@nickmalcolm

A Recipe for Password Storage. Add Salt to Taste.

345
Recipe #1: Plaintext

Ingredients: Fruit(s) of choice
Preparation:
1. Put fruit on plate.

To validate a user’s password, just look at their password.
username    password
bluesky98   111111
Kazoo96     password
jackals4    r1&N*L&10Pmf
Sunny2323   password123
Why is this bad?

Everyone in the kitchen can see your guest’s secret ingredient(s).

People reuse passwords.

But no company would actually store passwords like that, right?
“The security of our users' personal information has always been a top priority.”
- Neopets, 2016

26,892,897 accounts with plaintext passwords

Recipe #1: Plaintext
Recipe #2: Symmetric Encryption
flic.kr/p/EvurHC

Ingredients: Fruit(s) of choice
Preparation:
1. Put fruit in fridge.
2. Lock fridge.
username    password
bluesky98   111111
Kazoo96     password
jackals4    r1&N*L&10Pmf
Sunny2323   password123

Recipe #2: Encrypted (a real example)
username    password                            hint
bluesky98   c57712e7eeadeb17                    sixones
Kazoo96     94a012e6de4f1f0e 703c8f612c29f4a6
jackals4    ca97753a79cbdf8f 2a8819ef021ce73a
Sunny2323   94a012e6de4f1f0e 6b4e6be23ec132f0   p+123
The Fridge

To validate a user’s password, unlock the fridge, look at their password, and see if it matches.
Why is this bad?

People in your organisation could unlock the fridge when they’re not supposed to.

Breaking the lock or finding a key gives access to all the passwords.

You can sometimes X-Ray the fridge to learn more about what’s inside.
Recipe #2: Encrypted (a real example)
username    password                            hint
bluesky98   c57712e7eeadeb17 ________________   sixones
Kazoo96     94a012e6de4f1f0e 703c8f612c29f4a6   password
jackals4    ca97753a79cbdf8f 2a8819ef021ce73a
Sunny2323   94a012e6de4f1f0e 6b4e6be23ec132f0   p+123
But no one would actually store passwords like that, right?

“We deeply regret that this incident occurred.”
- Adobe, 2013

152,445,165 accounts with 3DES-encrypted passwords alongside plaintext hints

Recipe #2: Symmetric Encryption
Recipe #3: Hashed

Ingredients: Your choice of fruits, vegetables, etc.
Preparation:
1. Put ingredients in.
2. Blend.

The way we “blend” passwords is by using a hashing function.

Identical smoothie, given the exact same ingredients.
Identical hashes, given the same input.

Very different smoothies, even with very similar ingredients. (kinda)
Very different hashes, even with very similar input.

Fast to create a smoothie from even the chunkiest ingredients.
Fast to create a hash from even the longest or most complex input.

Infeasible to get back the raw ingredients.
Infeasible to recover the cleartext input.

Unlike a real smoothie… the hash is always the same size, regardless of the size of the input.

MD5, SHA1, SHA256, SHA384, BLAKE2...
username      password
bluesky98     111111
Kazoo96       password
jackals4      r1&N*L&10Pmf
Sunny2323     password123
hackerman12   password

Recipe #3: Hashed with SHA1
username      password
bluesky98     3d4f2bf07dc1be38b20cd6e46949a1071f9d0e3d
Kazoo96       5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
jackals4      f8a087448bcec30f97a46094e48df6e2c76bae58
Sunny2323     cbfdac6008f9cab4083784cbd1874f76618d2a97
hackerman12   5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

To validate a user’s password, hash the provided input and check it against the hash in the DB.

username      password
bluesky98     3d4f2bf07dc1be38b20cd6e46949a1071f9d0e3d
Kazoo96       5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
“I’m Kazoo96, and my password is ‘password’”
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
Why is this bad?

Users who have the same password have identical hashes.

Recipe #3: Hashed with SHA1
username      password
bluesky98     3d4f2bf07dc1be38b20cd6e46949a1071f9d0e3d
Kazoo96       5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
jackals4      f8a087448bcec30f97a46094e48df6e2c76bae58
Sunny2323     cbfdac6008f9cab4083784cbd1874f76618d2a97
hackerman12   5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

It’s also really fast to pre-compute lists of passwords. These are called Rainbow Tables.

 1  123456      7c4a8d09ca3762af61e59520943dc26494f8941b
 2  password    5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
 3  12345678    7c222fb2927d828af22f592134e8932480637c0d
 4  qwerty      b1b3773a05c0ed0176787a4f1574ff0075f7521e
 5  123456789   f7c3bc1d808e04732adf679965ccc34ca7ae3441
 6  12345       8cb2237d0679ca88db6464eac60da96345513964
 7  1234        7110eda4d09e062aa5e4a390b0a572ac0d2c0220
 8  111111      3d4f2bf07dc1be38b20cd6e46949a1071f9d0e3d
 9  1234567     20eabe5d64b0e216796e834f52d61fd0b70332fc
10  dragon      af8978b1797b72acfff9595a5a2a373ec3d9106d
Fast hashing functions also mean fast brute-forcing.
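As an added example (not code from the deck), here is the defender's side of the Recipe #3 problem in Python: an audit of an unsalted SHA1 user table that reports which accounts share a hash (same password, no cracking needed) and which fall to a list hashed once in advance, the rainbow-table idea. The table and the ten-entry wordlist are constructed from the slides above; a real audit would use a real wordlist.

```python
import hashlib
from collections import defaultdict

# Constructed input: the deck's Recipe #3 table (unsalted SHA1, hex digests).
LEGACY_TABLE = {
    "bluesky98":   "3d4f2bf07dc1be38b20cd6e46949a1071f9d0e3d",
    "Kazoo96":     "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
    "jackals4":    "f8a087448bcec30f97a46094e48df6e2c76bae58",
    "Sunny2323":   "cbfdac6008f9cab4083784cbd1874f76618d2a97",
    "hackerman12": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
}

# Constructed wordlist: the deck's top-10 slide stands in for a real list.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "123456789",
                    "12345", "1234", "111111", "1234567", "dragon"]


def sha1_hex(password: str) -> str:
    """The deck's 'blender' for Recipe #3: plain, unsalted SHA1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precompute(wordlist) -> dict:
    """Hash the list once. Because there is no salt, the result is reusable
    against every user and every site using the same function."""
    return {sha1_hex(p): p for p in wordlist}


def shared_hashes(table: dict) -> dict:
    """Accounts with identical digests share a password; that is visible
    without recovering the password at all."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def precomputed_hits(table: dict, lookup: dict) -> dict:
    """Accounts whose digest is in the precomputed list, mapped to the
    password the list associates with it."""
    return {user: lookup[d] for user, d in table.items() if d in lookup}


def audit(table: dict, wordlist) -> dict:
    """Quantify exposure of a legacy table before migrating it to a salted,
    slow hash: shared digests, wordlist hits, and the fraction hit."""
    lookup = precompute(wordlist)
    hits = precomputed_hits(table, lookup)
    return {
        "shared": shared_hashes(table),
        "hits": hits,
        "exposed_fraction": len(hits) / len(table),
    }


if __name__ == "__main__":
    report = audit(LEGACY_TABLE, COMMON_PASSWORDS)
    for digest, users in report["shared"].items():
        print(f"shared digest {digest[:12]}...: {', '.join(users)}")
    for user, password in report["hits"].items():
        print(f"{user}: matched by the 10-entry list ({password!r})")
    print(f"{report['exposed_fraction']:.0%} of accounts exposed by a 10-entry list")
```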
So no one would actually store passwords like that, right?

“We take the security of our users very seriously.”
- Last FM, 2012

37,217,682 accounts with MD5’d passwords

“We take the safety and security of our members' accounts seriously.”
- LinkedIn, 2016

164,611,595 accounts with SHA1 passwords

“the vast majority of passwords were quickly cracked in the days following the release of the data”
- Troy Hunt of HaveIBeenPwned.com

Recipe #3: Hashed
Recipe #4: “Salted” Hash

Ingredients: Fruits, vegetables, etc. Artisanal salt.
Preparation:
1. Put fruits in blender.
2. Add salt.
3. Blend.

Different salt for each diner, chosen by the chef.

The type of salt is written on a label, and stuck to their smoothie.

To validate a user’s password, hash the provided input plus the salt you wrote on the label of their last smoothie.

Plaintext isn’t recoverable, & identical input has different output. This seems fine?
Some blenders are way too fast.

Some blenders are broken. They can produce the same smoothie, even when given very different ingredients.

But no one would actually store passwords like that, right?

“We take cyber security very seriously … there’s no need to panic.”
- Zomato, 2017

37,217,682 accounts w/ passwords stored as MD5 with a 2 character(!!!) salt

Recipe #4: “Salted” Hash
Recipe #4.5: Salted Hash using a good blender.

Ingredients: Fruits, vegetables, etc. Artisanal salt.
Preparation:
1. Put fruits and salt in a good blender.
2. Blend.

Fast to create a smoothie, but not too fast.

Blend as slowly as your users will tolerate. Slow down your blender every now and then.

PBKDF2. Bcrypt. Scrypt. Argon2.

argon2id is the algorithm of choice today.

How to change your blender?
“Our customers’ privacy is of the utmost concern to us.”
- Ashley Madison, 2015

30,811,934 accounts with bcrypt’d passwords, but still kept 15M unsalted MD5 hashes around

“A blogger who went after the bcrypt hashes recovered only 4000 passwords in a week. In contrast, CynoSure Prime recovered the passwords for over 11 million of the MD5 hashes in about 10 days.”
- Paul Ducklin of “Naked Security”

So it’s fine to store passwords when hashed with a good algorithm?

“This is regrettable.”
- Canva, 2019

137,272,116 accounts with bcrypt’d passwords

So it’s fine to store passwords like that? Yes, but...

An attacker can still (slowly) brute-force passwords, one at a time.

Recipe #4.5: Salted Hash using a good blender.
Recipe #5: Salted Hash, with Pepper

A pepper is a secret. It’s the same for all passwords. It’s stored far away from the passwords.

When a user logs in you take their password. You fetch the pepper from the vault. You “unlock” their hash, hash their input + salt, and compare. Phew!

An attacker needs to know the secret pepper before they can even start brute-forcing salted hashes.

Hash & salt the passwords. Then symmetrically encrypt the hash using the pepper as the secret.
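As an added example (not the deck's code), Recipe #4.5 and Recipe #5 together in Python with only the standard library: a random salt per user written on the "label" with the algorithm and cost, PBKDF2 (one of the deck's "good blenders") with an iteration count that is raised at the next successful login, and a pepper that never lives in the user table. Two assumptions: where the deck symmetrically encrypts the stored hash with the pepper, this stand-in keys an HMAC with the pepper over the salted hash so that no third-party cipher library is needed, and the 600,000-iteration target is an assumed figure to tune per deployment.

```python
import base64
import hashlib
import hmac
import os

DIGEST = "sha256"
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000   # assumed current target: "as slowly as your users will tolerate"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def slow_salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Recipe #4.5: salt and password go into a deliberately slow blender.
    The iteration count is how slowly we blend."""
    return hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)


def apply_pepper(salted_hash: bytes, pepper: bytes) -> bytes:
    """Recipe #5 stand-in: the deck encrypts the salted hash with the pepper;
    here the pepper keys an HMAC over it instead. In both constructions the
    stored value cannot be checked against a guess without the pepper."""
    return hmac.new(pepper, salted_hash, DIGEST).digest()


def make_record(password: str, pepper: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Different salt for each diner, chosen by the chef (os.urandom), and
    written on the label next to the algorithm, the cost and the result."""
    salt = os.urandom(SALT_BYTES)
    peppered = apply_pepper(slow_salted_hash(password, salt, iterations), pepper)
    return f"pbkdf2_{DIGEST}${iterations}${_b64(salt)}${_b64(peppered)}"


def parse_record(record: str):
    algorithm, iterations, salt, peppered = record.split("$")
    return algorithm, int(iterations), base64.b64decode(salt), base64.b64decode(peppered)


def verify(password: str, record: str, pepper: bytes) -> bool:
    """Blend the provided input with the salt from the label, apply the
    pepper, and taste-test in constant time."""
    _, iterations, salt, stored = parse_record(record)
    candidate = apply_pepper(slow_salted_hash(password, salt, iterations), pepper)
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str, target_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """'Slow down your blender every now and then': a record made at a lower
    cost than today's target is due for an upgrade."""
    return parse_record(record)[1] < target_iterations


def login(password: str, record: str, pepper: bytes,
          target_iterations: int = PBKDF2_ITERATIONS):
    """Returns (ok, record). A successful login is the one moment the plaintext
    is in hand, so it is when an old record gets re-blended at the new cost."""
    if not verify(password, record, pepper):
        return False, record
    if needs_rehash(record, target_iterations):
        record = make_record(password, pepper, target_iterations)
    return True, record


if __name__ == "__main__":
    pepper = os.urandom(32)   # in production: fetched from the vault, never stored with the hashes
    kazoo = make_record("password", pepper)
    hackerman = make_record("password", pepper)
    print(kazoo != hackerman)                    # True: same password, different labels
    print(verify("password", kazoo, pepper))     # True
    print(verify("password", kazoo, b"\0" * 32)) # False: right password, wrong pepper
```

Verification fails without the pepper, so it must survive backups and key rotation even though it is kept away from the user table; with the deck's encryption variant the pepper can be rotated by re-encrypting stored hashes offline, whereas this HMAC variant needs each user's next login to recompute the record.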
Dropbox, after a breach of 68M passwords

With or without a pepper, salted hashes are the way to go.

Password storage is only a small part of the problem.

user education
password complexity
monitoring & alerting
phishing
multi-factor authentication
rate limiting
federated identity / single sign on
behavioural analytics

345

Never store the password itself. Use a slow blender with built-in salt. Add pepper if you can. Then store the hash.

OWASP Password Cheat Sheet
Wikipedia
google: “paragonie passwords 2016”

Kia ora!

nick.malcolm.net.nz
aurainfosec.com

A Recipe for Password Storage: Add Salt to Taste

Editor's Notes

  1. Thanks Pixabay and Unsplash for the photos!
  2. Using some cooking analogies we’ll learn about keeping secrets secret. Will our password-storing creation rise deliciously to the occasion, or will it fall flat in disappointing despair? Don your chef hat, and come with me.
  3. As a chef, a new customer comes to you and says that their password is banana. You take their banana, and put it on a labelled plate in the kitchen.
  4. A week later that customer comes back, gives you a piece of fruit, you take it and compare it to the one you had before. If it’s a banana, they’re legit.
  5. The users table in your database is the plates of fruit. Each plate is labelled, and the fruit on the plate is just sitting there. Nothing fancy.
  6. All the chefs walking through the kitchen, and the wait staff, and the cleaners, they all can see the fruit people have put on their plates.
  7. Not only that, customers probably use the same fruit at many restaurants - the same password on many websites. Someone who knows their fruit can walk to the restaurant down the street and get a meal on them.
  8. Yes, Neopets is still around!
  9. Now it’s not just people with access to the kitchen who have your guests’ passwords, it’s everyone!
  10. So that was….
  11. This is our plaintext password storage from the first recipe
  12. This method of storing passwords was actually used, but we’ll get to that in a moment. https://gchq.github.io/CyberChef/#recipe=Triple_DES_Encrypt(%7B'option':'UTF8','string':'passwordpasswordpassword'%7D,%7B'option':'UTF8','string':''%7D,'ECB','Raw','Hex')&input=MTExMTEx
  13. This is great! Now waitstaff, cleaners, other chefs, and lost guests can’t see the passwords. They’re still in plaintext inside the fridge, but you can’t get in.
  14. The same password will look the same. You can often tell roughly how long a password is.
  15. https://gchq.github.io/CyberChef/#recipe=Triple_DES_Encrypt(%7B'option':'UTF8','string':'passwordpasswordpassword'%7D,%7B'option':'UTF8','string':''%7D,'ECB','Raw','Hex')&input=MTExMTEx In this example of bad encryption, you can get information about the length of the plaintext entry. You can also see repetitions in the source data. Both Kazoo and Sunny have passwords which start with the same string - the word “password”. Also the company that stored passwords like this also decided to store plaintext password hints...
  16. The key was never breached, but you could look at hints to guess the password. If you figure out one password, you can see all the other users in the table who used the same password. Or, if your own password is in there you can look and see who else has a password that starts like yours does.
  17. Better, but still not very good.
  18. Hashing Specifically: Cryptographic Hashes.
  19. Deterministic
  20. Add a drop of hot sauce, and the smoothie will change drastically. (Not really, but…) Although the hashes are very different, the length is still the same. This means we’re not giving away any extra information. (Could also mention about locality-preserving hashes vs random output https://en.wikipedia.org/wiki/Locality-sensitive_hashing and https://en.wikipedia.org/wiki/Avalanche_effect)
  21. Also a problem, but we’ll get to that
  22. One-way
  23. Although the hashes are very different, the length is still the same. This means we’re not giving away any extra information. This is not how blenders work (more ingredients => more smoothie).
  24. Hashing
  25. Note that they are the same length!
  26. The customer comes to you with a banana, and instead of storing the banana on a plate or in a locked fridge, you blend it. When they come back later, they give you their fruit, you blend that too. Then you do a taste test
  27. Hash the pwd, compare it against the claimed user’s hashed password.
  28. We hashed passwords with SHA1, that sounds good right?
  29. Identical passwords giving identical hashes is a built-in feature of hashes!
  30. Most smoothies have banana in them. Most passwords are “password”. In anticipation of a big breach, instead of trying to brute force them at the time, I could build up a list.
  31. https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-100.txt
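Notes 27 to 31 together, as an added Python example that is not from the talk: an unsalted SHA-1 table with the usual hash-and-compare login, then the defender’s assessment of what a short precomputed list of common passwords recovers from that table on its own, and which accounts visibly share a password. User names, passwords and the “common” list are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data for this example (not from any real breach or list)
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "password123", "111111"]
USERS = {
    "alice": "password",
    "bob": "Tr0ub4dor&3-xkcd",
    "carol": "password",
    "dave": "qwerty",
}


def sha1_hex(password):
    # A fast, unsalted hash: the same input always gives the same digest
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_unsalted(users):
    """The 'blender with no salt': one SHA-1 digest per user, nothing else."""
    return {user: sha1_hex(pw) for user, pw in users.items()}


def check_login(stored, user, password):
    """Hash the supplied password and compare it with the stored digest."""
    return user in stored and hmac.compare_digest(stored[user], sha1_hex(password))


def precompute_lookup(wordlist):
    """digest -> password, built once ahead of time; the idea behind lookup/rainbow tables."""
    return {sha1_hex(pw): pw for pw in wordlist}


def assess_exposure(stored, lookup):
    """Defender's view of a leaked unsalted table: what a precomputed list alone
    recovers, and which accounts share a password (visible even for digests the
    list does not cover, because identical passwords give identical digests)."""
    recovered = {user: lookup[digest] for user, digest in stored.items() if digest in lookup}
    by_digest = defaultdict(list)
    for user, digest in stored.items():
        by_digest[digest].append(user)
    reused = [sorted(group) for group in by_digest.values() if len(group) > 1]
    return {"recovered": recovered, "reused": reused}


if __name__ == "__main__":
    table = store_unsalted(USERS)
    print(assess_exposure(table, precompute_lookup(COMMON_PASSWORDS)))
```

Three of the four constructed accounts fall to a six-entry list without any hashing at assessment time, and the reuse between alice and carol is visible even before any password is known. That is the gap that salting (and a slow hash) closes.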
  32. http://blog.last.fm/2012/06/08/an-update-on-lastfm-password-security
  33. MD5’d passwords. Well, that’s MD5; what about a different hash, a different blender?
  34. Not very seriously, like Last.fm. https://blog.linkedin.com/2016/05/18/protecting-our-members But they were breached in 2012, and either didn’t know or didn’t tell them!
  35. MD5’d passwords
  36. https://haveibeenpwned.com/PwnedWebsites#LinkedIn
  37. Zuck used “dadada” as his LinkedIn password, and reused that password on Twitter and Pinterest.
  38. What could we do so that rainbow tables don’t work, and common passwords aren’t as obvious?
  39. It’s not chosen by the user. Two users with the same requested ingredients will get different smoothies.
  40. This way the chef doesn’t need to remember whether it was Himalayan or rock salt.
  41. And check it against the hash in the DB. Storing the salt alongside the hash allows you to recompute the hash identically, assuming you’re given the same input at the start.
  42. Salts don’t do anything to stop brute forcing passwords. An attacker can’t use a pre-computed rainbow table, and they can’t see where folks have reused passwords, but if you’ve used a fast blender, they can crank through passwords one by one, especially if users use weak passwords.
  43. https://www.zomato.com/blog/security-notice https://www.zomato.com/blog/security-notice-update https://haveibeenpwned.com/PwnedWebsites
  44. Because it was MD5 it was incredibly easy for researchers to brute force the passwords. https://www.vice.com/en_us/article/z4j5g4/restaurant-app-zomato-says-your-stolen-password-is-fine-but-is-it
  45. This is called a “work factor”, or “rounds”. Different algorithms let you tune it in different ways.
  46. These four options are safe choices, give you a configurable work factor, and handle the salt for you. Don’t make your own blender. PBKDF2 will be familiar to .NET and Django developers. It’s getting a little old; one popular cryptographer called it “the worst of the acceptable options”. Bcrypt has been around since 1999. It’s pretty good and really easy to use, but doesn’t stand up against parallel or GPU-powered brute forcing as well as scrypt and Argon2. It’s commonly found in Rails and PHP apps. Scrypt addresses some of bcrypt’s issues, and is a solid choice, but not super common. Argon2 is the new kid on the block, and recommended as the best choice today.
  47. “Winner of a several year project to identify a successor to bcrypt/PBKDF/scrypt methods of securely storing passwords” Like bcrypt, Argon2id will choose the salt for you, let you customise and change how slowly it blends, and also has something extra we’ll get to soon.
  48. There are a few strategies for this that I don’t have time to go into, but the OWASP password cheat sheet explores them. Just realise that some ways of changing are better than others.
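Notes 39 to 48 as one added Python example, not code from the talk: a salted PBKDF2-HMAC-SHA256 store with a tunable work factor, the salt chosen by the application and stored next to the hash together with the iteration count, constant-time verification, and one of the strategies for changing the work factor later (re-hash at login, when the plaintext is briefly available). The record format `algo$iterations$salt$hash` and the 600,000 default are assumptions for this example (the default is in the range of current OWASP guidance for PBKDF2-HMAC-SHA256), not values from the talk.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
SALT_BYTES = 16
# Assumed default work factor for this example; in the range of current public
# (OWASP) guidance for PBKDF2-HMAC-SHA256. Raise it over time as hardware gets faster.
DEFAULT_ITERATIONS = 600_000


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Salt is chosen by us from a CSPRNG (never by the user) and stored next to the
    hash together with the work factor, so the same inputs can be recomputed later."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def parse_record(stored):
    algo, iterations, salt, dk = stored.split("$")
    if algo != ALGO:
        raise ValueError("unknown password hash format: %r" % algo)
    return int(iterations), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    iterations, salt, expected = parse_record(stored)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True if the record was made with a lower work factor than we want today."""
    return parse_record(stored)[0] < iterations


def login(db, user, password, iterations=DEFAULT_ITERATIONS):
    """Verify, and on success transparently upgrade a weaker record to the current
    work factor (the plaintext is only in hand at login, so this is when to re-blend)."""
    stored = db.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored, iterations):
        db[user] = hash_password(password, iterations)
    return True


if __name__ == "__main__":
    db = {"alice": hash_password("correct horse battery staple", iterations=100_000)}
    print("login ok:", login(db, "alice", "correct horse battery staple"))
    print("upgraded to", parse_record(db["alice"])[0], "iterations")
```

Two users with the same password get different records because each gets its own salt, so a precomputed table built for one record is useless for any other; the work factor is what makes each guess expensive once an attacker has the table. Because the iteration count travels with the record, old and new records coexist and get migrated one login at a time.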
  49. https://haveibeenpwned.com/PwnedWebsites#AshleyMadison
  50. Side note: Canva’s response was actually pretty good. Better than others. (Still not great: https://www.smartcompany.com.au/startupsmart/analysis/canva-data-breach-response/) But the database is out there, and there will be people who are targeting specific accounts and trying to brute force those passwords.
  51. https://nakedsecurity.sophos.com/2015/09/10/11-million-ashley-madison-passwords-cracked-in-10-days/ In July 2017, Avid Life Media (renamed Ruby Corporation) agreed to settle two dozen lawsuits stemming from the breach for $11.2 million. https://en.wikipedia.org/wiki/Ashley_Madison_data_breach https://arstechnica.com/information-technology/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
  52. https://support.canva.com/contact/customer-support/may-24-security-incident-faqs/
  54. If the database server is misconfigured, if there’s SQL injection, if a backup goes missing, an attacker has access to a table of salted hashes.
  55. If not that, then what?
  56. Remember that salts were like a label stuck to a smoothie. They weren’t a secret, they just made hashes unique. A pepper is not stuck to the smoothie. It’s stored elsewhere, like KFC’s 11 Secret Herbs and Spices. You might store it in your app config, or in a hardware security module. All passwords are encrypted and decrypted by the application, using this secret.
  57. Like when you set a password on zip file, or your WiFi, or your password manager app. The same password lets you unlock the secrets each time.
  58. If you get SQLi, or find a misplaced backup, or steal the database’s hard disk, you’re stuck. You are missing the key. If you compromise a web app, maybe you can get the salted hashes from there. Again, not foolproof, but it’d stop many of the breaches we’ve discussed from being possible.
  59. Like when you set a password on zip file, or your WiFi, or your password manager app. The same password lets you unlock the secrets each time. Argon2id has native support for peppers.
  60. https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/ They adopted this model sometime after their breach of 68,648,009 passwords, half of which were SHA1 and half were bcrypt. Dropbox was breached in 2012, because an employee who had access to the password records was reusing a password exposed in the LinkedIn dump!
  61. You’re basically buying your users time to change their passwords if there’s a breach. A determined attacker can still try to brute force a pepper,
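The pepper described in notes 56 to 61, as an added Python example that is not from the talk and not Dropbox’s code. It uses the HMAC pre-hash construction (pepper the password with HMAC-SHA256, then run the slow salted hash), which is a different but standard way of applying a pepper from the “encrypt the hash with the secret” model the talk describes and from Argon2’s built-in secret parameter; the scrypt parameters and the way the pepper is loaded are assumptions for the example. Only the (salt, hash) pair is what the database holds; the function at the end shows that a record on its own does not even match its correct password.

```python
import hashlib
import hmac
import os

# scrypt parameters assumed for this example (memory = 128 * N * r = 16 MiB)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def load_pepper():
    # Constructed for this example. In a real app the pepper comes from app config,
    # a secrets manager or an HSM; it never lives in the database with the hashes.
    return os.urandom(32)


def _slow_hash(keyed_password, salt):
    return hashlib.scrypt(keyed_password, salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_with_pepper(password, pepper):
    """Pepper-then-salt: HMAC the password with the secret pepper, then run the slow
    salted hash. Only (salt, hash) goes to the database; the pepper stays out of it."""
    salt = os.urandom(16)
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return salt, _slow_hash(keyed, salt)


def verify_with_pepper(password, pepper, record):
    salt, expected = record
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(_slow_hash(keyed, salt), expected)


def matches_without_pepper(password, record):
    """What someone holding only the database record can test: the slow hash of the
    bare candidate. With the pepper missing, even the correct password does not match."""
    salt, expected = record
    return hmac.compare_digest(_slow_hash(password.encode("utf-8"), salt), expected)


if __name__ == "__main__":
    pepper = load_pepper()
    record = hash_with_pepper("correct horse battery staple", pepper)
    print("with pepper:", verify_with_pepper("correct horse battery staple", pepper, record))
    print("record alone:", matches_without_pepper("correct horse battery staple", record))
```

The trade-off the talk mentions still applies: if the pepper is lost the records cannot be verified, and if it is stolen along with the table the attacker is back to brute forcing a salted, slow hash. Keep it in config or an HSM, not in the same backup as the database.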
  62. We’ve focused on storage, but there are lots of other factors when it comes to good authentication. All of these could be their own topics.
  63. What we have talked about is how to store passwords properly, if that’s what we need to do
  64. In summary
  65. The cheat sheet has examples and references for the blender you’re using, and how to set it to the right blend-time. Wikipedia can give you insight into the mechanics of the blenders: how they work, the actual values they store in the database, etc. The paragonie blog has legit code snippets for argon2, bcrypt, and scrypt, for PHP, Node, .Net, Ruby, Java, and Python.
  66. References.
      Adobe breach: https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/ and https://filippo.io/analyzing-the-adobe-leaked-passwords/
      Argon2: https://medium.com/@mpreziuso/password-hashing-pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e
      Code snippets for password storage for PHP, .Net, Java, and Ruby: https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016