SlideShare a Scribd company logo

Passwords good badugly181212-2

Iftach Ian Amit
Iftach Ian Amit
Technology
1 of 22
Download to read offline
Passwords The Good, The Bad and The Ugly or How To Secure Your Passwords Adir Abraham adir@computer.org
What is a password? ● Secret characters used for authentication or access approval ● May be machine generated, allocated by the provider of the service or user-generated.
Problems with storing passwords ● Many users – lots of troubles ● Simple passwords (used by majority) ● Data is physically accessible ● Data is virtually accessible
Storing passwords in a server ● Simple authentication method – checking if both user and password are correct by saving user-password list in the database ● Many times, these user-password lists are saved as plain text in big companies.
Some Success Stories ● Sony 77M users’ database (including passwords, e-mails, home addresses and date of birth) was fully accessible as plain text
Some Success Stories ● 0xOmar was a KSA hacker who published credit card numbers of tens thousands of Israelis ● These numbers were (illegally) stored in many Israeli websites. They were fully matched as plain text with their users, and passwords.
Danger for both the users and the companies ● Many users use the same (simple or complicated) password in many sites. ● Which means that if one site is hacked, you have to change your password in many other sites as well. ● What about secret questions and answers? ● What if the website owner doesn’t even know that his site was hacked?
The Solution: encrypt your passwords ● We need to find a way to be able to authenticate the real password of a specific user, without storing the password as plain text. ● If you hack my site or attempt to hack, you will not be able to get my users (and passwords) list.
First Step: Hash Functions ● Hash function is a function that maps large data sets called keys, to smaller data sets of fixed length. ● Since the data set is smaller, the image is smaller, hence collisions (i.e. Two different keys which get the same value) may occur. ● Hash functions uses one-way-function, which is a function that is “easy” to compute on every input, but “hard” to invert given the image (data) of a random input.
Cryptographic Hash Function ● Since naive mapping can be done quite easily, we will want a cryptographic hash function which will manipulate the value s.t. any change will make a change in the hash value itself. ● The hash result is based on a one-way-function, hence it is “hard” to guess what the source is. ● Examples for such functions are MD5, SHA-1, SHA-2 and SHA-3 which was recently declared.
Cryptographic Hash Function ● Example (notice the changes in a single character)
But Hash Functions Are Not Enough ● Hash Functions will make a hard time for the cracker, but today using enough (distributed) power, you can easily hack 8-characters password, which is considered quite strong. ● Since guessing might take a long time, crackers use lists which already have a string and its hash result, for low amount of characters. ● Crackers also use rainbow tables which include pre- computed tables. In this list, we will check for the closest value in a series of reductions until we find a match.
Second Step: Use SALT ● SALT is a static, (very) long string which is chosen by the admin. ● It is concatenated to each password before using the hash function. ● It is a secret. Only the admin should know it. The user only has to remember his password. Suppose the user’s password is 8 characters long and the SALT is 100 characters long – this makes a 108 characters “password”, while 100 of them are not known to anyone else (including the user). ● This way, it makes using the methods described in the first step to hack the system, impractical.
Bonus Step: Use Double Salt ● Once someone knows the SALT of your system, it becomes an easier mission (using similar methods mentioned at the first step) to get your users and passwords list. ● If your systems are very sensitive and you can Trust No One, you can use Double Salt. ● Double Salt uses an extra Salt, a dynamic one. Each user ID gets its own 2nd (dynamic) Salt, making it even harder to guess since you have to guess the right Salt for the right user. ● In addition to that, splitting the hashing process to another server (where it will be computer), may also help, since another server has to be cracked in order to get the rest of the list (suppose the passwords list are in one server and users list is in another server)
Bonus Step: Use Key Stretching ● When someone tries to hack our system, it can take a lot of resources from our server, adding extra computational operations leading to Denial of Service. ● Regular cryptographic hash functions allow the attacker to get the results quickly, hence result in Denial of Service. ● Suppose we can “slow down” the hashing operation, now, the attacker will have to wait for years until he gets the results.
Bonus Step: Use Key Stretching ● Using bcrypt which is based on BLOWFISH, allows us to add a “slow down” timer. Suppose each guess of user takes at least 3 seconds, guessing 1000 times one user will take him 3000 seconds (for each user). For example, in PHP: ● $hashed_input = crypt( $input, '$2a$10$'.$system_salt ); ● $2a to choose bcrypt, $10 is 2^10 ● This way we cause delaying and keep our system safe. ● If we delay it too much, we may damage the user experience, cause a Denial of Service of our own system.
Which Cryptographic Hash Function to Use? ● The most popular hash functions nowadays are MD5, SHA-1, SHA-2, Whirlpool, bcrypt, scrypt and PBKDF2. ● The rule is to use the function which makes the most difficulties to the attacker. Today, MD5 and SHA-1 have weaknesses which make them exploitable, while SHA-2 and Whirlpool are considered safe, according to the National Institute of Standards and Technology (NIST) ● PBKDF2, bcrypt, and scrypt all use large random "salt" values to make sure that each user's password is hashed uniquely. Attacking 100 password hashes will take 100 times longer than attacking one hash. Attacking a million will take a million times longer, etc. With SHA-2, the attacker can try to crack thousands or millions of hashes at the same time with very little slow down.
Simple HOWTOs ● Hashing the passwords is easily done using one SQL query. For example: ● Mysql: UPDATE users SET password = SHA2(CONCAT('myRandomS4lt', password, user_id), 512); ● Microsoft SQL SERVER: UPDATE users SET password = HASHBYTES('SHA2_256', CONCAT('myRandomS4lt', password, user_id)); ● In this example we use a static SALT (user_id) and a dynamic one (“myRandomS4lt) for each user.
Simple HOWTOs ● Bcrypt and scrupt are not supported by SQL, hence we will have to do some conversion, using PHP, for example: // Get users details from DB $results = $con->query("SELECT user_id, password FROM users"); $users = $results->fetch_all(MYSQLI_ASSOC); // Set the hashed password for every user foreach ($users as $user) { $plain_pass = $user['password']; // Hash the password using the static salt // and the user ID as dynamic salt $hashed_pass = crypt( $plain_pass, '$2a$10$' ...
In Short ● Don’t use Plain Text passwords (including in papers) ● Use cryptographic hash functions which are considered safe (SHA-2 family, Whirlpool) and don’t use cryptographic hash functions which are considered weak (SHA-1, MD5) ● Use SALT and/or Double SALT ● Consider using key stretching to slow down the hashing operation, giving an attacker a hard time while trying to crack your system.
Use The Guide ● The lecture slides are based on the passwords security guide of the Israeli Internet Society (ISOC-IL), available for both developers and managers here: http://www.isoc.org.il/techinfo/ref_pas_guide.html ● In that guide you get a more detailed explanation, including more code examples and references to more useful sites. ● Feel free to share that guide (and these lecture slides), based on CC BY 2.5 ● Enjoy protecting your environment :-)
Questions?

Recommended

Data Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityData Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network Identity
Antiy Labs
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!
Martin Vigo
 
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
async_io
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
cgvwzq
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks
Felipe Prado
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rds
Will Alexander
 
Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012
DefCamp
 
Esperwhispering
EsperwhisperingEsperwhispering
Esperwhispering
Theo Schlossnagle
 

Recommended

Data Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityData Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network Identity
Antiy Labs
 
Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!Even the LastPass Will be Stolen Deal with It!
Even the LastPass Will be Stolen Deal with It!
Martin Vigo
 
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
async_io
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
cgvwzq
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks
Felipe Prado
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rds
Will Alexander
 
Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012
DefCamp
 
Esperwhispering
EsperwhisperingEsperwhispering
Esperwhispering
Theo Schlossnagle
 
User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done right
tladesignz
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
Charles Southerland
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
Enrico Zimuel
 
Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and cracking
Nipun Joshi
 
A Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing AlgorithmsA Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing Algorithms
IRJET Journal
 
An Introduction to Hashing and Salting
An Introduction to Hashing and SaltingAn Introduction to Hashing and Salting
An Introduction to Hashing and Salting
Rahul Singh
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
ssuser020436
 
DSSH: Innovation in SSH
DSSH: Innovation in SSHDSSH: Innovation in SSH
DSSH: Innovation in SSH
Juraj Bednar
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
Royce Davis
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET Journal
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
أحلام انصارى
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
Niranjanaa Ragupathy
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
UC San Diego
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis
 
Open source security
Open source securityOpen source security
Open source security
lrigknat
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
Tony Amoyal
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
Great Wide Open
 
Cyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLVCyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLV
Iftach Ian Amit
 
Devsecops at Cimpress
Devsecops at CimpressDevsecops at Cimpress
Devsecops at Cimpress
Iftach Ian Amit
 

More Related Content

Similar to Passwords good badugly181212-2

Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and cracking
Nipun Joshi
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
ssuser020436
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
fangjiafu
 
Open source security
Open source securityOpen source security
Open source security
lrigknat
 

Similar to Passwords good badugly181212-2 (20)

User Credential handling in Web Applications done right
User Credential handling in Web Applications done rightUser Credential handling in Web Applications done right
User Credential handling in Web Applications done right
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and cracking
 
A Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing AlgorithmsA Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing Algorithms
 
An Introduction to Hashing and Salting
An Introduction to Hashing and SaltingAn Introduction to Hashing and Salting
An Introduction to Hashing and Salting
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
 
DSSH: Innovation in SSH
DSSH: Innovation in SSHDSSH: Innovation in SSH
DSSH: Innovation in SSH
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJS
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
Open source security
Open source securityOpen source security
Open source security
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
Using Cryptography Properly in Applications
Using Cryptography Properly in ApplicationsUsing Cryptography Properly in Applications
Using Cryptography Properly in Applications
 

More from Iftach Ian Amit

"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?
Iftach Ian Amit
 
Seeing Red In Your Future?
Seeing Red In Your Future?Seeing Red In Your Future?
Seeing Red In Your Future?
Iftach Ian Amit
 
Cheating in Computer Games
Cheating in Computer GamesCheating in Computer Games
Cheating in Computer Games
Iftach Ian Amit
 
Telecommunication basics dc9723
Telecommunication basics dc9723Telecommunication basics dc9723
Telecommunication basics dc9723
Iftach Ian Amit
 

More from Iftach Ian Amit (20)

Cyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLVCyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLV
 
Devsecops at Cimpress
Devsecops at CimpressDevsecops at Cimpress
Devsecops at Cimpress
 
BSidesTLV Closing Keynote
BSidesTLV Closing KeynoteBSidesTLV Closing Keynote
BSidesTLV Closing Keynote
 
Social Media Risk Metrics
Social Media Risk MetricsSocial Media Risk Metrics
Social Media Risk Metrics
 
ISTS12 Keynote
ISTS12 KeynoteISTS12 Keynote
ISTS12 Keynote
 
From your Pocket to your Heart and Back
From your Pocket to your Heart and BackFrom your Pocket to your Heart and Back
From your Pocket to your Heart and Back
 
Painting a Company Red and Blue
Painting a Company Red and BluePainting a Company Red and Blue
Painting a Company Red and Blue
 
"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?
 
Armorizing applications
Armorizing applicationsArmorizing applications
Armorizing applications
 
Seeing Red In Your Future?
Seeing Red In Your Future?Seeing Red In Your Future?
Seeing Red In Your Future?
 
Hacking cyber-iamit
Hacking cyber-iamitHacking cyber-iamit
Hacking cyber-iamit
 
Bitcoin
BitcoinBitcoin
Bitcoin
 
Sexy defense
Sexy defenseSexy defense
Sexy defense
 
Cyber state
Cyber stateCyber state
Cyber state
 
Advanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done itAdvanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done it
 
Infecting Python Bytecode
Infecting Python BytecodeInfecting Python Bytecode
Infecting Python Bytecode
 
Exploiting Second life
Exploiting Second lifeExploiting Second life
Exploiting Second life
 
Dtmf phreaking
Dtmf phreakingDtmf phreaking
Dtmf phreaking
 
Cheating in Computer Games
Cheating in Computer GamesCheating in Computer Games
Cheating in Computer Games
 
Telecommunication basics dc9723
Telecommunication basics dc9723Telecommunication basics dc9723
Telecommunication basics dc9723
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Passwords good badugly181212-2

  • 1. Passwords The Good, The Bad and The Ugly or How To Secure Your Passwords Adir Abraham adir@computer.org
  • 2. What is a password? ● Secret characters used for authentication or access approval ● May be machine generated, allocated by the provider of the service or user-generated.
  • 3. Problems with storing passwords ● Many users – lots of troubles ● Simple passwords (used by majority) ● Data is physically accessible ● Data is virtually accessible
  • 4. Storing passwords in a server ● Simple authentication method – checking if both user and password are correct by saving user-password list in the database ● Many times, these user-password lists are saved as plain text in big companies.
  • 5. Some Success Stories ● Sony 77M users’ database (including passwords, e-mails, home addresses and date of birth) was fully accessible as plain text
  • 6. Some Success Stories ● 0xOmar was a KSA hacker who published credit card numbers of tens thousands of Israelis ● These numbers were (illegally) stored in many Israeli websites. They were fully matched as plain text with their users, and passwords.
  • 7. Danger for both the users and the companies ● Many users use the same (simple or complicated) password in many sites. ● Which means that if one site is hacked, you have to change your password in many other sites as well. ● What about secret questions and answers? ● What if the website owner doesn’t even know that his site was hacked?
  • 8. The Solution: encrypt your passwords ● We need to find a way to be able to authenticate the real password of a specific user, without storing the password as plain text. ● If you hack my site or attempt to hack, you will not be able to get my users (and passwords) list.
  • 9. First Step: Hash Functions ● Hash function is a function that maps large data sets called keys, to smaller data sets of fixed length. ● Since the data set is smaller, the image is smaller, hence collisions (i.e. Two different keys which get the same value) may occur. ● Hash functions uses one-way-function, which is a function that is “easy” to compute on every input, but “hard” to invert given the image (data) of a random input.
  • 10. Cryptographic Hash Function ● Since naive mapping can be done quite easily, we will want a cryptographic hash function which will manipulate the value s.t. any change will make a change in the hash value itself. ● The hash result is based on a one-way-function, hence it is “hard” to guess what the source is. ● Examples for such functions are MD5, SHA-1, SHA-2 and SHA-3 which was recently declared.
  • 11. Cryptographic Hash Function ● Example (notice the changes in a single character)
  • 12. But Hash Functions Are Not Enough ● Hash Functions will make a hard time for the cracker, but today using enough (distributed) power, you can easily hack 8-characters password, which is considered quite strong. ● Since guessing might take a long time, crackers use lists which already have a string and its hash result, for low amount of characters. ● Crackers also use rainbow tables which include pre- computed tables. In this list, we will check for the closest value in a series of reductions until we find a match.
  • 13. Second Step: Use SALT ● SALT is a static, (very) long string which is chosen by the admin. ● It is concatenated to each password before using the hash function. ● It is a secret. Only the admin should know it. The user only has to remember his password. Suppose the user’s password is 8 characters long and the SALT is 100 characters long – this makes a 108 characters “password”, while 100 of them are not known to anyone else (including the user). ● This way, it makes using the methods described in the first step to hack the system, impractical.
  • 14. Bonus Step: Use Double Salt ● Once someone knows the SALT of your system, it becomes an easier mission (using similar methods mentioned at the first step) to get your users and passwords list. ● If your systems are very sensitive and you can Trust No One, you can use Double Salt. ● Double Salt uses an extra Salt, a dynamic one. Each user ID gets its own 2nd (dynamic) Salt, making it even harder to guess since you have to guess the right Salt for the right user. ● In addition to that, splitting the hashing process to another server (where it will be computer), may also help, since another server has to be cracked in order to get the rest of the list (suppose the passwords list are in one server and users list is in another server)
  • 15. Bonus Step: Use Key Stretching ● When someone tries to hack our system, it can take a lot of resources from our server, adding extra computational operations leading to Denial of Service. ● Regular cryptographic hash functions allow the attacker to get the results quickly, hence result in Denial of Service. ● Suppose we can “slow down” the hashing operation, now, the attacker will have to wait for years until he gets the results.
  • 16. Bonus Step: Use Key Stretching ● Using bcrypt which is based on BLOWFISH, allows us to add a “slow down” timer. Suppose each guess of user takes at least 3 seconds, guessing 1000 times one user will take him 3000 seconds (for each user). For example, in PHP: ● $hashed_input = crypt( $input, '$2a$10$'.$system_salt ); ● $2a to choose bcrypt, $10 is 2^10 ● This way we cause delaying and keep our system safe. ● If we delay it too much, we may damage the user experience, cause a Denial of Service of our own system.
  • 17. Which Cryptographic Hash Function to Use? ● The most popular hash functions nowadays are MD5, SHA-1, SHA-2, Whirlpool, bcrypt, scrypt and PBKDF2. ● The rule is to use the function which makes the most difficulties to the attacker. Today, MD5 and SHA-1 have weaknesses which make them exploitable, while SHA-2 and Whirlpool are considered safe, according to the National Institute of Standards and Technology (NIST) ● PBKDF2, bcrypt, and scrypt all use large random "salt" values to make sure that each user's password is hashed uniquely. Attacking 100 password hashes will take 100 times longer than attacking one hash. Attacking a million will take a million times longer, etc. With SHA-2, the attacker can try to crack thousands or millions of hashes at the same time with very little slow down.
  • 18. Simple HOWTOs ● Hashing the passwords is easily done using one SQL query. For example: ● Mysql: UPDATE users SET password = SHA2(CONCAT('myRandomS4lt', password, user_id), 512); ● Microsoft SQL SERVER: UPDATE users SET password = HASHBYTES('SHA2_256', CONCAT('myRandomS4lt', password, user_id)); ● In this example we use a static SALT (user_id) and a dynamic one (“myRandomS4lt) for each user.
  • 19. Simple HOWTOs ● Bcrypt and scrupt are not supported by SQL, hence we will have to do some conversion, using PHP, for example: // Get users details from DB $results = $con->query("SELECT user_id, password FROM users"); $users = $results->fetch_all(MYSQLI_ASSOC); // Set the hashed password for every user foreach ($users as $user) { $plain_pass = $user['password']; // Hash the password using the static salt // and the user ID as dynamic salt $hashed_pass = crypt( $plain_pass, '$2a$10$' ...
  • 20. In Short ● Don’t use Plain Text passwords (including in papers) ● Use cryptographic hash functions which are considered safe (SHA-2 family, Whirlpool) and don’t use cryptographic hash functions which are considered weak (SHA-1, MD5) ● Use SALT and/or Double SALT ● Consider using key stretching to slow down the hashing operation, giving an attacker a hard time while trying to crack your system.
  • 21. Use The Guide ● The lecture slides are based on the passwords security guide of the Israeli Internet Society (ISOC-IL), available for both developers and managers here: http://www.isoc.org.il/techinfo/ref_pas_guide.html ● In that guide you get a more detailed explanation, including more code examples and references to more useful sites. ● Feel free to share that guide (and these lecture slides), based on CC BY 2.5 ● Enjoy protecting your environment :-)