdbc:mysql://192.168.1.45/"; static final String USER = "root"; static final String PASS = "BringBackJarJar99!";  Hard Coded Passwords may expose elevated access to critical systems to individuals who have product detail visibility  Hard Coded Passwords may lead to back doors that can weaken the system Please store critical passwords in a application secrets vault!

43. JIM MANICO Secure Coding Instructor www.manicode.com It’s been a pleasure. jim@manicode.com