
Protecting Passwords

Published on 2016/06/30 at #ssmjp 2016/06



  1. PROTECTING PASSWORDS
     inaz2, #ssmjp 2016/06, 2016/06/30
  2. ABOUT ME
     • inaz2
     • Security Engineer & Python Programmer
     • Blog: ももいろテクノロジー (http://inaz2.hatenablog.com/)
  3. RECENT TOPICS ON PASSWORDS
     • http://d.hatena.ne.jp/Kango/20160123/1453546824
  4. RECENT TOPICS ON PASSWORDS
     • http://d.hatena.ne.jp/Kango/20160518/1463586755
  5. RECENT TOPICS ON PASSWORDS
     • http://block.fm/news/Deadmau5_SChack.html
  6. RECENT TOPICS ON PASSWORDS
     • http://www.theregister.co.uk/2016/06/06/facebook_zuckerberg_social_media_accnt_pwnage/
  7. https://www.ipa.go.jp/security/keihatsu/munekyun-pw/slideshow/index.html
     "Hey... I wonder what was wrong with my password."
  8. WHAT SHOULD WE DO?
     • Developers/Engineers
       • Secure your authentication infrastructure
     • Users
       • Use strong passwords and manage them
     • Researchers
       • Do what you want UNDER THE LAW
  9. SECURING YOUR AUTHENTICATION INFRASTRUCTURE
     For Developers/Engineers
  10. USING HTTPS
      • HTTP is insecure
        • Anyone can get plaintext passwords from captured packets
      • The login form and endpoint should be delivered only via HTTPS with a valid certificate
      • Basic auth over HTTPS is acceptable
      • Use Digest auth for HTTP
  11. MONITORING LOGIN FAILURE
      • Check authentication logs
      • Restrict the maximum count of failures
      • Fail2ban: http://www.fail2ban.org/
  12. PASSWORD HASHING
      • Never store plaintext passwords
      • glibc's crypt(3) supports salted SHA-256/512
        • crypt.crypt (Python), String#crypt (Ruby), crypt (PHP)
      • Key Derivation Functions (KDF) are recommended
        • Take a relatively long time to compute
        • hashlib.pbkdf2_hmac (Python, PBKDF2), OpenSSL::PKCS5 (Ruby, PBKDF2), password_hash (PHP, bcrypt)
        • scrypt: http://www.tarsnap.com/scrypt.html
  13. IDENTITY AND ACCESS MANAGEMENT (IAM)
      • If you want a directory service → Active Directory/LDAP
      • If you use data from Twitter, Facebook etc. → OAuth 2.0
      • If the systems are various and large → SAML/OpenID Connect
      • Cloud solution: Identification as a Service (IDaaS)
  14. EXTRA: TWO-FACTOR AUTHENTICATION (2FA)
      • Combine password and card
        • Random number table, Smart card
      • Combine password and a device implementing a One-time password (OTP) algorithm
        • Mobile app (e.g. Google Authenticator), USB token (e.g. YubiKey)
        • HOTP (RFC 4226), TOTP (RFC 6238)
      • Combine password and biometric recognition
        • Fingerprint, Finger vein, Iris etc.
  15. USING STRONG PASSWORDS AND MANAGING THEM
      For Users
  16. TYPE OF ATTACKS
      • Indiscriminate
        • Attacking web services/servers
        • e.g. SNS, Forums, EC sites, SSH servers
      • Targeted
        • Attacking a specific person
        • e.g. celebrities, VIPs, neighbors
  17. ATTACK METHODS
      • Brute force (including mask/hybrid)
        • Hanako0101, Hanako0102, …, Hanako1231
      • Dictionary
        • 123456, P@ssw0rd, letmein, qwerty, football, welcome, …
        • https://wiki.skullsecurity.org/Passwords
      • Default Credential
        • admin/admin, ubuntu/ubuntu, pi/raspberry, PlcmSpIp/PlcmSpIp, …
        • https://github.com/danielmiessler/SecLists/blob/master/Passwords/default-passwords.csv
      • Breached Credential
        • Your breached LinkedIn credential reused on Twitter, Facebook, iCloud, …
        • https://haveibeenpwned.com/
  18. ATTACK METHODS (the list from slide 17, annotated with the countermeasure for each)
      • Brute force (including mask/hybrid) → Don't use predictable rules
        • Hanako0101, Hanako0102, …, Hanako1231
      • Dictionary → Use unique passwords
        • 123456, P@ssw0rd, letmein, qwerty, football, welcome, …
        • https://wiki.skullsecurity.org/Passwords
      • Default Credential → Change default passwords
        • admin/admin, ubuntu/ubuntu, pi/raspberry, PlcmSpIp/PlcmSpIp, …
        • https://github.com/danielmiessler/SecLists/blob/master/Passwords/default-passwords.csv
      • Breached Credential → Use different passwords
        • Your breached LinkedIn credential reused on Twitter, Facebook, iCloud, …
        • https://haveibeenpwned.com/
  19. HOW TO MAKE STRONG PASSWORDS?
      • http://windows.microsoft.com/en-US/windows-vista/tips-for-creating-a-strong-password
      • Is at least 8 characters long.
      • Does not contain your user name, real name, or company name.
      • Does not contain a complete word.
      • Is significantly different from previous passwords.
      • Contains characters from each of uppercase/lowercase/numbers/symbols
  20. USING MULTIPLE WORDS
      • xkcd: Password Strength
        • https://xkcd.com/936/
      • In my opinion, it is better to use non-English words (e.g. Japanese)
  21. EXAMPLE (DON'T USE THIS)
      AzunyanPeropero¥300!?
  22. ANTI-PATTERN: USING REAL SECRETS
      • Actually, Azunyan is not my favorite character.
      • Your real favorite items/celebrities/characters/phrases are predictable.
        • i.e. weak against targeted attacks
      • Choose a password that is safe even if others see it.
        • Systems may handle your passwords insecurely.
  23. RISK ASSESSMENT
      • Classify services
        • Bank / Public Services / SNS / Business / Oneshot
        • Very important / Important / Moderate / Less important
      • Use different passwords for different classes
      • Adding a prefix/suffix can be a mitigation for Breached Credential attacks
        • TAzunyanPeropero¥300!?, FAzunyanPeropero¥300!?, …
        • Of course, the best is using completely different passwords
  24. OTHER TOPICS
      • Two-factor authentication
        • Use it as far as possible.
      • Password manager
        • Use one if you want to.
      • Periodic password change
        • Do it if you are forced to.
      • Nobody can make it perfect. Do what you can, comparing cost and benefit.
  25. SOME FACTS
      For Researchers
  26. HASH CRACKING USING GPU
      • oclHashcat benchmark
        • http://inaz2.hatenablog.com/entry/2016/05/20/011353
        • https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40
      • Throughput (hash/sec):
        Hash                 Amazon EC2 g2.2xlarge   Nvidia GTX 1080
        MD5                  2,631,100,000           24,943,100,000
        SHA-1                697,000,000             8,538,100,000
        SHA-256              286,600,000             2,865,200,000
        PBKDF2-HMAC-SHA256   114,800                 1,173,100
        scrypt               25,092                  435,100
  27. OBSERVING SSH ATTACKS
      • Observed login trials on my SSH honeypot (58000 records)
      • Most trials were against the root account
      • A specific IP address tried 4800 different passwords
      • Some attackers tried joe accounts (password identical to the username)
        • admin/admin, guest/guest, ubuntu/ubuntu, oracle/oracle, postgres/postgres, wordpress/wordpress, steam/steam etc.
  28. RECAP
      • Passwords play an essential role in authentication schemes
      • Developers/engineers should secure their authentication infrastructure
        • HTTPS, Log monitoring, Password hashing, IAM, Two-factor auth
      • Users should use strong passwords and manage them properly
        • Don't use passwords like "hanako0630"
        • Change default passwords
  29. REFERENCES
      • Password strength - Wikipedia
        • https://en.wikipedia.org/wiki/Password_strength
      • "Chokotto Plus Password" | IPA (Information-technology Promotion Agency, Japan)
        • http://www.ipa.go.jp/chocotto/pw.html
      • Password Guidance - Microsoft Research
        • https://www.microsoft.com/en-us/research/publication/password-guidance/
      • Password guidance: simplifying your approach - GOV.UK
        • https://www.gov.uk/government/publications/password-policy-simplifying-your-approach
  30. THANK YOU!
      inaz2
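Slide 11 recommends checking authentication logs and capping the number of failures, and slide 27 describes what such logs look like on an SSH honeypot (most trials against root, one address trying thousands of passwords). The following is an added example, not code from the slides or from Fail2ban: it parses OpenSSH-style "Failed password" lines, counts failures per source address inside a sliding time window, and reports the addresses that cross a threshold together with the accounts they tried. The log lines are constructed sample data, and the window and threshold values are assumptions, not Fail2ban defaults.

```python
"""Fail2ban-style detection of repeated login failures (added example).

Parses sshd-style auth log lines, counts failed password attempts per
source IP inside a sliding window, and reports which IPs reach the
threshold together with the accounts they tried. The message format
mirrors OpenSSH's "Failed password for ..." line; the sample below is
constructed, and the window/threshold defaults are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog format; the year is implicit, assumed 2016).
# 203.0.113.7: five failures in eight seconds against root/admin/ubuntu.
# 198.51.100.9: one failure, then a successful key login (benign typo).
# 192.0.2.55: five failures spread fifteen minutes apart (slow spray).
SAMPLE_LOG = """\
Jun 30 10:00:01 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 30 10:00:03 honeypot sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 30 10:00:04 honeypot sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jun 30 10:00:06 honeypot sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.7 port 40131 ssh2
Jun 30 10:00:09 honeypot sshd[1207]: Failed password for root from 203.0.113.7 port 40140 ssh2
Jun 30 10:01:00 honeypot sshd[1210]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Jun 30 10:01:30 honeypot sshd[1212]: Accepted publickey for alice from 198.51.100.9 port 51001 ssh2
Jun 30 10:20:00 honeypot sshd[1300]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jun 30 10:35:00 honeypot sshd[1301]: Failed password for root from 192.0.2.55 port 33002 ssh2
Jun 30 10:50:00 honeypot sshd[1302]: Failed password for root from 192.0.2.55 port 33003 ssh2
Jun 30 11:05:00 honeypot sshd[1303]: Failed password for root from 192.0.2.55 port 33004 ssh2
Jun 30 11:20:00 honeypot sshd[1304]: Failed password for root from 192.0.2.55 port 33005 ssh2
"""

# Matches both "Failed password for root ..." and "... for invalid user admin ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2016):
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_offenders(log_text, max_failures=5, window_seconds=600):
    """Return {ip: sorted usernames tried} for every IP that reaches
    max_failures failed attempts within any window_seconds span.

    A per-IP deque holds the timestamps inside the current window; older
    entries are dropped as newer failures arrive (sliding window), so a
    slow spray that never has max_failures inside one window is not flagged
    at the default settings; widen the window to catch it."""
    recent = defaultdict(deque)   # ip -> timestamps within the window
    users = defaultdict(set)      # ip -> accounts attempted
    flagged = set()
    for ts, user, ip in parse_failures(log_text):
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}


if __name__ == "__main__":
    for ip, names in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} accounts tried: {', '.join(names)}")
```

With the defaults only 203.0.113.7 is reported; raising the window to an hour and lowering the threshold to three also catches the slow spray from 192.0.2.55, which is the trade-off a Fail2ban `findtime`/`maxretry` pair expresses.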
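Slide 12 names hashlib.pbkdf2_hmac as the Python route to a salted, deliberately slow password hash. The following added example (not from the slides) shows the store/verify pair that recommendation implies: a random per-user salt, PBKDF2-HMAC-SHA256, a self-describing stored record so the iteration count can be raised later, a constant-time comparison on verify, and a check for records that need rehashing. The `$pbkdf2-sha256$...` record layout and the iteration count are this example's own conventions, not a standard format.

```python
"""Salted PBKDF2-HMAC-SHA256 password storage (added example).

Store:  random salt + hashlib.pbkdf2_hmac -> "$pbkdf2-sha256$<iters>$<salt>$<hash>"
Verify: recompute with the stored salt/iterations, compare in constant time.
The record format and DEFAULT_ITERATIONS are this example's assumptions.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 200_000   # assumption; raise as hardware gets faster
SALT_BYTES = 16
DKLEN = 32


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return the stored record for `password`.

    `salt` may be supplied to make tests deterministic; in real use leave it
    None so every password gets a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "$".join([
        "", ALGORITHM, str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password, stored):
    """True if `password` matches `stored`; malformed records fail closed."""
    try:
        _, alg, iters, salt_b64, dk_b64 = stored.split("$")
        if alg != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True if the record is below current policy (fewer iterations or another
    algorithm), so it should be recomputed on the next successful login."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != ALGORITHM:
        return True
    try:
        return int(parts[2]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
```

Because the iteration count travels inside the record, raising DEFAULT_ITERATIONS does not invalidate existing users; `needs_rehash` lets the login path upgrade each record the next time the correct password is presented.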
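Slide 14 lists HOTP (RFC 4226) and TOTP (RFC 6238) as the algorithms behind authenticator apps and USB tokens. The following added example (not from the slides or from any authenticator project) implements both in plain Python and adds the server-side verifier that accepts a small window of adjacent time steps to tolerate clock skew. The values asserted below are the published test vectors from the two RFCs (shared secret "12345678901234567890", HMAC-SHA-1); the `window` default is an assumption.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a skew-tolerant verifier (added example).

HOTP: HMAC(secret, 8-byte big-endian counter) -> dynamic truncation -> mod 10^digits.
TOTP: HOTP with counter = floor(unix_time / step), step 30 s by default.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 one-time password for `counter`, zero-padded to `digits`."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 time-based password; `at` is a Unix timestamp (now if None)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, digestmod)


def verify_totp(secret, code, at, window=1, step=30, digits=6):
    """Server-side check: accept the code for the current time step and up to
    `window` steps on either side (clock skew), using a constant-time compare.
    A real deployment would also record the accepted counter so the same
    code cannot be replayed within its validity window."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret, only for demonstration.
    secret = b"12345678901234567890"
    print("HOTP counter 0:", hotp(secret, 0))          # 755224 per RFC 4226
    print("TOTP at t=59, 8 digits:", totp(secret, at=59, digits=8))  # 94287082 per RFC 6238
    print("current TOTP:", totp(secret))
```

The dynamic-truncation step (low nibble of the last MAC byte selects a 4-byte window, top bit cleared) is what makes the same HMAC output reproducible across implementations; the window in `verify_totp` trades a little brute-force margin for tolerance of a phone whose clock is up to one step off.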
