The document discusses best practices for password security and the importance of implementing robust authentication methods to prevent breaches, citing various high-profile password leaks. It emphasizes the need for strong hashing algorithms, the correct use of salts, and multi-factor authentication to enhance security. The document also outlines common password attack methods and the corresponding prevention techniques to safeguard sensitive information.

1. InfoSec in Practice
for
Product & Engineering
“SECURING PASSWORDS”
Mandeep Singh

2. Password Breaches (just a fraction)
Prior
• Yahoo: 3 Billion (Bcrypt
and MD5 hash)
• LinkedIn: 6 million (SHA1
hashed, unsalted)
• Twitter: 250,000
(hashed, salted)
• Adobe: 38 million
password hints, and
hashed passwords
2015
LastPass:
master
passwords
(PBKDF2 and
salts)
2016
Dropbox: 68
million (SHA1
and bcrypt
hashes, salts)
2017
Equifax
(plaintext and
defaults)
2018
Facebook
(plaintext)
2019
Capitol One
(pending?)

3. IEEE Secure Design – Top 10
1. Never assume trust 6. Use cryptography correctly
2. Use authentication that cannot be bypassed or
tampered
7. Identify sensitive data and how they should be
handled
3. Use authentication that cannot be bypassed or
tampered
8. Always consider the users
4. Strictly separate data and control 9. Understand how integrating external components
changes your attack surface
5. Ensure all data is explicitly validated 10. Be flexible when considering future changes to
objects and actors

4. Password Attack Approaches
Target Attack Methods Prevention Methods
Application Databases Brute Force
Dictionary
Rainbow Tables
Offline Cracking
Better Implementation
Multifactor
Network Man in the Middle
Certificate High jacking
Secure Protocols
Human Emotions Phishing / Malware Anti-virus/Anti-Malware
Firewall
Multifactor
Human Emotions Social Engineering
Shoulder Surfing,
Guess
Training / Education
Awareness of Surroundings
Multifactor
Corporate Literature Spidering Password Managers
Multifactor
What is the drawback of internet based password protection tools?

5. Password Hashes
MD5
SHA, SHA256, SHA512, …
PBKDF2
Bcrypt
Scrypt
Argon2 (Winner 2015 password hash competition)
Stronger Algorithms consider:
◦ Time cost, which defines the execution time
◦ Memory cost, which defines the memory/storage usage
◦ Parallelism degree, which defines the number of threads

6. What are Rainbow Tables?
Precomputed hash chains
Simple cracking to search-and-compare operation on the table.
The exact password string isn’t necessary (Hash Collisions)
Makes it trivial to crack password hashes
How to defeat?
◦ Use of salts

7. Salt Implementations
Good
• Random number using
standard libraries
• Make salts same length as
hash output
• Hash on server side
Bad
• Keys that cannot be changed
• Same salt for new password
• DO NOT write your own hash
• MD5( SHA1(password,salt))
• SHA1(SHA1(password,salt))

8. Two Factor / Multi-Factor
• Different Factors
• What you know (passwords)
• What you have (Certificates, RSA FOB, Yubikey)
• Who you are (fingerprint, retina, face, voice, walking,
DNA, etc.)
• Where you are (Location, IP address)
Based On
• Two or more in the same factor type
• Face + fingerprint
Not
Based On

9. Password less Authentication
Known Devices
• Yubikeys
• PKI Auth
Who you are?
• Using Fingerprints
• Facial Recognition
• Voice Recognition
Where you are?
• IP Address
• Takes into account impossible travel

10. Takeaway
Do’s
• Build security in at design stage
• Your company standard hash for all
apps
• Large Service account passwords (26
characters)
• Best practices for Salts
• Multi-factor authentication,
whenever possible
• Encrypt all data transport
Don’ts
• Invent your own hashing algorithm
(Kerckhoffs’ principle - 1883)
• Embed db/file passwords in your
applications or databases
• Share service passwords or keys
• Log private data such as passwords,
not even for debugging