The document discusses passwords and password security. It summarizes that common password practices like complexity rules and frequent changes actually decrease security by making passwords harder to remember. Instead, it recommends using very long, easy to remember passwords and only changing them when truly necessary. It also discusses how password cracking tools like rainbow tables and hashcat can crack hashed passwords, but proper defenses like salting and slow hashing functions provide effective protection.
2. The compliance chicken or egg
► It irritates users. Makes it hard to remember passwords.
► Six is not good but seven is?
► Increases the number of possible values. Complexity rules lead to ugly passwords.
► If not compromised, what’s the risk if you reuse?
3. Cracking a password in real life
► In February 2011 Anonymous carried out a SQL injection attack against HBGary Federal.
► They acquired three MD5 hashes and sent them to the gang at Hashkiller.com.
► Back came 4036d5fe575fb46f48ffcd5d7aeeb5af:kibafo33
► kibafo33 was the password for email/Facebook/twitter/ and who-knows-how-many-other accounts of Aaron Barr, CEO of HBGary Federal.
► Anonymous was off to the races.
4. So what is this hashkiller.com?
One of many sites that offers tables of hashes of passwords plus discussion forums.
5. Determining a password
► The attacker either works with the password as entered by the user or as stored by the authenticator.
► For the former, one can either social engineer for some good guesses, sniff it, or brute force by submitting passwords from a dictionary, a big list of possible passwords.
► The latter can be done in parallel.
► Should be slowed or blocked by system reaction to successive failed attempts.
(screenshot: THC Hydra)
6. Passwords stored at authenticator
User supplies password in plaintext → authenticator’s system → hash function → authenticator’s storage (hashed password)
…should be cryptographically protected.
8. Hashes are not broken
► They are not being reversed; let’s do a hypothetical:
► Policy = 4 lower-case characters
► 26^4 = 456,976, about a half million hashes
► Not difficult to build a table of all possible hash values.
9. Put more possibilities in the set
► PCI DSS 8.5.10 & 11 say at least seven alphabetic and numeric.
► Microsoft says at least eight also including special characters.
► Failure codified into compliance standards.
11. Backward compatibility is killing security
► If Lan Manager is enabled
  ► Password converted to all uppercase;
  ► Password padded to 14 characters;
  ► Split into two 7-character parts, i.e. 56 bits;
  ► Each part padded with a byte of zeros;
  ► Each part used as a DES key to encrypt “KGS!@#$%” to produce two “hash” values.
► If you cannot turn off LM hashing, choose a password whose length is over 14 characters.
13.
► You would need a large table to hold all the possible hashes for a large set of passwords.
► Rainbow tables provide a way to efficiently store the passwords and associated hashes.
► More time to “search” but less memory.
► Tuples are associated in chains using reductions, i.e. a transformation of the hash into plaintext.
► ophcrack was first; RainbowCrack latest.
► Salting hashes makes tables of hashed passwords useless.
(screenshot: at the end of the RainbowCrack run)
14. 1st line of defense—salt
► Add a salt into the hashing process.
► Using different salt values gives different hash values for the same password.
► hashcat can use GPU, e.g. AMD Radeon HD 7970, to produce hashes very quickly.
  ► 4.7 billion MD5 hashes per second
  ► 2.2 billion SHA-1 hashes per second
► Not fast enough for salting exhaustive dictionary unless constant salt used by target.
► Fast enough for salting selective dictionary.
15. hashcat on roids
► At the Passwords^12 conference in December, Jeremi Gosney demonstrated his implementation of hashcat running on multiple GPUs
  ► 25 AMD Radeon GPUs
  ► VirtualOpenCL (VCL) was extended to support 128 GPUs
► Generates
  ► 348 billion NTLM hashes per second
  ► 180 billion MD5 hashes per second
  ► 63 billion SHA1 hashes per second
  ► 20 billion LM hashes per second
► Six minutes to generate all possibilities
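The policies of slides 8 and 9 can be put side by side with the hash rates quoted on slides 14 and 15. This Python is an added example, not from the deck; it assumes 33 printable special characters, uses the rates as quoted, and gives the worst-case time to hash every password a policy allows (the situation for unsalted hashes, or for one known salt).

```python
from itertools import combinations

# Sizes of the printable-ASCII character classes (33 = 95 printable - 62 alnum).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Hash rates quoted in the deck (hashes per second).
RATES = {
    "one GPU, MD5": 4.7e9,
    "one GPU, SHA-1": 2.2e9,
    "25 GPUs, NTLM": 348e9,
    "25 GPUs, MD5": 180e9,
    "25 GPUs, SHA-1": 63e9,
}


def keyspace(length, allowed, required_groups=()):
    """Count passwords of exactly `length` drawn from the `allowed` classes that
    contain at least one character from every group in `required_groups`
    (each group is a tuple of classes; groups must not overlap).
    Inclusion-exclusion: subtract strings missing one group, add back those
    missing two, and so on."""
    total = sum(CLASSES[c] for c in allowed)
    groups = [tuple(g) for g in required_groups]
    count = 0
    for k in range(len(groups) + 1):
        for excluded in combinations(range(len(groups)), k):
            alphabet = total - sum(CLASSES[c] for i in excluded for c in groups[i])
            count += (-1) ** k * alphabet ** length
    return count


def seconds_to_exhaust(space, rate):
    """Worst-case time to hash every password in the space at the given rate."""
    return space / rate


def policy_table():
    """Time to exhaust each policy discussed in the deck, per quoted rate."""
    all_classes = ("lower", "upper", "digit", "special")
    policies = {
        "4 lower-case (slide 8)": keyspace(4, ("lower",)),
        "7 alphabetic+numeric (PCI DSS)": keyspace(
            7, ("lower", "upper", "digit"), [("lower", "upper"), ("digit",)]),
        "8 with a special char (Microsoft)": keyspace(8, all_classes, [("special",)]),
        "15 lower-case (longer than LM's 14)": keyspace(15, ("lower",)),
    }
    return {name: {r: seconds_to_exhaust(space, rate) for r, rate in RATES.items()}
            for name, space in policies.items()}


if __name__ == "__main__":
    for policy, timings in policy_table().items():
        print(policy)
        for rate_name, secs in timings.items():
            print(f"  {rate_name:>15}: {secs / 86400:14.4f} days")
```

The 4-character policy falls in well under a millisecond, the 8-character complexity policy in hours on the 25-GPU rig, while 15 plain lower-case letters take centuries at the same rate.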
16. 2nd line of defense—difficulty
► SHA-256 is not the answer
► You want an algorithm that is fast enough to avoid a perceptible delay to the user, but…
► Makes the computing of a large number of hashes untenable.
► Fortunately, you don’t need to write this yourself.
► bcrypt, PBKDF2
  ► multiple iterations
  ► adaptable to future hardware
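Salting (slide 14) and an iterated, adjustable-cost function (slide 16) together, as an added Python example that is not from the deck. It uses PBKDF2-HMAC-SHA256 from the standard library, stores the salt and iteration count beside the hash so the work factor can be raised later, and contrasts that with the unsalted MD5 of the HBGary slide; the iteration count and record format are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor. Raise it as GPUs get faster; each record stores the value it was
# hashed with, so old records still verify and can be re-hashed at next login.
ITERATIONS = 600_000


def unsalted_md5(password: str) -> str:
    """The weak scheme from the HBGary slide: no salt, fast hash. Equal passwords
    give equal hashes, so one precomputed table serves every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record: str, target: int = ITERATIONS) -> bool:
    """True when the record used a lower work factor than wanted now; call
    hash_password() again right after a successful verify to upgrade it."""
    return int(record.split("$")[1]) < target


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the deck's password.
    alice, bob = "kibafo33", "kibafo33"
    print("unsalted md5 equal:", unsalted_md5(alice) == unsalted_md5(bob))  # True
    ra, rb = hash_password(alice), hash_password(bob)
    print("salted pbkdf2 equal:", ra == rb)  # False: different salts
    print("verify:", verify_password("kibafo33", ra), verify_password("kibafo32", ra))
    old = hash_password("kibafo33", iterations=10_000)
    print("needs rehash:", needs_rehash(old))  # True
```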
21. Password Management Guideline
“Changed on a periodic basis to counter the possibility of undetected password compromise. …changed often enough … acceptably low probability of compromise during a password’s lifetime.”
22. The effectiveness of a prophylactic password change
► For a continuous series of logon attempts are you hoping the new password is one that has already been submitted?
► If the hash table attack software has the hash of your current password, it’s very likely that it also has the hash of the replacement password (and the password you’ll use a year from now).
► Longer passwords kept for a longer time is a better defense.
► Only change passwords when
  ► there is a known or suspected compromise; or,
  ► you want a stronger password.
23. Password Management Guideline
Upon successful login notify user of:
• date and time of user’s last login,
• location of user at last login; and,
• unsuccessful login attempts since last login.
24. We shouldn’t be doing these at all
► Requiring unmemorable passwords.
  ► six characters with at least one upper-case, one lower-case, one numeral, and one special character.
► Requiring a password change unless suspected or known to be compromised.
► Inadequately protecting stored passwords.
  ► There’s little excuse for not using a function that’s been around since 1999.
25. The compliance chicken or egg
► What is this preventing? But difficult to convince auditor.
► Auditor will accept very long passwords.
► It will be difficult to convince auditor that length is enough.
► What is this preventing? But difficult to convince auditor.