SlideShare a Scribd company logo
JIM MANICO Secure Coding Instructor www.manicode.com
Secure Password Policy and Storage
COPYRIGHT ©2019 MANICODE SECURITY
A little background dirt…
jim@manicode.com
@manicode
 Former OWASP Global Board Member
 Project manager of the
OWASP Cheat Sheet Series and
several other OWASP projects
 20+ years of software
development experience
 Author of "Iron-Clad Java,
Building Secure Web Applications”
from McGraw-Hill/Oracle-Press
 Kauai, Hawaii Resident
2
COPYRIGHT ©2019 MANICODE SECURITY 3
WARNING: Please do not attempt to hack any
computer system without legal permission to do so.
Unauthorized computer hacking is illegal and can
be punishable by a range of penalties including
loss of job, monetary fines and possible imprisonment.
ALSO: The Free and Open Source Software presented in these
materials are examples of good secure development tools and
techniques. You may have unknown legal, licensing or technical issues
when making use of Free and Open Source Software. You should consult
your company's policy on the use of Free and Open Source Software
before making use of any software referenced in this material.
COPYRIGHT ©2019 MANICODE SECURITY
Authentication: Where are we going?
4
Modern Password Policy
Importance of Password Storage
Hashing and Salting
Adaptive Storage Algorithms
Other Considerations
COPYRIGHT ©2019 MANICODE SECURITY
COPYRIGHT ©2019 MANICODE SECURITY
Modern Password Policy
6
COPYRIGHT ©2019 MANICODE SECURITY
Do Not Limit the Password Strength
 Limiting passwords to protect against
injection is doomed to failure
 Use query parameterization and other
defenses instead
 Be sure to at least limit password size.
Very long passwords can cause DoS
7
COPYRIGHT ©2019 MANICODE SECURITY
Use a Modern Password Policy Scheme
 Consider the password policy suggestions
from NIST
 Do not depend on passwords as a sole
credential. It's past time to move to MFA.
 Encourage and train your users to use a
password manager.
8
COPYRIGHT ©2019 MANICODE SECURITY
Credential Stuffing Safeguards
9
Stuffing Live Defense
 Block use of known username/password pairs from past breaches
 Implement Multi Factor Authentication (see below)
 Consider avoiding email addresses for username
 Bot Detection
3rd Party Password Breach Response
 Scan for use of known username/password pairs from new
breach against entire existing userbase
 Immediately invalidate user of existing username/password pairs
 Force password reset on effected users
COPYRIGHT ©2019 MANICODE SECURITY
Special Publication SP800-63-B: Digital AuthN Guidelines
Favor the user. To begin with, make your password policies
user friendly and put the burden on the verifier when possible.
10
At least 8 characters and allow up to 64 (16+ Better)
Throttle or otherwise manage brute force attempts
Don’t force unnatural password special character rules
Don’t use password security questions or hints
No more mandatory password expiration for the sake of it
Allow all printable ASCII characters including spaces, and should
accept all UNICODE characters, too… including emoji.
Do not limit the characters of passwords
Check against a list of common passwords
Block context-specific passwords like the username or service name
Check against a list breached username/password pairs
COPYRIGHT ©2019 MANICODE SECURITY
Password Management Summary
Core Password Policy Rules (NIST 800-63 inspired)
• Do not limit the characters or length of user password
• Use a modern password policy scheme
• Enforce password length of at least 8 characters and allow up to 64 or
more (16+ better)
• Check against a list of common passwords (new!)
• Check against a list of breached and exposed username/password pairs
(credential stuffing) (new!)
• Do not enforce special character type rules on passwords (new!)
• Do not force mandatory expiration unless there is a good reason (new!)
• Throttle or otherwise manage brute force attempts
Additional Considerations (Dr De Ryck Suggestions)
• Include a password strength meter
• Ensure your password system is compatibility with password managers
• Offer an option to show the password while typing for mobile devices
11
COPYRIGHT ©2019 MANICODE SECURITY
Credential Strength / Password Policy
 Users will make as simple passwords as you allow them to
 Users will use the same password on multiple websites
 Implement server-side enforcement
of password syntax and strength
– Minimum length
– Numbers/Symbols/Uppercase/Lowercase
– Ban commonly used passwords
– Ban passwords with dictionary words
– Ban commonly used password topologies
https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies
– Force multiple users to use different password topologies
– Require a minimum topology change between old and new passwords
 Also consider JavaScript password meters
Reference:
"Your password complexity requirements are worthless” https://www.youtube.com/watch?v=zUM7i8fsf0g
12
COPYRIGHT ©2019 MANICODE SECURITY
Password1!
13
COPYRIGHT ©2019 MANICODE SECURITY
Twitter Password Ban-List: August 2014
14
8675309
987654
nnnnnn
nop123
nop123
nopqrs
noteglh
npprff
npprff14
npgvba
nyoreg
nyoregb
nyrkvf
nyrwnaqen
nyrwnaqeb
nznaqn
nzngrhe
nzrevpn
naqern
naqerj
natryn
natryf
navzny
nagubal
ncbyyb
nccyrf
nefrany
neguhe
nfqstu
nfqstu
nfuyrl
nffubyr
nhthfg
nhfgva
onqobl
onvyrl
onanan
onearl
onfronyy
ongzna
orngevm
ornire
ornivf
ovtpbpx
ovtqnqql
ovtqvpx
ovtqbt
ovtgvgf
oveqvr
ovgpurf
ovgrzr
oynmre
oybaqr
oybaqrf
oybjwbo
oybjzr
obaq007
obavgn
obaavr
obbobb
obbtre
obbzre
obfgba
oenaqba
oenaql
oenirf
oenmvy
oebapb
oebapbf
ohyyqbt
ohfgre
ohggre
ohggurnq
pnyiva
pnzneb
pnzreba
pnanqn
pncgnva
pneybf
pnegre
pnfcre
puneyrf
puneyvr
purrfr
puryfrn
purfgre
puvpntb
puvpxra
pbpnpbyn
pbssrr
pbyyrtr
pbzcnd
pbzchgre
pbafhzre
pbbxvr
pbbcre
pbeirggr
pbjobl
pbjoblf
pelfgny
phzzvat
phzfubg
qnxbgn
qnyynf
qnavry
qnavryyr
qroovr
qraavf
qvnoyb
qvnzbaq
qbpgbe
qbttvr
qbycuva
qbycuvaf
qbanyq
qentba
qernzf
qevire
rntyr1
rntyrf
rqjneq
rvafgrva
rebgvp
rfgeryyn
rkgerzr
snypba
sraqre
sreenev
sveroveq
svfuvat
sybevqn
sybjre
sylref
sbbgonyy
sberire
serqql
serrqbz
shpxrq
shpxre
shpxvat
shpxzr
shpxlbh
tnaqnys
tngrjnl
tngbef
trzvav
trbetr
tvnagf
tvatre
tvmzbqb
tbyqra
tbysre
tbeqba
tertbel
thvgne
thaare
unzzre
unaanu
uneqpber
uneyrl
urngure
uryczr
uragnv
ubpxrl
ubbgref
ubearl
ubgqbt
uhagre
uhagvat
vprzna
vybirlbh
vagrearg
vjnagh
wnpxvr
wnpxfba
wnthne
wnfzvar
wnfcre
wraavsre
wrerzl
wrffvpn
wbuaal
wbuafba
wbeqna
wbfrcu
wbfuhn
whavbe
whfgva
xvyyre
xavtug
ynqvrf
ynxref
ynhera
yrngure
yrtraq
yrgzrva
yrgzrva
yvggyr
ybaqba
ybiref
znqqbt
znqvfba
znttvr
zntahz
znevar
znevcbfn
zneyobeb
znegva
zneiva
znfgre
zngevk
znggurj
znirevpx
znkjryy
zryvffn
zrzore
zreprqrf
zreyva
zvpunry
zvpuryyr
zvpxrl
zvqavtug
zvyyre
zvfgerff
zbavpn
zbaxrl
zbaxrl
zbafgre
zbetna
zbgure
zbhagnva
zhssva
zhecul
zhfgnat
anxrq
anfpne
anguna
anhtugl
app1701
arjlbex
avpubynf
avpbyr
avccyr
avccyrf
byvire
benatr
cnpxref
cnagure
cnagvrf
cnexre
cnffjbeq
cnffjbeq
cnffjbeq1
cnffjbeq12
cnffjbeq123
cngevpx
crnpurf
crnahg
crccre
cunagbz
cubravk
cynlre
cyrnfr
cbbxvr
cbefpur
cevapr
cevaprff
cevingr
checyr
chffvrf
dnmjfk
djregl
djreglhv
enoovg
enpury
enpvat
envqref
envaobj
enatre
enatref
erorppn
erqfxvaf
erqfbk
erqjvatf
evpuneq
eboreg
eboregb
ebpxrg
ebfrohq
ehaare
ehfu2112
ehffvn
fnznagun
fnzzl
fnzfba
fnaqen
fnghea
fpbbol
fpbbgre
fpbecvb
fpbecvba
fronfgvna
frperg
frkfrk
funqbj
funaaba
funirq
fvreen
fvyire
fxvccl
fynlre
fzbxrl
COPYRIGHT ©2019 MANICODE SECURITY
Why
Password
Storage?
15
COPYRIGHT ©2019 MANICODE SECURITY
"Researchers asked 43 freelance
developers to code the user registration for
a web app and assessed how they
implemented password storage. 26 devs
initially chose to leave passwords as
plaintext."
https://net.cs.uni-
bonn.de/fileadmin/user_upload/naiakshi/Nai
akshina_Password_Study.pdf
16
COPYRIGHT ©2019 MANICODE SECURITY
Why and
When
does
Password
Storage
Matter?
When considering password storage
strategies please note we are most
concerned about offline attacks.
Password Storage matters most after
your website is breached and attackers
have a copy of your stored password
data to analyze offline.
Attackers can achieve
supercomputing capability to discover
your password.
Using cloud services, computers with
many GPU's or custom hardware,
attackers can attempt trillions of
attempts per second to discover (or
"crack") stolen password data.
COPYRIGHT ©2019 MANICODE SECURITY 18
COPYRIGHT ©2019 MANICODE SECURITY
Password Storage Defense Overview
19
Offline Attacks Online Attacks
 Avoid Hashing or Encryption by itself
for password storage
 Use proper password hashing
 Use random and unique
per-user salts
– Less effective against targeted
attacks, but use them anyhow
 Strict Password Policy
 Ban top X commonly used passwords
 Ban top X commonly used passwords
 Rate limiting
 Multi-factor authentication
 Behavior Analysis
– Trojan Combat
 Anti-Phishing
– Early detection and takedown
 Good Network Security
Reference: http://www.openwall.com/presentations
COPYRIGHT ©2019 MANICODE SECURITY
Cha-Ching! Estimated cost of hardware to crack password in 1 year
20
KDF 6 letters 8 letters 8 chars 10 chars 40-char text 80-char text
DES CRYPT <$1 <$1 <$1 <$1 <$1 <$1
MD5 <$1 <$1 <$1 $1.1k $1 $1.5T
MD5 CRYPT <$1 <$1 $130 $1.1M $1.4k $1.5 x 1015
PBKDF2 (100ms) <$1 <$1 $18k $160M $200k $2.2 x 1017
Bcrypt (95 ms) <$1 $4 $130k $1.2B $1.5M $48B
Scrypt (64 ms) <$1 $150 $4.8M $43B $52M $6 x 1019
PBKDF2 (5.0 s) <$1 $29 $920k $8.3B $10M $11 x 1018
Bcrypt (3.0 s) <$1 $130 $4.3M $39B $47M $1.5T
Scrypt (3.8 s) $900 $610k $19B $175T $210B $2.3 x 1023
Research by Colin Percival, https://www.tarsnap.com/scrypt/scrypt.pdf,
STRONGER KEY DERIVATION VIA SEQUENTIAL MEMORY-HARD FUNCTIONS
COPYRIGHT ©2019 MANICODE SECURITY
Let’s Get Crackin’!
21
COPYRIGHT ©2019 MANICODE SECURITY
Wow.
Just… wow.
22
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours
COPYRIGHT ©2019 MANICODE SECURITY
Online
Hashcracking
Services
23
md5("86e39e7942c0password123!") = f3acf5189414860a9041a5e9ec1079ab
md5("password123!") = b7e283a09511d95d6eac86e39e7942c0
COPYRIGHT ©2019 MANICODE SECURITY
Password Storage Best Practices Overview
24
Store passwords as an
HMAC + good key
management as an extra
step
3
Use ARGON2i, bcrypt,
scrypt on the hash
2
Hash the salted password
using SHA2-512 or
another strong hash
1
COPYRIGHT ©2019 MANICODE SECURITY 25
Hash the Password
With a Strong Hash
 If you ONLY hash a password it will be discovered in
a very short amount of time, especially for short
passwords. This is just one of several steps.
– Long passwords can cause DOS
– bcrypt truncates long passwords to 72 bytes, reducing the
strength of passwords
 By applying the very fast algorithm SHA2-512 we can
quickly reduce long passwords to 512 bits, solving
both problems
 https://blogs.dropbox.com/tech/2016/09/how-
dropbox-securely-stores-your-passwords/
1
COPYRIGHT ©2019 MANICODE SECURITY 26
Leverage an Password Hasher
 bcrypt includes a work factor or time cost which defines
the execution time
 scrypt includes a time cost as well as a memory cost,
which defines the memory usage
 Argon2i includes a time cost, a memory cost and
a parallelism degree, which defines the number of
threads
 Make the work factor and memory cost as strong as you
can tolerate and increase it over time!
Imposes difficult verification on the attacker and defender!
2
Is hash cracking really that fast?
MD5 SHA1 BCRYPT(13)
Hashespersecond
200,000 million
68 million
390
@PhilippeDeRyckDR. PHILIPPE DE RYCK
Java bcrypt
iterationCount: at least 13
** Change Password at Iteration Count Change Time
@PhilippeDeRyckDR. PHILIPPE DE RYCK
COPYRIGHT ©2019 MANICODE SECURITY 29
bcrypt in PHP
bcrypt in .NET
 string password_hash
( string $password , integer $algo [, array $options ] )
 Uses the bcrypt algorithm (default as of PHP 5.5.0)
 https://github.com/BcryptNet/bcrypt.net
COPYRIGHT ©2019 MANICODE SECURITY
GPU Attacks on Modern Password KDF's
30
PBKDF2-HMAC-SHA-1
PBKDF2-HMAC-SHA-256
PBKDF2-HMAC-SHA-512
bcrypt
scrypt
STRONGER
Reference: Openwall and http://www.openwall.com/presentations/
COPYRIGHT ©2019 MANICODE SECURITY
ASIC/FPGA Attacks on Modern Password Hashes
31
PBKDF2-HMAC-SHA-1
PBKDF2-HMAC-SHA-256
PBKDF2-HMAC-SHA-512
scrypt below 16 MB
bcrypt (uses 4 KB)
scrypt at 16 MB
scrypt above 32 MB
STRONGER
Reference: Openwall and http://www.openwall.com/presentations/
COPYRIGHT ©2019 MANICODE SECURITY 32
Leverage Keyed Protection Solution
 AES or HMAC-SHA-256([key], [salt] + [credential])
 Protect this key as any private key using best
practices
 Store the key outside the credential store
 Isolate this process outside of your application layer
Imposes difficult verification on the attacker only!
3
COPYRIGHT ©2019 MANICODE SECURITY
YubiHSM: a USB Dongle for Servers
YubiHSM in a server’s internal USB port. Photo © Yubico, reproduced under the fair use doctrine.
33
COPYRIGHT ©2019 MANICODE SECURITY
HMAC’s in Action for YubiHSM
 KEY for HMAC stored in
local key database only,
not retrievable
 Key handle is the HSM ID
 Data is password or KDF
of Password
 HMAC @ Final is final
computed password hash
34
HMAC-SHA1
Key
Handle
Reset/F
inal
Data
Key Data
Base
HMAC @ Final
YubiHSM
Diagram © Yubico, reproduced under the fair use doctrine.
COPYRIGHT ©2019 MANICODE SECURITY
Facebook Password Storage "The Onion"
35
COPYRIGHT ©2019 MANICODE SECURITY
Basic Password Storage Workflow
(with hashing, bcrypt and AES)
Imposes difficult verification on the attacker and defender!
Also adds a keyed round!
36
pwHash = SHA-512(password);
adaptiveHash = bcrypt(512 bit pwHash, 13)
FinalCiphertext = AES-GCM(adaptiveHash, secretKey)
COPYRIGHT ©2019 MANICODE SECURITY
Basic Password Verification Workflow
(with hashing, bcrypt and AES)
37
submittedPWHash = SHA-512 (submittedPassword);
T/F = bcrypt_compare(submittedPWHash, adaptiveHashDatabase)
adaptiveHashDatabase = Decrypt AES-GCM(CiphertextDatabase, key)
Password Storage Summary
• Passwords are an attractive target in data breaches
Insecure backups or SQL injection vulnerabilities are the tip of the iceberg
Prepare for the worst.
Implement a secure password storage mechanism
• Legacy password storage mechanisms cannot withstand
modern attacks
Encryption can be broken by stealing the encryption key
Hashing can be broken by lookup tables or brute force attacks
• The proper way to store passwords is using a password-
hashing function like bcrypt, scrypt or Argon2
The variable cost factor makes the algorithm too expensive to brute force
• Legacy systems should be upgraded ASAP to a more
secure storage mechanism
@PhilippeDeRyckDR. PHILIPPE DE RYCK
COPYRIGHT ©2019 MANICODE SECURITY
Additional Topics
• How to upgrade legacy systems
• Storage of security questions, multi-factor
information and other authentication
verificatation information
• What to do in case of a breach
• Authentication mechanisms that do not
require passwords or password storage
• Performance and scale considerations
39
COPYRIGHT ©2019 MANICODE SECURITY
Other Considerations
40
COPYRIGHT ©2019 MANICODE SECURITY
Do Not Hardcode Passwords or Keys!
41
if ("DoTheStankyLeg1".equals(password)) {
//why the heck why not?
admin=true;
}
static final String DB_URL = "jdbc:mysql://192.168.1.45/";
static final String USER = "root";
static final String PASS = "BringBackJarJar99!";
 Hard Coded Passwords may expose elevated access to
critical systems to individuals who have product detail visibility
 Hard Coded Passwords may lead to back doors that can
weaken the system
Please store critical passwords in a application secrets vault!
COPYRIGHT ©2019 MANICODE SECURITY
Authentication: Where are we going?
42
Modern Password Policy
Importance of Password Storage
Hashing and Salting
Adaptive Storage Algorithms
Other Considerations
JIM MANICO Secure Coding Instructor www.manicode.com
It’s been a pleasure.
jim@manicode.com

More Related Content

What's hot

http security response headers for web security
http security response headers for web securityhttp security response headers for web security
http security response headers for web security
Olatunji Adetunji
 
Brute force
Brute forceBrute force
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )
Katy Slemon
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Hajer alriyami
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
drewz lin
 
Internet security tutorial
Internet security tutorialInternet security tutorial
Internet security tutorial
iuvmtech
 
Dos and Don'ts of Internet Security
Dos and Don'ts of Internet SecurityDos and Don'ts of Internet Security
Dos and Don'ts of Internet Security
Quick Heal Technologies Ltd.
 
Password based cryptography
Password based cryptographyPassword based cryptography
Password based cryptography
Ishraq Al Fataftah
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
How to analyze cyber threats
How to analyze cyber threatsHow to analyze cyber threats
How to analyze cyber threats
AkankshaPathak27
 
Brute force attack
Brute force attackBrute force attack
Brute force attack
Jamil Ali Ahmed
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
Mahmoud Ibra
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
jakobkorherr
 
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
WORDPRESS SECURITY: HOW TO AVOID BEING HACKEDWORDPRESS SECURITY: HOW TO AVOID BEING HACKED
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
StuartJDavidson.com
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
Jeremiah Grossman
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
أحلام انصارى
 
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionHow Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat Detection
NowSecure
 
Why Two-Factor Isn't Enough
Why Two-Factor Isn't EnoughWhy Two-Factor Isn't Enough
Why Two-Factor Isn't Enough
SecureAuth
 
Iranian Cyber Espionage Using LinkedIn, Facebook, Twitter to target thousands
Iranian Cyber Espionage Using LinkedIn, Facebook, Twitter to target thousandsIranian Cyber Espionage Using LinkedIn, Facebook, Twitter to target thousands
Iranian Cyber Espionage Using LinkedIn, Facebook, Twitter to target thousands
isightpartners
 
Ten Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things SecurityTen Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things Security
Dean Bonehill ♠Technology for Business♠
 

What's hot (20)

http security response headers for web security
http security response headers for web securityhttp security response headers for web security
http security response headers for web security
 
Brute force
Brute forceBrute force
Brute force
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
Internet security tutorial
Internet security tutorialInternet security tutorial
Internet security tutorial
 
Dos and Don'ts of Internet Security
Dos and Don'ts of Internet SecurityDos and Don'ts of Internet Security
Dos and Don'ts of Internet Security
 
Password based cryptography
Password based cryptographyPassword based cryptography
Password based cryptography
 
BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!BSides Cincy: Active Defense - Helping threat actors hack themselves!
BSides Cincy: Active Defense - Helping threat actors hack themselves!
 
How to analyze cyber threats
How to analyze cyber threatsHow to analyze cyber threats
How to analyze cyber threats
 
Brute force attack
Brute force attackBrute force attack
Brute force attack
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
 
Introduction to web security @ confess 2012
Introduction to web security @ confess 2012Introduction to web security @ confess 2012
Introduction to web security @ confess 2012
 
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
WORDPRESS SECURITY: HOW TO AVOID BEING HACKEDWORDPRESS SECURITY: HOW TO AVOID BEING HACKED
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
How Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat DetectionHow Android and iOS Security Enhancements Complicate Threat Detection
How Android and iOS Security Enhancements Complicate Threat Detection
 
Why Two-Factor Isn't Enough
Why Two-Factor Isn't EnoughWhy Two-Factor Isn't Enough
Why Two-Factor Isn't Enough
 
Iranian Cyber Espionage Using LinkedIn, Facebook, Twitter to target thousands
Iranian Cyber Espionage Using LinkedIn, Facebook, Twitter to target thousandsIranian Cyber Espionage Using LinkedIn, Facebook, Twitter to target thousands
Iranian Cyber Espionage Using LinkedIn, Facebook, Twitter to target thousands
 
Ten Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things SecurityTen Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things Security
 

Similar to SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim Manico

Chapter 11 Authentication and Account Management
Chapter 11 Authentication and Account ManagementChapter 11 Authentication and Account Management
Chapter 11 Authentication and Account Management
Dr. Ahmed Al Zaidy
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security Checklist
Pixel Crayons
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Cybersecurity Interview Questions_Part1.pdf
Cybersecurity Interview Questions_Part1.pdfCybersecurity Interview Questions_Part1.pdf
Cybersecurity Interview Questions_Part1.pdf
infosec train
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
Klaus Drosch
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
Rare Input
 
Train Employees to Avoid Cybercrime
Train Employees to Avoid CybercrimeTrain Employees to Avoid Cybercrime
Train Employees to Avoid Cybercrime
Human Resources & Payroll
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
Jeremiah Grossman
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
Miguel Ibarra
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
NowSecure
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified — Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified — Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Imperva Incapsula
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
NowSecure
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy Query
Gloria Stoilova
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
Nicholas Davis
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
Jiri Danihelka
 
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET-  	  Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET-  	  Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET Journal
 
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
ijistjournal
 
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
ShivamSharma909
 
Top Interview Questions for CompTIA Security +
Top Interview Questions for CompTIA Security +Top Interview Questions for CompTIA Security +
Top Interview Questions for CompTIA Security +
infosec train
 

Similar to SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim Manico (20)

Chapter 11 Authentication and Account Management
Chapter 11 Authentication and Account ManagementChapter 11 Authentication and Account Management
Chapter 11 Authentication and Account Management
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
How to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security ChecklistHow to Secure Web Apps — A Web App Security Checklist
How to Secure Web Apps — A Web App Security Checklist
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Cybersecurity Interview Questions_Part1.pdf
Cybersecurity Interview Questions_Part1.pdfCybersecurity Interview Questions_Part1.pdf
Cybersecurity Interview Questions_Part1.pdf
 
How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
 
Train Employees to Avoid Cybercrime
Train Employees to Avoid CybercrimeTrain Employees to Avoid Cybercrime
Train Employees to Avoid Cybercrime
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified — Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified — Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
 
Cybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar AssociationsCybersecurity Fundamentals for Bar Associations
Cybersecurity Fundamentals for Bar Associations
 
Password Strength Policy Query
Password Strength Policy QueryPassword Strength Policy Query
Password Strength Policy Query
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET-  	  Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET-  	  Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
 
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET...
 
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
Top Interview Questions to Master as a CompTIA Security+ Certified Profession...
 
Top Interview Questions for CompTIA Security +
Top Interview Questions for CompTIA Security +Top Interview Questions for CompTIA Security +
Top Interview Questions for CompTIA Security +
 

More from SBA Research

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Research
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
SBA Research
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Research
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Research
 
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Research
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
SBA Research
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
SBA Research
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Research
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Research
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computing
SBA Research
 
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla   sba live a...Tools &amp; techniques, building a dev secops culture at mozilla   sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
SBA Research
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
SBA Research
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Research
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Research
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Research
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Research
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Research
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Research
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Research
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Research
 

More from SBA Research (20)

SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
 
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...
 
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...
 
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
 
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a Container
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
 
SBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computingSBA Live Academy, What the heck is secure computing
SBA Live Academy, What the heck is secure computing
 
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla   sba live a...Tools &amp; techniques, building a dev secops culture at mozilla   sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
 
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
 
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
 
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas KonradSBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad
 

Recently uploaded

QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
zjhamm304
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
Tobias Schneck
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
HarpalGohil4
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 

Recently uploaded (20)

QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users",  Kevin Goedecke"Scaling RAG Applications to serve millions of users",  Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!Containers & AI - Beauty and the Beast!?!
Containers & AI - Beauty and the Beast!?!
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)AWS Certified Solutions Architect Associate (SAA-C03)
AWS Certified Solutions Architect Associate (SAA-C03)
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 

SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim Manico

  • 1. JIM MANICO Secure Coding Instructor www.manicode.com Secure Password Policy and Storage
  • 2. COPYRIGHT ©2019 MANICODE SECURITY A little background dirt… jim@manicode.com @manicode  Former OWASP Global Board Member  Project manager of the OWASP Cheat Sheet Series and several other OWASP projects  20+ years of software development experience  Author of "Iron-Clad Java, Building Secure Web Applications” from McGraw-Hill/Oracle-Press  Kauai, Hawaii Resident 2
  • 3. COPYRIGHT ©2019 MANICODE SECURITY 3 WARNING: Please do not attempt to hack any computer system without legal permission to do so. Unauthorized computer hacking is illegal and can be punishable by a range of penalties including loss of job, monetary fines and possible imprisonment. ALSO: The Free and Open Source Software presented in these materials are examples of good secure development tools and techniques. You may have unknown legal, licensing or technical issues when making use of Free and Open Source Software. You should consult your company's policy on the use of Free and Open Source Software before making use of any software referenced in this material.
  • 4. COPYRIGHT ©2019 MANICODE SECURITY Authentication: Where are we going? 4 Modern Password Policy Importance of Password Storage Hashing and Salting Adaptive Storage Algorithms Other Considerations
  • 6. COPYRIGHT ©2019 MANICODE SECURITY Modern Password Policy 6
  • 7. COPYRIGHT ©2019 MANICODE SECURITY Do Not Limit the Password Strength  Limiting passwords to protect against injection is doomed to failure  Use query parameterization and other defenses instead  Be sure to at least limit password size. Very long passwords can cause DoS 7
  • 8. COPYRIGHT ©2019 MANICODE SECURITY Use a Modern Password Policy Scheme  Consider the password policy suggestions from NIST  Do not depend on passwords as a sole credential. It's past time to move to MFA.  Encourage and train your users to use a password manager. 8
  • 9. COPYRIGHT ©2019 MANICODE SECURITY Credential Stuffing Safeguards 9 Stuffing Live Defense  Block use of known username/password pairs from past breaches  Implement Multi Factor Authentication (see below)  Consider avoiding email addresses for username  Bot Detection 3rd Party Password Breach Response  Scan for use of known username/password pairs from new breach against entire existing userbase  Immediately invalidate user of existing username/password pairs  Force password reset on effected users
  • 10. COPYRIGHT ©2019 MANICODE SECURITY Special Publication SP800-63-B: Digital AuthN Guidelines Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible. 10 At least 8 characters and allow up to 64 (16+ Better) Throttle or otherwise manage brute force attempts Don’t force unnatural password special character rules Don’t use password security questions or hints No more mandatory password expiration for the sake of it Allow all printable ASCII characters including spaces, and should accept all UNICODE characters, too… including emoji. Do not limit the characters of passwords Check against a list of common passwords Block context-specific passwords like the username or service name Check against a list breached username/password pairs
  • 11. COPYRIGHT ©2019 MANICODE SECURITY Password Management Summary Core Password Policy Rules (NIST 800-63 inspired) • Do not limit the characters or length of user password • Use a modern password policy scheme • Enforce password length of at least 8 characters and allow up to 64 or more (16+ better) • Check against a list of common passwords (new!) • Check against a list of breached and exposed username/password pairs (credential stuffing) (new!) • Do not enforce special character type rules on passwords (new!) • Do not force mandatory expiration unless there is a good reason (new!) • Throttle or otherwise manage brute force attempts Additional Considerations (Dr De Ryck Suggestions) • Include a password strength meter • Ensure your password system is compatibility with password managers • Offer an option to show the password while typing for mobile devices 11
  • 12. COPYRIGHT ©2019 MANICODE SECURITY Credential Strength / Password Policy  Users will make as simple passwords as you allow them to  Users will use the same password on multiple websites  Implement server-side enforcement of password syntax and strength – Minimum length – Numbers/Symbols/Uppercase/Lowercase – Ban commonly used passwords – Ban passwords with dictionary words – Ban commonly used password topologies https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies – Force multiple users to use different password topologies – Require a minimum topology change between old and new passwords  Also consider JavaScript password meters Reference: "Your password complexity requirements are worthless” https://www.youtube.com/watch?v=zUM7i8fsf0g 12
  • 13. COPYRIGHT ©2019 MANICODE SECURITY Password1! 13
  • 14. COPYRIGHT ©2019 MANICODE SECURITY Twitter Password Ban-List: August 2014 14 8675309 987654 nnnnnn nop123 nop123 nopqrs noteglh npprff npprff14 npgvba nyoreg nyoregb nyrkvf nyrwnaqen nyrwnaqeb nznaqn nzngrhe nzrevpn naqern naqerj natryn natryf navzny nagubal ncbyyb nccyrf nefrany neguhe nfqstu nfqstu nfuyrl nffubyr nhthfg nhfgva onqobl onvyrl onanan onearl onfronyy ongzna orngevm ornire ornivf ovtpbpx ovtqnqql ovtqvpx ovtqbt ovtgvgf oveqvr ovgpurf ovgrzr oynmre oybaqr oybaqrf oybjwbo oybjzr obaq007 obavgn obaavr obbobb obbtre obbzre obfgba oenaqba oenaql oenirf oenmvy oebapb oebapbf ohyyqbt ohfgre ohggre ohggurnq pnyiva pnzneb pnzreba pnanqn pncgnva pneybf pnegre pnfcre puneyrf puneyvr purrfr puryfrn purfgre puvpntb puvpxra pbpnpbyn pbssrr pbyyrtr pbzcnd pbzchgre pbafhzre pbbxvr pbbcre pbeirggr pbjobl pbjoblf pelfgny phzzvat phzfubg qnxbgn qnyynf qnavry qnavryyr qroovr qraavf qvnoyb qvnzbaq qbpgbe qbttvr qbycuva qbycuvaf qbanyq qentba qernzf qevire rntyr1 rntyrf rqjneq rvafgrva rebgvp rfgeryyn rkgerzr snypba sraqre sreenev sveroveq svfuvat sybevqn sybjre sylref sbbgonyy sberire serqql serrqbz shpxrq shpxre shpxvat shpxzr shpxlbh tnaqnys tngrjnl tngbef trzvav trbetr tvnagf tvatre tvmzbqb tbyqra tbysre tbeqba tertbel thvgne thaare unzzre unaanu uneqpber uneyrl urngure uryczr uragnv ubpxrl ubbgref ubearl ubgqbt uhagre uhagvat vprzna vybirlbh vagrearg vjnagh wnpxvr wnpxfba wnthne wnfzvar wnfcre wraavsre wrerzl wrffvpn wbuaal wbuafba wbeqna wbfrcu wbfuhn whavbe whfgva xvyyre xavtug ynqvrf ynxref ynhera yrngure yrtraq yrgzrva yrgzrva yvggyr ybaqba ybiref znqqbt znqvfba znttvr zntahz znevar znevcbfn zneyobeb znegva zneiva znfgre zngevk znggurj znirevpx znkjryy zryvffn zrzore zreprqrf zreyva zvpunry zvpuryyr zvpxrl zvqavtug zvyyre zvfgerff zbavpn zbaxrl zbaxrl zbafgre zbetna zbgure zbhagnva zhssva zhecul zhfgnat anxrq anfpne anguna anhtugl app1701 arjlbex avpubynf avpbyr avccyr avccyrf byvire benatr cnpxref cnagure cnagvrf cnexre cnffjbeq cnffjbeq cnffjbeq1 cnffjbeq12 cnffjbeq123 cngevpx crnpurf crnahg crccre cunagbz cubravk cynlre cyrnfr cbbxvr cbefpur cevapr cevaprff cevingr checyr chffvrf dnmjfk djregl djreglhv enoovg enpury enpvat envqref envaobj enatre enatref erorppn erqfxvaf erqfbk erqjvatf evpuneq eboreg eboregb ebpxrg ebfrohq ehaare ehfu2112 ehffvn fnznagun fnzzl fnzfba fnaqen fnghea fpbbol fpbbgre fpbecvb fpbecvba fronfgvna frperg frkfrk funqbj funaaba funirq fvreen fvyire fxvccl fynlre fzbxrl
  • 15. COPYRIGHT ©2019 MANICODE SECURITY Why Password Storage? 15
  • 16. COPYRIGHT ©2019 MANICODE SECURITY "Researchers asked 43 freelance developers to code the user registration for a web app and assessed how they implemented password storage. 26 devs initially chose to leave passwords as plaintext." https://net.cs.uni- bonn.de/fileadmin/user_upload/naiakshi/Nai akshina_Password_Study.pdf 16
  • 17. COPYRIGHT ©2019 MANICODE SECURITY Why and When does Password Storage Matter? When considering password storage strategies please note we are most concerned about offline attacks. Password Storage matters most after your website is breached and attackers have a copy of your stored password data to analyze offline. Attackers can achieve supercomputing capability to discover your password. Using cloud services, computers with many GPU's or custom hardware, attackers can attempt trillions of attempts per second to discover (or "crack") stolen password data.
  • 19. COPYRIGHT ©2019 MANICODE SECURITY Password Storage Defense Overview 19 Offline Attacks Online Attacks  Avoid Hashing or Encryption by itself for password storage  Use proper password hashing  Use random and unique per-user salts – Less effective against targeted attacks, but use them anyhow  Strict Password Policy  Ban top X commonly used passwords  Ban top X commonly used passwords  Rate limiting  Multi-factor authentication  Behavior Analysis – Trojan Combat  Anti-Phishing – Early detection and takedown  Good Network Security Reference: http://www.openwall.com/presentations
  • 20. COPYRIGHT ©2019 MANICODE SECURITY Cha-Ching! Estimated cost of hardware to crack password in 1 year 20 KDF 6 letters 8 letters 8 chars 10 chars 40-char text 80-char text DES CRYPT <$1 <$1 <$1 <$1 <$1 <$1 MD5 <$1 <$1 <$1 $1.1k $1 $1.5T MD5 CRYPT <$1 <$1 $130 $1.1M $1.4k $1.5 x 1015 PBKDF2 (100ms) <$1 <$1 $18k $160M $200k $2.2 x 1017 Bcrypt (95 ms) <$1 $4 $130k $1.2B $1.5M $48B Scrypt (64 ms) <$1 $150 $4.8M $43B $52M $6 x 1019 PBKDF2 (5.0 s) <$1 $29 $920k $8.3B $10M $11 x 1018 Bcrypt (3.0 s) <$1 $130 $4.3M $39B $47M $1.5T Scrypt (3.8 s) $900 $610k $19B $175T $210B $2.3 x 1023 Research by Colin Percival, https://www.tarsnap.com/scrypt/scrypt.pdf, STRONGER KEY DERIVATION VIA SEQUENTIAL MEMORY-HARD FUNCTIONS
  • 21. COPYRIGHT ©2019 MANICODE SECURITY Let’s Get Crackin’! 21
  • 22. COPYRIGHT ©2019 MANICODE SECURITY Wow. Just… wow. 22 http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours
  • 23. COPYRIGHT ©2019 MANICODE SECURITY Online Hashcracking Services 23 md5("86e39e7942c0password123!") = f3acf5189414860a9041a5e9ec1079ab md5("password123!") = b7e283a09511d95d6eac86e39e7942c0
  • 24. COPYRIGHT ©2019 MANICODE SECURITY Password Storage Best Practices Overview 24 Store passwords as an HMAC + good key management as an extra step 3 Use ARGON2i, bcrypt, scrypt on the hash 2 Hash the salted password using SHA2-512 or another strong hash 1
  • 25. COPYRIGHT ©2019 MANICODE SECURITY 25 Hash the Password With a Strong Hash  If you ONLY hash a password it will be discovered in a very short amount of time, especially for short passwords. This is just one of several steps. – Long passwords can cause DOS – bcrypt truncates long passwords to 72 bytes, reducing the strength of passwords  By applying the very fast algorithm SHA2-512 we can quickly reduce long passwords to 512 bits, solving both problems  https://blogs.dropbox.com/tech/2016/09/how- dropbox-securely-stores-your-passwords/ 1
  • 26. COPYRIGHT ©2019 MANICODE SECURITY 26 Leverage an Password Hasher  bcrypt includes a work factor or time cost which defines the execution time  scrypt includes a time cost as well as a memory cost, which defines the memory usage  Argon2i includes a time cost, a memory cost and a parallelism degree, which defines the number of threads  Make the work factor and memory cost as strong as you can tolerate and increase it over time! Imposes difficult verification on the attacker and defender! 2
  • 27. Is hash cracking really that fast? MD5 SHA1 BCRYPT(13) Hashespersecond 200,000 million 68 million 390 @PhilippeDeRyckDR. PHILIPPE DE RYCK
  • 28. Java bcrypt iterationCount: at least 13 ** Change Password at Iteration Count Change Time @PhilippeDeRyckDR. PHILIPPE DE RYCK
  • 29. COPYRIGHT ©2019 MANICODE SECURITY 29 bcrypt in PHP bcrypt in .NET  string password_hash ( string $password , integer $algo [, array $options ] )  Uses the bcrypt algorithm (default as of PHP 5.5.0)  https://github.com/BcryptNet/bcrypt.net
  • 30. COPYRIGHT ©2019 MANICODE SECURITY GPU Attacks on Modern Password KDF's 30 PBKDF2-HMAC-SHA-1 PBKDF2-HMAC-SHA-256 PBKDF2-HMAC-SHA-512 bcrypt scrypt STRONGER Reference: Openwall and http://www.openwall.com/presentations/
  • 31. COPYRIGHT ©2019 MANICODE SECURITY ASIC/FPGA Attacks on Modern Password Hashes 31 PBKDF2-HMAC-SHA-1 PBKDF2-HMAC-SHA-256 PBKDF2-HMAC-SHA-512 scrypt below 16 MB bcrypt (uses 4 KB) scrypt at 16 MB scrypt above 32 MB STRONGER Reference: Openwall and http://www.openwall.com/presentations/
  • 32. COPYRIGHT ©2019 MANICODE SECURITY 32 Leverage Keyed Protection Solution  AES or HMAC-SHA-256([key], [salt] + [credential])  Protect this key as any private key using best practices  Store the key outside the credential store  Isolate this process outside of your application layer Imposes difficult verification on the attacker only! 3
  • 33. COPYRIGHT ©2019 MANICODE SECURITY YubiHSM: a USB Dongle for Servers YubiHSM in a server’s internal USB port. Photo © Yubico, reproduced under the fair use doctrine. 33
  • 34. COPYRIGHT ©2019 MANICODE SECURITY HMAC’s in Action for YubiHSM  KEY for HMAC stored in local key database only, not retrievable  Key handle is the HSM ID  Data is password or KDF of Password  HMAC @ Final is final computed password hash 34 HMAC-SHA1 Key Handle Reset/F inal Data Key Data Base HMAC @ Final YubiHSM Diagram © Yubico, reproduced under the fair use doctrine.
  • 35. COPYRIGHT ©2019 MANICODE SECURITY Facebook Password Storage "The Onion" 35
  • 36. COPYRIGHT ©2019 MANICODE SECURITY Basic Password Storage Workflow (with hashing, bcrypt and AES) Imposes difficult verification on the attacker and defender! Also adds a keyed round! 36 pwHash = SHA-512(password); adaptiveHash = bcrypt(512 bit pwHash, 13) FinalCiphertext = AES-GCM(adaptiveHash, secretKey)
  • 37. COPYRIGHT ©2019 MANICODE SECURITY Basic Password Verification Workflow (with hashing, bcrypt and AES) 37 submittedPWHash = SHA-512 (submittedPassword); T/F = bcrypt_compare(submittedPWHash, adaptiveHashDatabase) adaptiveHashDatabase = Decrypt AES-GCM(CiphertextDatabase, key)
  • 38. Password Storage Summary • Passwords are an attractive target in data breaches Insecure backups or SQL injection vulnerabilities are the tip of the iceberg Prepare for the worst. Implement a secure password storage mechanism • Legacy password storage mechanisms cannot withstand modern attacks Encryption can be broken by stealing the encryption key Hashing can be broken by lookup tables or brute force attacks • The proper way to store passwords is using a password- hashing function like bcrypt, scrypt or Argon2 The variable cost factor makes the algorithm too expensive to brute force • Legacy systems should be upgraded ASAP to a more secure storage mechanism @PhilippeDeRyckDR. PHILIPPE DE RYCK
  • 39. COPYRIGHT ©2019 MANICODE SECURITY Additional Topics • How to upgrade legacy systems • Storage of security questions, multi-factor information and other authentication verificatation information • What to do in case of a breach • Authentication mechanisms that do not require passwords or password storage • Performance and scale considerations 39
  • 40. COPYRIGHT ©2019 MANICODE SECURITY Other Considerations 40
  • 41. COPYRIGHT ©2019 MANICODE SECURITY Do Not Hardcode Passwords or Keys! 41 if ("DoTheStankyLeg1".equals(password)) { //why the heck why not? admin=true; } static final String DB_URL = "jdbc:mysql://192.168.1.45/"; static final String USER = "root"; static final String PASS = "BringBackJarJar99!";  Hard Coded Passwords may expose elevated access to critical systems to individuals who have product detail visibility  Hard Coded Passwords may lead to back doors that can weaken the system Please store critical passwords in a application secrets vault!
  • 42. COPYRIGHT ©2019 MANICODE SECURITY Authentication: Where are we going? 42 Modern Password Policy Importance of Password Storage Hashing and Salting Adaptive Storage Algorithms Other Considerations
  • 43. JIM MANICO Secure Coding Instructor www.manicode.com It’s been a pleasure. jim@manicode.com