SlideShare a Scribd company logo
Password Storage 
(And Attacking) 
In PHP 
Anthony Ferrara
“Anyone, from the most 
clueless amateur to the 
best cryptographer, can 
create an algorithm that 
he himself can't break.” 
- Bruce Schneier
Github URL 
Follow Along: 
github.com/ircmaxell/password-bad-web-app 
A "Bad Web App" 
- Has Known Vulnerabilities 
- Only Use For Education!!! 
- Requires only Apache + PHP 
- Has Composer Dependencies
Let's Start 
From The 
Beginning
Plain-Text Storage 
git checkout plaintext 
Stores passwords in Plain-Text 
What's wrong with this picture?
Plain-Text Storage 
What happens if we have a SQL-Injection 
Vulnerability? 
localhost/sqli 
Simulates: 
?offset=0'+UNION+SELECT+*+FROM+users
Plain-Text Storage 
Problem! 
Any attack vector results in leakage of ALL 
credentials!
We Can Do Better
MD5 
git checkout md5 
Uses the MD5 Cryptographic Hash function. 
md5($password) 
hash('md5', $password)
Wait, 
What Is A Hash?
What's A Cryptographic Hash? 
Like a fingerprint. 
One-way. 
- Easy and efficient to compute 
- Very inefficient to reverse 
- (Practically impossible) 
- Very hard to create collision 
- (new input with same output)
MD5 
What's the problem now? 
SQL-Injection still gives us hash 
But the hash is one-way, how can we attack it?
Enter: 
Lookup Tables
Lookup Table 
Google is a great example 
Maps hash to password directly 
Database Table: 
hash | password 
--------------+----------- 
"5f4dcc3b..." | "password" 
"acbd18db..." | "foo"
Lookup Table 
Lookups are CPU efficient. 
Require a LOT of storage space 
- (Very space inefficient) 
All passwords <= 7 chars (95^7, 70 Trillion) 
Requires 1.5 PetaBytes 
- In Most Optimal Storage Format
We Can Do Better
Lookup Table 
Password 
Hash 
a4fef...
Rainbow Table 
Seed 
Hash 
Reduce 
Hash 
a4fef... 
Reduce 
New 
Password 
b741...
Chained Table 
Seed 1 Hash Reduce Hash Reduce Hash Reduce Hash 
Seed 2 Hash Reduce Hash Reduce Hash Reduce Hash 
Seed 3 Hash Reduce Hash Reduce Hash Reduce Hash 
Seed 4 Hash Reduce Hash Reduce Hash Reduce Hash 
Seed 5 Hash Reduce Hash Reduce Hash Reduce Hash 
Seed 6 Hash Reduce Hash Reduce Hash Reduce Hash
Rainbow Table 
Seed 1 Hash Reduce Hash Reduce Hash Reduce Hash 
Seed 2 Hash Reduce Hash Reduce Hash Reduce Hash 
Seed 3 Hash Reduce Hash Reduce Hash Reduce Hash 
Seed 4 Hash Reduce Hash Reduce Hash Reduce Hash 
Seed 5 Hash Reduce Hash Reduce Hash Reduce Hash 
Seed 6 Hash Reduce Hash Reduce Hash Reduce Hash
Using A Rainbow Table 
Seed 1 Hash Reduce Hash Reduce Hash 
Seed 2 Hash Reduce Hash Reduce Hash 
Seed 3 Hash Reduce Hash Reduce Hash 
a4fef... 
b741... 
b741... 
b741...
Using A Rainbow Table 
Seed 1 Hash Reduce Hash Reduce Hash 
Seed 2 Hash Reduce Hash Reduce Hash 
Seed 3 Hash Reduce Hash Reduce Hash 
a4fef... 
b741... 
b741... 
b741...
Using A Rainbow Table 
Seed 1 Hash Reduce Hash Reduce Hash 
Seed 2 Hash Reduce Hash Reduce Hash 
Seed 3 Hash Reduce Hash Reduce Hash 
a4fef... 
b741... 
b741... 
b741... 
Reduce Hash
Using A Rainbow Table 
Seed 1 Hash Reduce Hash Reduce Hash 
Seed 2 Hash Reduce Hash Reduce Hash 
Seed 3 Hash Reduce Hash Reduce Hash 
a4fef... 
b741... 
b741... 
b741... 
Reduce 
Reduce Hash 
Hash
Rainbow Table 
Time/Space Tradeoff 
- Slower than a Lookup Table 
- Uses Much less storage 
Most (99.9%) passwords <= 7 chars 
Requires only 64 GB 
- Chain length of 71,000
Defense!
Salted MD5 
git checkout salted-md5 
Uses the MD5 Cryptographic Hash function. 
But adds a random salt UNIQUE per user. 
md5($salt . $password) 
hash('md5', $salt . $password)
Salts 
Must be unique! 
- Per Hash 
- Globally 
Should be random 
- Strong!!! 
- Reasonably long (at least 64 bits)
Salted MD5 
What's the problem now? 
SQL-Injection still gives us hash 
- And the salt 
But the salt defeats rainbow tables...
Can Anyone See 
The Problem?
What's A Cryptographic Hash? 
Like a fingerprint. 
One-way. 
- Easy and efficient to compute 
- Very inefficient to reverse 
- (Practically impossible) 
- Very hard to create collision 
- (new input with same output)
What's A Cryptographic Hash? 
Like a fingerprint. 
One-way. 
- Easy and efficient to compute 
- Very inefficient to reverse 
- (Practically impossible) 
- Very hard to create collision 
- (new input with same output)
Hash Functions 
Are Made To Be 
FAST
Brute Forcing 
Several Tools Available 
- John The Ripper 
- OCIHashCat 
A Lot Faster Than You May Think
Brute Forcing 
Multiple Ways To Attack 
- Mask Based (permutations) 
- Dictionary Based 
- Combinator Based 
- Combinations of dictionary words 
- Fingerprint Based 
- Combinators applied with permutations 
- Rule Based 
- Takes input password and transforms it
Brute Forcing 
Salted MD5 
2012 Macbook Pro: 
- md5: 33 million per second 
- sha256: 20 million per second 
Mask Attack: 
6 char passwords: 5 hours 
7 char passwords: 22 days 
Entire English Language: 1.8 seconds 
"LEET" Permutations: 1 hour
We Can Do Better
Brute Forcing 
Salted MD5 
25 GPU Cluster 
- md5: 180 Billion per second 
- < US$50,000 
6 char passwords: 4 seconds 
7 char passwords: 6 minutes 
8 char passwords: 10 hours 
Entire English Language: 
"LEET" Permutations:
Brute Forcing 
Salted MD5 
25 GPU Cluster 
- md5: 180 Billion per second 
- < US$50,000 
6 char passwords: 4 seconds 
7 char passwords: 6 minutes 
8 char passwords: 10 hours 
Entire English Language: yeah... 
"LEET" Permutations: 0.7 seconds
But Wait, 
I Thought MD5 
Was Broken?
MD5 IS Broken! 
But No Other Primitive Hash Is Not!!! 
sha1≈ md5 
sha256 ≈ md5 
sha512 ≈ md5 
whirlpool ≈ md5 
ALL raw primitive hashes are broken for 
password storage.
So, How Can We 
Combat Such 
Hardware?
Iterated MD5 
git checkout iterated-md5 
Uses the MD5 Cryptographic Hash function. 
But adds a random salt UNIQUE per user. 
And iterates a lot of times 
do { 
$h = md5($h . $salt . $password) 
} while($i++ < 1000);
We're 
Intentionally 
Slowing It Down
Brute Forcing 
Iterated MD5 
25 GPU Cluster 
- md5: 70 million per second 
6 char passwords: 17 minutes 
7 char passwords: 1 day 
8 char passwords: 124 days 
Entire English Language: 0.8 seconds
We Can Do Better
PBKDF2 
git checkout pbkdf2 
Uses the standard PBKDF2 algo 
- With SHA512 primitive 
Slower, and harder to use on GPU 
pbkdf2($pass, $salt, 10000, 40)
Brute Forcing 
PBKDF2 
25 GPU Cluster 
- PBKDF2(sha512): 300,000 per second 
6 char passwords: 28 days 
7 char passwords: 7 years 
8 char passwords: 700 years 
Entire English Language: 3 minutes
We Can Still 
Do Better
BCrypt 
git checkout bcrypt 
Uses the standard BCrypt algo 
- based on Blowfish cipher 
Same execution time, 
Much harder to run on GPU 
crypt $2a$
Brute Forcing 
BCrypt 
25 GPU Cluster 
- BCrypt: 70,000 per second 
6 char passwords: 120 days 
7 char passwords: 31 years 
8 char passwords: 3000 years 
Entire English Language: 14 minutes
A Note On Cost 
BCrypt accepts a "cost" parameter 
Must be tuned per server! 
- Target about 0.1 to 0.25 second runtime 
- Cost of 10 is a good baseline 
- Cost of 11 or 12 is better 
- Only if you have good hardware.
PHP 5.5 Password Hashing API 
git checkout password-compat 
A thin wrapper over crypt() 
- Simplifies implmentation 
- Strong random salt generation 
- Can specify cost as int option 
password_hash($pass, $algo, [$opts]) 
password_verify($pass, $hash) 
github.com/ircmaxell/password_compat
We Can Do 
Even Better!
Let's Encrypt 
As Well!
Encrypted BCrypt 
git checkout bcrypt-with-encryption 
Hash with BCrypt, 
Then encrypt result with AES-128. 
Requires key storage for the app. 
- Not trivial 
Use only if needed! 
- BCrypt alone is typically sufficient
Brute Forcing 
Encrypted BCrypt 
Attack requires low level server compromise! 
- SQL Injection is not enough! 
localhost/codeinject 
- Simulates code injection that reads source 
Any low level compromise 
Is No Worse than raw BCrypt 
- BCrypt is the baseline.
The Future
The Future 
scrypt 
- Sequential Memory Hard 
- Uses a LOT of memory (> 4mb / hash) 
- MUCH Harder to brute-force than bcrypt 
- IFF setup correctly
The Future 
Password Hashing Competition 
- Currently being setup 
- Aims to pick "standard" password hashing 
algorithm 
- A community effort
The Future 
Brute Forcing Word Lists 
- Complex combinations of words 
- "horse correct battery staple" 
Brute Forcing Grammar 
- "I don't want no cookies" 
Brute Forcing Structures 
- URLs, Email Addresses, URLs, etc
“Few false ideas have more firmly 
gripped the minds of so many 
intelligent men than the one 
that, if they just tried, they could 
invent a cipher that no one could 
break.” 
- David Kahn
A Note On 
Protecting 
Yourself
xkcd.com/936/
BAD ADVICE 
xkcd.com/936/
Use True Random 
Passwords
Use A Password 
Manager
Anthony Ferrara 
@ircmaxell 
me@ircmaxell.com 
blog.ircmaxell.com 
youtube.com/ircmaxell

More Related Content

What's hot

Apache Commons ソースリーディングの会:Codec
Apache Commons ソースリーディングの会:CodecApache Commons ソースリーディングの会:Codec
Apache Commons ソースリーディングの会:Codec
moai kids
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 

What's hot (20)

Угадываем пароль за минуту
Угадываем пароль за минутуУгадываем пароль за минуту
Угадываем пароль за минуту
 
Concept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized ApplicationConcept of BlockChain & Decentralized Application
Concept of BlockChain & Decentralized Application
 
Apache Commons ソースリーディングの会:Codec
Apache Commons ソースリーディングの会:CodecApache Commons ソースリーディングの会:Codec
Apache Commons ソースリーディングの会:Codec
 
Python Cryptography & Security
Python Cryptography & SecurityPython Cryptography & Security
Python Cryptography & Security
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAP
 
Cryptography With PHP
Cryptography With PHPCryptography With PHP
Cryptography With PHP
 
Cryptography with PHP (Workshop)
Cryptography with PHP (Workshop)Cryptography with PHP (Workshop)
Cryptography with PHP (Workshop)
 
NSC #2 - Challenge Solution
NSC #2 - Challenge SolutionNSC #2 - Challenge Solution
NSC #2 - Challenge Solution
 
Cracking Salted Hashes
Cracking Salted HashesCracking Salted Hashes
Cracking Salted Hashes
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 
Importance of sshfp and configuring sshfp for network devices
Importance of sshfp and configuring sshfp for network devicesImportance of sshfp and configuring sshfp for network devices
Importance of sshfp and configuring sshfp for network devices
 
Importance of SSHFP for Network Devices
Importance of SSHFP for Network DevicesImportance of SSHFP for Network Devices
Importance of SSHFP for Network Devices
 
SSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoSSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso Remoto
 
Web security
Web securityWeb security
Web security
 
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
MMT 29: "Hab Dich!" -- Wie Angreifer ganz ohne JavaScript an Deine wertvollen...
 
Redis - Usability and Use Cases
Redis - Usability and Use CasesRedis - Usability and Use Cases
Redis - Usability and Use Cases
 
DASP Top10 for OWASP Thailand Chapter by s111s
DASP Top10 for OWASP Thailand Chapter by s111s DASP Top10 for OWASP Thailand Chapter by s111s
DASP Top10 for OWASP Thailand Chapter by s111s
 
동시성과 병렬성
동시성과 병렬성동시성과 병렬성
동시성과 병렬성
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Redis SoCraTes 2014
Redis SoCraTes 2014Redis SoCraTes 2014
Redis SoCraTes 2014
 

Viewers also liked

Rainbow facts 2
Rainbow facts 2Rainbow facts 2
Rainbow facts 2
twebb101
 

Viewers also liked (17)

What is a Rainbow Table?
What is a Rainbow Table?What is a Rainbow Table?
What is a Rainbow Table?
 
Rainbow facts 2
Rainbow facts 2Rainbow facts 2
Rainbow facts 2
 
Beyond design patterns phpnw14
Beyond design patterns   phpnw14Beyond design patterns   phpnw14
Beyond design patterns phpnw14
 
Git Makes Me Angry Inside
Git Makes Me Angry InsideGit Makes Me Angry Inside
Git Makes Me Angry Inside
 
Development By The Numbers - ConFoo Edition
Development By The Numbers - ConFoo EditionDevelopment By The Numbers - ConFoo Edition
Development By The Numbers - ConFoo Edition
 
Development by the numbers
Development by the numbersDevelopment by the numbers
Development by the numbers
 
Don't Be STUPID, Grasp SOLID - DrupalCon Prague
Don't Be STUPID, Grasp SOLID - DrupalCon PragueDon't Be STUPID, Grasp SOLID - DrupalCon Prague
Don't Be STUPID, Grasp SOLID - DrupalCon Prague
 
Ophcrack
OphcrackOphcrack
Ophcrack
 
Don't Be STUPID, Grasp SOLID - ConFoo Edition
Don't Be STUPID, Grasp SOLID - ConFoo EditionDon't Be STUPID, Grasp SOLID - ConFoo Edition
Don't Be STUPID, Grasp SOLID - ConFoo Edition
 
Protecting Passwords
Protecting PasswordsProtecting Passwords
Protecting Passwords
 
Kanishka_3D Passwords
Kanishka_3D PasswordsKanishka_3D Passwords
Kanishka_3D Passwords
 
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
How-to crack 43kk passwords  while drinking your  juice/smoozie in the HoodHow-to crack 43kk passwords  while drinking your  juice/smoozie in the Hood
How-to crack 43kk passwords while drinking your juice/smoozie in the Hood
 
Be a Happier Developer with Git / Productive Team #gettinggitright
Be a Happier Developer with Git / Productive Team #gettinggitright Be a Happier Developer with Git / Productive Team #gettinggitright
Be a Happier Developer with Git / Productive Team #gettinggitright
 
PHP, Under The Hood - DPC
PHP, Under The Hood - DPCPHP, Under The Hood - DPC
PHP, Under The Hood - DPC
 
Death to Passwords SXSW 15
Death to Passwords SXSW 15Death to Passwords SXSW 15
Death to Passwords SXSW 15
 
Optativa catala (1)
Optativa catala (1)Optativa catala (1)
Optativa catala (1)
 
Store-Passwords
Store-PasswordsStore-Passwords
Store-Passwords
 

Similar to Password Storage And Attacking In PHP - PHP Argentina

Site Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariSite Performance - From Pinto to Ferrari
Site Performance - From Pinto to Ferrari
Joseph Scott
 
Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and cracking
Nipun Joshi
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
fangjiafu
 
Data Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityData Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network Identity
Antiy Labs
 
WordPress Performance & Scalability
WordPress Performance & ScalabilityWordPress Performance & Scalability
WordPress Performance & Scalability
Joseph Scott
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAM
Jonathan Katz
 

Similar to Password Storage And Attacking In PHP - PHP Argentina (20)

Site Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariSite Performance - From Pinto to Ferrari
Site Performance - From Pinto to Ferrari
 
Redis — memcached on steroids
Redis — memcached on steroidsRedis — memcached on steroids
Redis — memcached on steroids
 
Password Storage Sucks!
Password Storage Sucks!Password Storage Sucks!
Password Storage Sucks!
 
Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and cracking
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
 
Kickin' Ass with Cache-Fu (with notes)
Kickin' Ass with Cache-Fu (with notes)Kickin' Ass with Cache-Fu (with notes)
Kickin' Ass with Cache-Fu (with notes)
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rds
 
A rough guide to JavaScript Performance
A rough guide to JavaScript PerformanceA rough guide to JavaScript Performance
A rough guide to JavaScript Performance
 
Redis overview for Software Architecture Forum
Redis overview for Software Architecture ForumRedis overview for Software Architecture Forum
Redis overview for Software Architecture Forum
 
Data Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network IdentityData Storage and Security Strategies of Network Identity
Data Storage and Security Strategies of Network Identity
 
WordPress Performance & Scalability
WordPress Performance & ScalabilityWordPress Performance & Scalability
WordPress Performance & Scalability
 
Ekon24 from Delphi to AVX2
Ekon24 from Delphi to AVX2Ekon24 from Delphi to AVX2
Ekon24 from Delphi to AVX2
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
 
London Spark Meetup Project Tungsten Oct 12 2015
London Spark Meetup Project Tungsten Oct 12 2015London Spark Meetup Project Tungsten Oct 12 2015
London Spark Meetup Project Tungsten Oct 12 2015
 
WHEN FILE ENCRYPTION HELPS PASSWORD CRACKING
WHEN FILE ENCRYPTION HELPS PASSWORD CRACKINGWHEN FILE ENCRYPTION HELPS PASSWORD CRACKING
WHEN FILE ENCRYPTION HELPS PASSWORD CRACKING
 
Streaming 101: Hello World
Streaming 101:  Hello WorldStreaming 101:  Hello World
Streaming 101: Hello World
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAM
 
Hashing Considerations In Web Applications
Hashing Considerations In Web ApplicationsHashing Considerations In Web Applications
Hashing Considerations In Web Applications
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMSafely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
 

Recently uploaded

Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
Transforming The New York Times: Empowering Evolution through UX
Transforming The New York Times: Empowering Evolution through UXTransforming The New York Times: Empowering Evolution through UX
Transforming The New York Times: Empowering Evolution through UX
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Server-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at PricelineServer-Driven User Interface (SDUI) at Priceline
Server-Driven User Interface (SDUI) at Priceline
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Intelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdfIntelligent Gimbal FINAL PAPER Engineering.pdf
Intelligent Gimbal FINAL PAPER Engineering.pdf
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 

Password Storage And Attacking In PHP - PHP Argentina

  • 1. Password Storage (And Attacking) In PHP Anthony Ferrara
  • 2. “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.” - Bruce Schneier
  • 3. Github URL Follow Along: github.com/ircmaxell/password-bad-web-app A "Bad Web App" - Has Known Vulnerabilities - Only Use For Education!!! - Requires only Apache + PHP - Has Composer Dependencies
  • 4.
  • 5. Let's Start From The Beginning
  • 6. Plain-Text Storage git checkout plaintext Stores passwords in Plain-Text What's wrong with this picture?
  • 7. Plain-Text Storage What happens if we have a SQL-Injection Vulnerability? localhost/sqli Simulates: ?offset=0'+UNION+SELECT+*+FROM+users
  • 8.
  • 9. Plain-Text Storage Problem! Any attack vector results in leakage of ALL credentials!
  • 10. We Can Do Better
  • 11. MD5 git checkout md5 Uses the MD5 Cryptographic Hash function. md5($password) hash('md5', $password)
  • 12. Wait, What Is A Hash?
  • 13.
  • 14. What's A Cryptographic Hash? Like a fingerprint. One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)
  • 15. MD5 What's the problem now? SQL-Injection still gives us hash But the hash is one-way, how can we attack it?
  • 16.
  • 18.
  • 19. Lookup Table Google is a great example Maps hash to password directly Database Table: hash | password --------------+----------- "5f4dcc3b..." | "password" "acbd18db..." | "foo"
  • 20. Lookup Table Lookups are CPU efficient. Require a LOT of storage space - (Very space inefficient) All passwords <= 7 chars (95^7, 70 Trillion) Requires 1.5 PetaBytes - In Most Optimal Storage Format
  • 21. We Can Do Better
  • 22. Lookup Table Password Hash a4fef...
  • 23. Rainbow Table Seed Hash Reduce Hash a4fef... Reduce New Password b741...
  • 24. Chained Table Seed 1 Hash Reduce Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash Reduce Hash Seed 4 Hash Reduce Hash Reduce Hash Reduce Hash Seed 5 Hash Reduce Hash Reduce Hash Reduce Hash Seed 6 Hash Reduce Hash Reduce Hash Reduce Hash
  • 25. Rainbow Table Seed 1 Hash Reduce Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash Reduce Hash Seed 4 Hash Reduce Hash Reduce Hash Reduce Hash Seed 5 Hash Reduce Hash Reduce Hash Reduce Hash Seed 6 Hash Reduce Hash Reduce Hash Reduce Hash
  • 26. Using A Rainbow Table Seed 1 Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash a4fef... b741... b741... b741...
  • 27. Using A Rainbow Table Seed 1 Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash a4fef... b741... b741... b741...
  • 28. Using A Rainbow Table Seed 1 Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash a4fef... b741... b741... b741... Reduce Hash
  • 29. Using A Rainbow Table Seed 1 Hash Reduce Hash Reduce Hash Seed 2 Hash Reduce Hash Reduce Hash Seed 3 Hash Reduce Hash Reduce Hash a4fef... b741... b741... b741... Reduce Reduce Hash Hash
  • 30. Rainbow Table Time/Space Tradeoff - Slower than a Lookup Table - Uses Much less storage Most (99.9%) passwords <= 7 chars Requires only 64 GB - Chain length of 71,000
  • 32.
  • 33. Salted MD5 git checkout salted-md5 Uses the MD5 Cryptographic Hash function. But adds a random salt UNIQUE per user. md5($salt . $password) hash('md5', $salt . $password)
  • 34. Salts Must be unique! - Per Hash - Globally Should be random - Strong!!! - Reasonably long (at least 64 bits)
  • 35. Salted MD5 What's the problem now? SQL-Injection still gives us hash - And the salt But the salt defeats rainbow tables...
  • 36.
  • 37. Can Anyone See The Problem?
  • 38. What's A Cryptographic Hash? Like a fingerprint. One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)
  • 39. What's A Cryptographic Hash? Like a fingerprint. One-way. - Easy and efficient to compute - Very inefficient to reverse - (Practically impossible) - Very hard to create collision - (new input with same output)
  • 40. Hash Functions Are Made To Be FAST
  • 41. Brute Forcing Several Tools Available - John The Ripper - OCIHashCat A Lot Faster Than You May Think
  • 42. Brute Forcing Multiple Ways To Attack - Mask Based (permutations) - Dictionary Based - Combinator Based - Combinations of dictionary words - Fingerprint Based - Combinators applied with permutations - Rule Based - Takes input password and transforms it
  • 43. Brute Forcing Salted MD5 2012 Macbook Pro: - md5: 33 million per second - sha256: 20 million per second Mask Attack: 6 char passwords: 5 hours 7 char passwords: 22 days Entire English Language: 1.8 seconds "LEET" Permutations: 1 hour
  • 44. We Can Do Better
  • 45.
  • 46. Brute Forcing Salted MD5 25 GPU Cluster - md5: 180 Billion per second - < US$50,000 6 char passwords: 4 seconds 7 char passwords: 6 minutes 8 char passwords: 10 hours Entire English Language: "LEET" Permutations:
  • 47. Brute Forcing Salted MD5 25 GPU Cluster - md5: 180 Billion per second - < US$50,000 6 char passwords: 4 seconds 7 char passwords: 6 minutes 8 char passwords: 10 hours Entire English Language: yeah... "LEET" Permutations: 0.7 seconds
  • 48. But Wait, I Thought MD5 Was Broken?
  • 49. MD5 IS Broken! But No Other Primitive Hash Is Not!!! sha1≈ md5 sha256 ≈ md5 sha512 ≈ md5 whirlpool ≈ md5 ALL raw primitive hashes are broken for password storage.
  • 50. So, How Can We Combat Such Hardware?
  • 51. Iterated MD5 git checkout iterated-md5 Uses the MD5 Cryptographic Hash function. But adds a random salt UNIQUE per user. And iterates a lot of times do { $h = md5($h . $salt . $password) } while($i++ < 1000);
  • 53. Brute Forcing Iterated MD5 25 GPU Cluster - md5: 70 million per second 6 char passwords: 17 minutes 7 char passwords: 1 day 8 char passwords: 124 days Entire English Language: 0.8 seconds
  • 54. We Can Do Better
  • 55. PBKDF2 git checkout pbkdf2 Uses the standard PBKDF2 algo - With SHA512 primitive Slower, and harder to use on GPU pbkdf2($pass, $salt, 10000, 40)
  • 56.
  • 57. Brute Forcing PBKDF2 25 GPU Cluster - PBKDF2(sha512): 300,000 per second 6 char passwords: 28 days 7 char passwords: 7 years 8 char passwords: 700 years Entire English Language: 3 minutes
  • 58. We Can Still Do Better
  • 59. BCrypt git checkout bcrypt Uses the standard BCrypt algo - based on Blowfish cipher Same execution time, Much harder to run on GPU crypt $2a$
  • 60.
  • 61. Brute Forcing BCrypt 25 GPU Cluster - BCrypt: 70,000 per second 6 char passwords: 120 days 7 char passwords: 31 years 8 char passwords: 3000 years Entire English Language: 14 minutes
  • 62. A Note On Cost BCrypt accepts a "cost" parameter Must be tuned per server! - Target about 0.1 to 0.25 second runtime - Cost of 10 is a good baseline - Cost of 11 or 12 is better - Only if you have good hardware.
  • 63. PHP 5.5 Password Hashing API git checkout password-compat A thin wrapper over crypt() - Simplifies implmentation - Strong random salt generation - Can specify cost as int option password_hash($pass, $algo, [$opts]) password_verify($pass, $hash) github.com/ircmaxell/password_compat
  • 64. We Can Do Even Better!
  • 66. Encrypted BCrypt git checkout bcrypt-with-encryption Hash with BCrypt, Then encrypt result with AES-128. Requires key storage for the app. - Not trivial Use only if needed! - BCrypt alone is typically sufficient
  • 67.
  • 68. Brute Forcing Encrypted BCrypt Attack requires low level server compromise! - SQL Injection is not enough! localhost/codeinject - Simulates code injection that reads source Any low level compromise Is No Worse than raw BCrypt - BCrypt is the baseline.
  • 69.
  • 71. The Future scrypt - Sequential Memory Hard - Uses a LOT of memory (> 4mb / hash) - MUCH Harder to brute-force than bcrypt - IFF setup correctly
  • 72. The Future Password Hashing Competition - Currently being setup - Aims to pick "standard" password hashing algorithm - A community effort
  • 73. The Future Brute Forcing Word Lists - Complex combinations of words - "horse correct battery staple" Brute Forcing Grammar - "I don't want no cookies" Brute Forcing Structures - URLs, Email Addresses, URLs, etc
  • 74. “Few false ideas have more firmly gripped the minds of so many intelligent men than the one that, if they just tried, they could invent a cipher that no one could break.” - David Kahn
  • 75. A Note On Protecting Yourself
  • 78. Use True Random Passwords
  • 79. Use A Password Manager
  • 80. Anthony Ferrara @ircmaxell me@ircmaxell.com blog.ircmaxell.com youtube.com/ircmaxell