Credentials are not passed around when source code is shared. Unintentional exposure of source code does not reveal credentials. Read-access to source code can be much more permissive. Source code can be checked into version control systems without concern for exposure of credentials. It is easier to change credentials without having to worry about changing all instances. Leaving credentials in source code leads to poor password management in general. If changing a credential requires you to change code, you are less likely to want to do it.

1. Passw3rd
Neil Matatall – neil@matatall.com - @nilematotle
OWASP LA
November 30, 2011

2. Remember…

3. What is it?
• Cross-platform, cross-language password management for
applications
• A tool that keeps passwords out of code and configuration
files, but keeps them in encrypted files
• Keys for development/test environments can be checked in to
version control, production keys must be protected

4. Nerd stuff
• Uses openssl to generate an AES-256 key and IV (configurable)
• The keys are stored in a location protected by OS access
controls
• The password files are generated which store an encrypted
version of the password
• Encryption is done using the CBC and CFB modes of operation

5. Gotchas
• EACH WEB APPLICATION MUST RUN AS A SEPARATE USER
• But you already knew that
• Why? Because one application can read any password file owned
by the same user/group/etc.
• Can’t protect from in memory access
• Anyone can put a logger in and see the password…

6. Give me the run down
• Generate keys:
passw3rd –g <path>
generated keys in /Users/neil
(creates .passw3rd-encryptionIV and .passw3rd-encryptionKey)
• Create a password file
$ passw3rd –e file_name <-p path> <-k path>
Enter the password:
Wrote password to /Users/neil/file_name
• Verify the password can be retrieved
$ passw3rd –d file_name <-p path> <-k path>
The password is: asdf
At the moment, there is only a ruby command line client. And I
intend to keep it that way. It’s just a pain to maintain.

7. Business model

8. Phase 1: Find Passwords
development:
adapter: mysql
database: rails_development
username: app_user
password: my super secret password

9. Phase 1: Collect Passwords
development:
adapter: mysql
database: rails_development
username: app_user
password: <%=get_password(’app’)%>

10. Phase 1: Ensure Safety
• While you collect passwords, take note of accounts that do
not have separate dev/prod accounts.
• Passw3rd is useless if all of your passwords are the same in
each environment.

11. Phase 2
CHANGE ALL PASSWORDS!!!!

12. Phase 3: Profit
• Need a password rotation?
• Fine, just create a new password file for the affected accounts
• Need a new server?
• Just make the keys part of your build script
• Need to rotate your key?
• Trivial, decrypt with the old, encrypt with the new
• Use the key rotation script
Wait, hold on a second you can’t change…
oh yeah that sounds like a good idea…

13. Performance
$ time ruby -e "require 'passw3rd’; X.times
{Passw3rd::PasswordService.get_password('asdf')}”
• X = 100: 0.281s
• X = 1,000: 0.359s
• X = 10,000: 1.081s
• X = 100,000: 8.372s
• X = 1,000,000: 1m21.007s
This is without optimization, the file is opened and read during
each iteration

14. Passw3rd Current Support
The ruby library supports URIs, java not so much 

15. Passw3rd Future Support
• Python
• .NET
• PHP
• <your language here>
• Passw3rd is an official OWASP project, so there is an entire
community behind it
https://www.owasp.org/index.php/OWASP_Passw3rd_Project#tab=Project_About

16. Roadmap
• Key rotation script
• Cipher changing script
• URI support
• Client cert support coming
• Audit logging
• Clone password sets
• Multi-key support???
• Portable passw3rd profiles (one file per
app)???
• Load encrypted password files in memory for
rapid sequential decryption???
Be my guest
https://github.com/oreoshake/passw3rd/issues

17. Go collect some underwear!
http://www.itd.umich.edu/posters/

18. neil@matatall.com - @nilematotle
Questions?
https://github.com/oreoshake/passw3rd
https://github.com/oreoshake/passw3rd_java