First presented at OWASP NZ 2020.
https://owasp.org/www-event-2020-NewZealandDay/
Storing passwords is as simple as following a recipe when developers use their frameworks, but there are sometimes choices to make when it comes to ingredients and amounts. Argon2 or PBKDF2? What’s a salt? How many rounds?
Join me on this cooking-themed presentation on password storage!
Every time a website gets breached you hope to hear “your password was salted and hashed” instead of “your passwords were stored in plain text” - but what does that actually mean, and why is it a good thing?
Wash your hands, don your apron, and join me as we follow the recipe for storing passwords safely. We’ll learn a bit about cryptography and one-way functions (that’s the hash!), how to source good ingredients (bcrypt, scrypt, argon, oh my!), why adding a pinch of salt helps, how many times we must stir the mix, and what happens if we miss a step. In the face of an attacker, will our delicious password loaf rise to the occasion, or will it fall flat in disappointment and despair?!
How to “Speak Developer” and Create a Winning Security Culture in Your Software Development Teams - Nick Malcolm
First presented at AISA Cyber Conference AU in 2018.
There aren’t enough security people in the workforce to scale to the demands of our business needs, but there’s an untapped resource already sitting within our organisations: developers and testers. In this session we’ll learn how to speak their language and create a security culture which will support secure development and ultimately enable innovative practices within the business.
As security professionals we often battle to make ourselves understood with developers. Maybe we’re too risk oriented. Perhaps we’re only confident talking at a network level. Or our business has adopted an agile methodology and our old practices are being seen as road blockers. Whatever the reason, we need to change the way we interact with development teams.
By understanding their context, speaking their language, enabling them with tools, and being seen as a trusted advisor – not the enemy – we can move at a pace and scale where security is baked in to our development culture across the organisation.
If you’re a security professional working within an organisation that does software development, or an IT manager looking to make the most of limited resources, this session is for you.
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover) - Nick Malcolm
Almost two thirds of confirmed breaches involve using weak or stolen passwords - it’s not a new threat, but it works. By the end of this talk you will understand the Account Takeover threat, and walk away with some techniques & tools for detection and response within your own web applications.
All aboard the Cyber Security Rollercoaster! - Nick Malcolm
Originally presented at ITx 2016: https://itx.nz/Programme/68/All-aboard-the-Cyber-Security-Rollercoaster
Not a day goes by where we don't hear of a website being hacked, a few hundred thousand user details being exposed, or another organisation scammed out of a pretty penny. The world of cyber security is hurtling along at breakneck pace.
Nick Malcolm will push the pause button and look back at the highs and lows of the last year's major security incidents, and see what we can learn from them.
He will look at our current position, and into the future: what threat trends and emerging risks await us around the bend?
He will then show some of the technologies and innovations which are helping to keep the web secure, educate the public, and empower IT professionals.
It's a rollercoaster, but it doesn't have to be scary - climb aboard and learn how to enjoy the ride!
This talk, originally given at WellRailed, dives into what timing attacks are, some examples, and how to defend against them.
A timing attack is when an attacker can learn things they shouldn’t by asking questions and measuring how long it takes you to respond.
Originally presented on 26 May 2016: www.meetup.com/wellrailed/events/231113047/
We can do a lot to secure our web-app backends, but ultimately our users' email and password are the front door, and they're notoriously insecure. This talk quickly shows you how to mitigate this attack vector by detecting and responding to login anomalies using ThisData's Login Intelligence API.
This talk was originally presented at Ruby Nights Auckland on March 24 2016: http://www.meetup.com/aucklandruby/events/228852539/
Adding Two Factor Authentication to your App with Authy - Nick Malcolm
This talk explains what two factor authentication is, and how to implement it in a Ruby on Rails app with Authy.
Originally presented at Auckland Ruby Nights on April 23 2015: http://www.meetup.com/aucklandruby/events/221958178/
A short overview of why ThisData uses CloudFlare, and what web app developers can get if they too use CloudFlare.
This was originally presented at Auckland Ruby Nights on Dec 16 2015: http://www.meetup.com/aucklandruby/events/227131243/
Slide 76 (@nickmalcolm):
“A blogger who went after the bcrypt hashes recovered only 4000 passwords in a week. In contrast, CynoSure Prime recovered the passwords for over 11 million of the MD5 hashes in about 10 days.”
- Paul Ducklin of “Naked Security”
Slide 84:
A pepper is a secret. It’s the same for all passwords. It’s stored far away from the passwords: in a vault, never in the users table alongside the salts and hashes.
Slide 85:
When a user logs in you take their password. You fetch the pepper from the vault. You “unlock” their hash, hash their input + salt, and compare. Phew!
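The slide above describes the pepper as a key that unlocks the stored hash. What follows is an added example written for this page, not code from the talk. It uses only the Python standard library, so the pepper is applied the other common way: as an HMAC key over the password before the slow hash, rather than as an encryption key over the stored hash. Either construction gives the property the slide is after, which is that a dumped users table (salts and hashes) cannot be verified without a secret that was never in the database. The PEPPER value, the PBKDF2 parameters and the register/verify names are assumptions for illustration.

```python
"""Added example: the full recipe - per-user salt, slow hash, pepper kept out of the DB.

Not code from the talk. Standard library only, so the pepper is an HMAC key
applied before the slow hash instead of a cipher key over the stored hash.
"""
import hashlib
import hmac
import secrets

# Constructed value. In production this comes from a vault/KMS or environment
# variable, never from the users table or the source tree.
PEPPER = bytes.fromhex("9f0c5d0a6c2e4d1b8a7f3e2c1d0b9a88")

# PBKDF2-HMAC-SHA256 at 600,000 rounds matches the OWASP Password Storage Cheat
# Sheet figure; the count is the "how many times must we stir" knob and should
# be raised as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def _slow_hash(password: str, salt: bytes, pepper: bytes, iterations: int) -> bytes:
    # Pepper first: HMAC(pepper, password). Without the pepper an attacker holding
    # salt + hash cannot even start guessing, because the PBKDF2 input is unknown.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Then the slow, salted stretch. The salt is public and unique per user.
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)


def register(password: str, pepper: bytes = PEPPER, iterations: int = ITERATIONS) -> dict:
    """Build the users-table row: random per-user salt, the round count, the hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _slow_hash(password, salt, pepper, iterations)
    # Storing the iteration count with the row lets you raise it for new users
    # and re-hash old rows at their next successful login.
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, row: dict, pepper: bytes = PEPPER) -> bool:
    """Login check: recompute with the stored salt and count, compare in constant time."""
    expected = bytes.fromhex(row["hash"])
    actual = _slow_hash(password, bytes.fromhex(row["salt"]), pepper, row["iterations"])
    # compare_digest avoids the timing side channel a plain == would leak.
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    row = register("banana")
    print(row)
    print(verify("banana", row))            # True
    print(verify("apple", row))             # False: wrong password
    print(verify("banana", row, b"wrong"))  # False: right password, wrong pepper
```

Two users who both pick "banana" get different rows because the salt is random per user, and a leaked row is useless to a cracker who does not also hold PEPPER, which is exactly why it must live somewhere other than the database.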
Using some cooking analogies we’ll learn about keeping secrets secret.
Will our password-storing creation rise deliciously to the occasion, or will it fall flat in disappointing despair?
Don your chef hat, and come with me.
As a chef, a new customer comes to you and says that their password is banana.
You take their banana, and put it on a labelled plate in the kitchen.
A week later that customer comes back and gives you a piece of fruit; you take it and compare it to the one you had before. If it’s a banana, they’re legit.
The users table in your database is the plates of fruit. Each plate is labelled, and the fruit on the plate is just sitting there. Nothing fancy.
All the chefs walking through the kitchen, and the wait staff, and the cleaners, can all see the fruit people have put on their plates.
Not only that, customers probably use the same fruit at many restaurants - the same password on many websites.
Someone who knows their fruit can walk to the restaurant down the street and get a meal on them.
Yes, Neopets is still around!
Now it’s not just people with access to the kitchen who have your guests’ passwords, it’s everyone!
So that was….
This is our plaintext password storage from the first recipe.
The next method of storing passwords (locking them in the fridge, i.e. encrypting them) was actually used in the wild, but we’ll get to that in a moment.
CyberChef recipe for the encryption example: 3DES in ECB mode, key “passwordpasswordpassword”, encrypting the input 111111:
https://gchq.github.io/CyberChef/#recipe=Triple_DES_Encrypt(%7B'option':'UTF8','string':'passwordpasswordpassword'%7D,%7B'option':'UTF8','string':''%7D,'ECB','Raw','Hex')&input=MTExMTEx
This is great! Now waitstaff, cleaners, other chefs, and lost guests can’t see the passwords.
They’re still in plaintext inside the fridge, but you can’t get in. Encryption is reversible, though: anyone who gets hold of the key gets every password back, and the key has to live somewhere the login code can reach it.
Because this recipe is deterministic (no per-user randomness), the same password will look the same every time. You can often tell roughly how long a password is, too, because the ciphertext grows with the plaintext.
In this example of bad encryption, you can get information about the length of the plaintext entry.
You can also see repetitions in the source data.
Both Kazoo and Sunny have passwords which start with the same string - the word “password”.
Also the company that stored passwords like this also decided to store plaintext password hints...
The key was never breached, but you could look at hints to guess the password. If you figure out one password, you can see all the other users in the table who used the same password. Or, if your own password is in there, you can look and see who else has a password that starts like yours does.
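To make the ECB leakage concrete, here is an added example (not from the talk, not the CyberChef recipe above) that models what the Adobe-style table gives away. Python's standard library has no 3DES, so a keyed per-block function (HMAC truncated to 8 bytes) stands in for the block cipher; a real ECB cipher is invertible and this toy is not, but the pattern is identical: same key plus same 8-byte block gives the same ciphertext block, and padding reveals the plaintext length to within one block. The user names and passwords are constructed.

```python
import hmac
import hashlib

BLOCK = 8  # 3DES block size in bytes; the toy below mirrors it (constructed example)


def _pad(data: bytes) -> bytes:
    """PKCS#7 padding up to a multiple of BLOCK (always adds 1..BLOCK bytes)."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def ecb_like_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB stand-in: every block is transformed independently with the same key.
    HMAC-SHA256 truncated to BLOCK bytes replaces the real block cipher; the
    leakage (identical blocks, padded length) is exactly what ECB shows."""
    padded = _pad(plaintext)
    out = bytearray()
    for i in range(0, len(padded), BLOCK):
        block = padded[i:i + BLOCK]
        out += hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]
    return bytes(out)


def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Count leading ciphertext blocks that two stored records have in common.
    Without the key this already tells you two passwords start the same way."""
    count = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        count += 1
    return count


def plaintext_length_range(ciphertext: bytes) -> tuple:
    """A ciphertext of k padded blocks came from (k-1)*BLOCK .. k*BLOCK-1 bytes,
    so the length of every password is known to within 8 bytes."""
    k = len(ciphertext) // BLOCK
    return ((k - 1) * BLOCK, k * BLOCK - 1)


def demo() -> dict:
    key = b"site-wide-secret-key"  # constructed; one key for the whole table
    records = {
        "Kazoo": ecb_like_encrypt(key, b"password123"),
        "Sunny": ecb_like_encrypt(key, b"password456"),
        "Cleo": ecb_like_encrypt(key, b"banana"),
    }
    return {
        "kazoo_sunny_shared": shared_prefix_blocks(records["Kazoo"], records["Sunny"]),
        "kazoo_cleo_shared": shared_prefix_blocks(records["Kazoo"], records["Cleo"]),
        "kazoo_len": plaintext_length_range(records["Kazoo"]),
        "cleo_len": plaintext_length_range(records["Cleo"]),
    }
```

Kazoo and Sunny share their first ciphertext block because both passwords begin with the 8 bytes "password"; Cleo's 6-byte "banana" pads to a single block, so her record is visibly shorter. A hash, which comes next in the recipe, removes both signals.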
Better, but still not very good.
Hashing
Specifically: Cryptographic Hashes.
Deterministic
Add a drop of hot sauce, and the smoothie will change drastically. (Not really, but…)
Although the hashes are very different, the length is still the same. This means we’re not giving away any extra information.
(Could also mention about locality-preserving hashes vs random output https://en.wikipedia.org/wiki/Locality-sensitive_hashing and https://en.wikipedia.org/wiki/Avalanche_effect)
Also a problem, but we’ll get to that
One-way
The output length is fixed no matter how much you put in. This is not how blenders work (more ingredients => more smoothie).
Hashing
Note that they are the same length!
The customer comes to you with a banana, and instead of storing the banana on a plate or in a locked fridge, you blend it.
When they come back later, they give you their fruit, you blend that too.
Then you do a taste test
Hash the pwd, compare it against the claimed user’s hashed password.
We hashed passwords with SHA1; that sounds good, right?
Identical input giving identical hashes is a built-in feature of hashes!
Most smoothies have banana in them.
Most passwords are “password”.
In anticipation of a big breach, instead of trying to brute force them at the time, I could build up a list.
MD5d passwords
Well that’s MD5, what about a different hash, a different blender?
Not very seriously, like Last FM
https://blog.linkedin.com/2016/05/18/protecting-our-members
But they were breached in 2012, and either didn’t know or didn’t tell them!
MD5d passwords
https://haveibeenpwned.com/PwnedWebsites#LinkedIn
Zuck used “dadada” as his LinkedIn password, and reused that password on Twitter and Pinterest.
What could we do so that rainbow tables don’t work, and common passwords aren’t as obvious?
It’s not chosen by the user. Two users with the same requested ingredients will get different smoothies.
This way the chef doesn’t need to remember whether it was Himalayan or rock salt.
And check it against the hash in the DB.
Storing the salt alongside the hash allows you to recompute the hash identically, assuming you’re given the same input at the start.
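An added example (not code from the talk) that shows the two slides just covered side by side: the "identical hashes" problem of a bare hash, and how storing a random per-user salt next to the hash fixes it while still letting the app recompute the same value at login. The usernames and passwords are constructed. SHA-256 is used here only to keep the point about salts visible; it is still a fast blender, which is the next slide's problem.

```python
import hashlib
import hmac
import os


def unsalted_hash(password: str) -> str:
    """A bare cryptographic hash. Deterministic, so every user with the same
    password gets the same row value, and a precomputed list works."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Mix a per-user salt in with the password before hashing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store(password: str) -> dict:
    """What the app writes to the users table: the salt (not secret) beside the hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(salted_hash(password, salt), record["hash"])


def duplicate_groups(rows: dict) -> list:
    """Group usernames whose stored value is identical. On an unsalted table this
    reveals who shares a password; on a salted table it finds nothing."""
    by_value = {}
    for user, value in rows.items():
        by_value.setdefault(value, []).append(user)
    return [users for users in by_value.values() if len(users) > 1]


def demo() -> dict:
    # Constructed users; two of them chose the same password.
    pw = {"kazoo": "banana", "sunny": "banana", "cleo": "Tr0ub4dor&3"}
    unsalted = {u: unsalted_hash(p) for u, p in pw.items()}
    salted = {u: store(p) for u, p in pw.items()}
    return {
        "unsalted_dupes": duplicate_groups(unsalted),
        "salted_dupes": duplicate_groups({u: r["hash"] for u, r in salted.items()}),
        "all_same_length": len({len(h) for h in unsalted.values()}) == 1,
        "verify_ok": verify("banana", salted["kazoo"]),
        "verify_wrong": verify("bananas", salted["kazoo"]),
    }
```

The unsalted table immediately pairs kazoo with sunny; the salted one does not, yet `verify` still works because the salt is read back from the record. Every digest is the same length regardless of the password, which is the "no extra information" property from the hashing slide.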
Salts don’t do anything to stop brute forcing passwords.
An attacker can’t use a pre-computed rainbow table,
and they can’t see where folks have reused passwords, but if you’ve used a fast blender, they can crank through passwords one by one.
Especially if users use weak passwords.
Because it was MD5 it was incredibly easy for researchers to brute force the passwords.
https://www.vice.com/en_us/article/z4j5g4/restaurant-app-zomato-says-your-stolen-password-is-fine-but-is-it
This is called a “work factor”, or “rounds”. Different algorithms let you tune it in different ways.
These four options are safe choices, give you a configurable work factor, and handle the salt for you.
Don’t make your own blender.
PBKDF2 will be familiar to .NET and Django developers. It’s getting a little old. One popular cryptographer called it “the worst of the acceptable options”.
Bcrypt has been around since 1999. It’s pretty good and really easy to use, but doesn’t stand up against parallel or GPU-powered brute forcing as well as scrypt and argon2. It’s commonly found in Rails and PHP apps.
Scrypt addresses some of bcrypt’s issues, and is a solid choice, but not super common.
Argon2 is the new kid on the block, and recommended as the best choice today.
“Winner of a several year project to identify a successor to bcrypt/PBKDF/scrypt methods of securely storing passwords”
Like bcrypt, Argon2id will choose the salt for you, let you customise and change how slowly it blends, and also has something extra we’ll get to soon.
There are a few strategies for this that I don’t have time to go into,
but the OWASP password cheat sheet explores them.
Just realise that some ways of changing are better than others.
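The work-factor slides and the "changing how slowly it blends" slide fit one example, so here is an added one (not from the talk) using PBKDF2-HMAC-SHA256 from Python's standard library, since Argon2 needs a third-party package. The stored record carries its own algorithm name and iteration count, which is what makes a later work-factor change possible: when a user logs in with an old record, the plaintext is briefly available, so the record is rehashed at the current cost and written back. The iteration counts are kept deliberately low so the example runs quickly; production values belong to the OWASP cheat sheet, not this snippet.

```python
import hashlib
import hmac
import os

# Work factor applied to new hashes. Low here so the example is quick;
# take the production figure from the OWASP Password Storage Cheat Sheet.
CURRENT_ITERATIONS = 20_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, salt, hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str) -> tuple:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported record format")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and work factor, compare in constant time."""
    iterations, salt, digest = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str) -> bool:
    """True when the record was made with a weaker work factor than today's policy."""
    iterations, _, _ = _parse(record)
    return iterations < CURRENT_ITERATIONS


def login(password: str, record: str) -> tuple:
    """Verify, and if the record is below policy return a fresh one to write back.
    Returns (success, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record
```

Because the iteration count travels with the record, raising `CURRENT_ITERATIONS` never breaks existing logins; old records simply verify at their old cost and are replaced on the next successful login. A failed login leaves the record untouched.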
Side note: Canva’s response was actually pretty good. Better than others. (Still not great: https://www.smartcompany.com.au/startupsmart/analysis/canva-data-breach-response/)
But the database is out there, and there will be people who are targeting specific accounts and trying to brute force those passwords.
https://nakedsecurity.sophos.com/2015/09/10/11-million-ashley-madison-passwords-cracked-in-10-days/
In July 2017, Avid Life Media (renamed Ruby Corporation) agreed to settle two dozen lawsuits stemming from the breach for $11.2 million.
https://en.wikipedia.org/wiki/Ashley_Madison_data_breach
https://arstechnica.com/information-technology/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
If the database server is misconfigured, if there’s SQL injection, if a backup goes missing, an attacker has access to a table of salted hashes.
If not that, then what?
Remember that salts were like a label stuck to a smoothie. They weren’t a secret, they just made hashes unique.
A pepper is not stuck to the smoothie. It’s stored elsewhere, like KFC’s 11 Secret Herbs and Spices.
You might store it in your app config, or in a hardware security module.
All passwords are encrypted and decrypted by the application, using this secret.
Like when you set a password on zip file, or your WiFi, or your password manager app.
The same password lets you unlock the secrets each time.
If you get SQLi, or find a misplaced backup, or steal the database’s hard disk, you’re stuck.
You are missing the key.
If you compromise a web app, maybe you can get the salted hashes from there.
Again, not foolproof, but it’d stop many of the breaches we’ve discussed from being possible.
Argon2id has native support for peppers.
https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/
They adopted this model sometime after their breach of 68,648,009 passwords, half of which were SHA1 and half were bcrypt.
Dropbox was breached in 2012, because an employee who had access to the password records was reusing a password exposed in the LinkedIn dump!
You’re basically buying your users time to change their passwords if there’s a breach.
A determined attacker can still try to brute force a pepper,
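An added example (not from the talk or the Dropbox post) of one way to add a pepper: the password is first bound to a server-side secret with HMAC, and only that result goes through the salted, slow hash. The database row holds the salt and the hash; the pepper lives in app config or an HSM, as the slides describe. With Argon2 from a library the secret would be passed in directly instead of this pre-hash step. PBKDF2 with a low iteration count stands in for the slow blender here; the pepper and password values are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the example runs quickly; not a production value


def pre_hash(pepper: bytes, password: str) -> bytes:
    """Bind the password to the server-side secret before it reaches the KDF."""
    return hmac.new(pepper, password.encode(), hashlib.sha256).digest()


def store_peppered(pepper: bytes, password: str) -> dict:
    """Only the salt and the hash go in the database; the pepper never does."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pre_hash(pepper, password), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_peppered(pepper: bytes, password: str, record: dict) -> bool:
    """Verification needs the pepper as well as the row, so a stolen table alone is not enough."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", pre_hash(pepper, password), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> dict:
    real_pepper = os.urandom(32)   # constructed; in production loaded from config or an HSM
    wrong_pepper = os.urandom(32)  # what someone holding only the database would have to guess
    record = store_peppered(real_pepper, "banana")
    return {
        "with_pepper": verify_peppered(real_pepper, "banana", record),
        "without_pepper": verify_peppered(wrong_pepper, "banana", record),
        "wrong_password": verify_peppered(real_pepper, "bananas", record),
    }
```

The same row verifies with the real pepper and fails with any other, which is the "you are missing the key" situation from the slides. The trade-off is operational: losing the pepper means nobody can log in, and rotating it requires an upgrade-on-login step like the work-factor change earlier.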
We’ve focused on storage, but there are lots of other factors when it comes to good authentication.
All these could be their own topics
What we have talked about is how to store passwords properly, if that’s what we need to do
In summary
Cheat sheet has examples and references
For the blender you’re using, how to set it to the right blend-time.
Wikipedia can give you insight into the mechanics of the blenders, how they work, the actual values they store in the database, etc
The paragonie blog has legit code snippets for argon2, bcrypt, and scrypt, for PHP, Node, .Net, Ruby, Java, Python
Adobe Breach
https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
https://filippo.io/analyzing-the-adobe-leaked-passwords/
Argon2
https://medium.com/@mpreziuso/password-hashing-pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e
Code snippets for password storage for PHP, .Net, Java, and Ruby
https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016