Uploaded bytladesignz
ODP, PPTX19,148 views

User Credential handling in Web Applications done right

The document discusses best practices for handling user credentials in web applications, emphasizing the dangers of poor storage and transmission methods for passwords. It advocates for using strong hashing algorithms, salting, key derivation functions, and secure transmission protocols like SSL/TLS to protect user data. Additionally, it recommends educating users about password strength and proper handling of web services to mitigate security risks.

Embed presentation

Download as ODP, PPTX
User Credential handling in Web Applications done right Benjamin Erhart be@benjaminerhart.com
Often seen situations ● Passwords are stored in cleartext (EEEEVIL!) ● Passwords are stored as MD5 hash (slightly less evil, but not much...) ● Passwords are sent as GET query parameters over unencrypted connections
Why Care? Your mama will leak your database https://www.youtube.com/watch?v=aPWN683KsqU Need rainbow tables? https://www.google.com/search?q=md5+5f4dcc3b5aa
Rainbows, Brony? Cute! ● Rainbow Tables are precalculated reverse lookup tables for hash digests. ● Just ask Google for the easy ones. ● Find more specialized tables on shady sites. ● Calculate your own, while you're not mining for BitCoins. ● Having the proper RT enables attackers to find your users passwords in minutes!
So, now? The bare minimum for your everyday inhouse app: use Digest::SHA qw(sha256); sub authenticate { my ($self, $password) = @_; if ( $self->password_digest eq sha256( $self->salt . $self->system->salt . $password ) ) { return 1; } return 0; } Add salts to your user's passwords! TWO OF THEM! And fuckin' use state-of-the-art hashing algorithms!
User Salt ● Generated on password creation/update ● Unique per user ● Store with the user in the database (own column or within password digest column using some delimiter) ● Use as much randomness as you can get! (Quick bet: UUIDs) ● This effectively destroys attackers possibility of using a single rainbow table.
System Salt ● Generated once for your application ● Lives outside the database (e.g. config file) ● Destroys the attackers ability to brute-force the passwords easily, when they already have the database dump.
For your brand new web 2.0 social app: KDF ● Kraft Durch Freude? ● Key Derivation Functions! ● Hashing functions are designed to be fast. ● We don't process passwords by the millions normally. ● We don't need it fast! ● KDFs are about doing it slowly, so to make it harder for the attacker to crack our passwords.
(PB)KDF self-made sub kdf { my ($password, $salt, $algo, $iter) = @_; my $digest = $password; for (my $i = 0; $i < $iter; $i++) { $digest = $algo( $salt . $digest ); } return $digest; } You can store the number of needed iterations with the user. Vary, if you want, but use many! (>1000) Should I mention that? Use standard KDF libraries of your language of choice!
Transmitting Passwords ● We ain't gonna transmit passwords in the clear in 2012! ● Bring yourself up to speed, how to configure your environment for SSL/TLS! Use CAcert for inhouse apps. (I can assure you, if you want.) ● StartSSL issues free certs which most browsers recognize without warning.
Transmitting Passwords cont'd ● If SSL is really too much effort: ● Do not use credentials in GET queries, these get stored in HTTP server logs, which will leak! ● At least, use HTTP digest authentication, which doesn't transmit the users password. ● Or use a JavaScript Challenge-Response Authentication (but be really careful about that!)
Transmitting Passwords cont'd ● If SSL is really too much effort: ● Do not use credentials in GET queries, these get stored in HTTP server logs, which will leak! ● At least, use HTTP digest authentication, which doesn't transmit the users password. ● Or use a JavaScript Challenge-Response Authentication (but be really careful about that!)
But I can't log in with other credentials for debugging now! ● That's really NOT a good reason to save passwords in the clear. ● Add a feature which allows your admin users to impersonate any other user on the system!
Password Strength ● Educate your users ● Show password strength meters in your change-password-forms ● Disallow weak passwords (server side!!)
Web Services ● Do not use username/password credentials, especially, if you can't use encryption on transport. ● Treating web services like users gives another attack vector. And there's always this one place, where you broke your authorization... ● Treat them with different mechanisms, give out API keys for them, restrict them to IP adresses, domain names, time constraints...

More Related Content

PDF
Very Xd
byYi-Ting Cheng
 
PDF
When all you have is a hammer, everything looks like Javascript - ebookcraft ...
byBookNet Canada
 
PPTX
Ch7(publishing my sql data on the web)
byChhom Karath
 
PPTX
Novajs
bywearefractal
 
PDF
Scaling Twitter
byBlaine
 
PDF
Responsive Design with WordPress
byJoe Casabona
 
PDF
Practical django secuirty
byAndy Dai
 
PPTX
Django Web Application Security
bylevigross
 
Very Xd
byYi-Ting Cheng
 
When all you have is a hammer, everything looks like Javascript - ebookcraft ...
byBookNet Canada
 
Ch7(publishing my sql data on the web)
byChhom Karath
 
Novajs
bywearefractal
 
Scaling Twitter
byBlaine
 
Responsive Design with WordPress
byJoe Casabona
 
Practical django secuirty
byAndy Dai
 
Django Web Application Security
bylevigross
 

What's hot

PPT
Responsive Design with WordPress (WCPHX)
byJoe Casabona
 
PDF
OUTDATED (Encore)
byStefan Adolf
 
PDF
브라우저에 날개를 달자
byNAVER SHOPPING
 
PDF
Learning jQuery @ MIT
byjeresig
 
PDF
The Dean wants to Make this WordPress Site Responsive
byJoe Casabona
 
PDF
WCCHS: Responsive Design with WordPress
byJoe Casabona
 
PDF
Node.js & Twitter Bootstrap Crash Course
byAaron Silverman
 
KEY
Optimizing Your Site
byrtvenge
 
PDF
Optimizing AngularJS Application
byMd. Ziaul Haq
 
PDF
Asynchronous JavaScript loading
byyay w00t
 
PDF
Node intro
byVishal Sharma
 
PDF
Real-time search in Drupal. Meet Elasticsearch
byAlexei Gorobets
 
PDF
Introduction to REST API with Node.js
byYoann Gotthilf
 
PPTX
DevNexus 2016
byStephanie Brubaker
 
PPTX
An Overview on Nuxt.js
bySquash Apps Pvt Ltd
 
ZIP
On Demand Javascript - Scalecamp 2009
byMichael Mahemoff
 
PPTX
Lecture: Webpack 4
bySergei Iastrebov
 
PPTX
A slightly advanced introduction to node.js
bySudar Muthu
 
PDF
Hello npm
byMuyuu Fujita
 
PDF
Ng init | EPI Sousse
byHamdi Hmidi
 
Responsive Design with WordPress (WCPHX)
byJoe Casabona
 
OUTDATED (Encore)
byStefan Adolf
 
브라우저에 날개를 달자
byNAVER SHOPPING
 
Learning jQuery @ MIT
byjeresig
 
The Dean wants to Make this WordPress Site Responsive
byJoe Casabona
 
WCCHS: Responsive Design with WordPress
byJoe Casabona
 
Node.js & Twitter Bootstrap Crash Course
byAaron Silverman
 
Optimizing Your Site
byrtvenge
 
Optimizing AngularJS Application
byMd. Ziaul Haq
 
Asynchronous JavaScript loading
byyay w00t
 
Node intro
byVishal Sharma
 
Real-time search in Drupal. Meet Elasticsearch
byAlexei Gorobets
 
Introduction to REST API with Node.js
byYoann Gotthilf
 
DevNexus 2016
byStephanie Brubaker
 
An Overview on Nuxt.js
bySquash Apps Pvt Ltd
 
On Demand Javascript - Scalecamp 2009
byMichael Mahemoff
 
Lecture: Webpack 4
bySergei Iastrebov
 
A slightly advanced introduction to node.js
bySudar Muthu
 
Hello npm
byMuyuu Fujita
 
Ng init | EPI Sousse
byHamdi Hmidi
 

Similar to User Credential handling in Web Applications done right

PPTX
Password Storage Sucks!
bynerdybeardo
 
PPTX
Securing Passwords
byMandeep Singh
 
PDF
Passwords good badugly181212-2
byIftach Ian Amit
 
PPTX
FYP1 Presentation
byfaeezfez
 
PPTX
Secure passwords-theory-and-practice
byAkash Mahajan
 
PPT
Kieon secure passwords theory and practice 2011
byKieon
 
ODP
All Your Password Are Belong To Us
byCharles Southerland
 
PDF
Getting authentication right
byAndre N. Klingsheim
 
PDF
Password (in)security
byEnrico Zimuel
 
PDF
Session4-Authentication
byzakieh alizadeh
 
PDF
CNIT 129S - Ch 6a: Attacking Authentication
bySam Bowne
 
PDF
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
PDF
Ch 6: Attacking Authentication
bySam Bowne
 
PPTX
Hashing Considerations In Web Applications
byIslam Heggo
 
PDF
Password hashing, salting, bycrpt
byAhmad karawash
 
PPTX
Web application Security
byLee C
 
PPT
Defcon9 Presentation2001
byMiguel Ibarra
 
PPT
Web Application Security - "In theory and practice"
byJeremiah Grossman
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PDF
The slower the stronger a story of password hash migration
byOWASP
 
Password Storage Sucks!
bynerdybeardo
 
Securing Passwords
byMandeep Singh
 
Passwords good badugly181212-2
byIftach Ian Amit
 
FYP1 Presentation
byfaeezfez
 
Secure passwords-theory-and-practice
byAkash Mahajan
 
Kieon secure passwords theory and practice 2011
byKieon
 
All Your Password Are Belong To Us
byCharles Southerland
 
Getting authentication right
byAndre N. Klingsheim
 
Password (in)security
byEnrico Zimuel
 
Session4-Authentication
byzakieh alizadeh
 
CNIT 129S - Ch 6a: Attacking Authentication
bySam Bowne
 
CNIT 129S: Ch 6: Attacking Authentication
bySam Bowne
 
Ch 6: Attacking Authentication
bySam Bowne
 
Hashing Considerations In Web Applications
byIslam Heggo
 
Password hashing, salting, bycrpt
byAhmad karawash
 
Web application Security
byLee C
 
Defcon9 Presentation2001
byMiguel Ibarra
 
Web Application Security - "In theory and practice"
byJeremiah Grossman
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
The slower the stronger a story of password hash migration
byOWASP
 

Recently uploaded

PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
AI in the Real World: From University to Industry
byDarvan Shvan
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Logical Optimal Actions – Towards Knowledge-based Reinforcement Learning with...
byMichiaki Tatsubori
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
Bringing AI into R&D, Taking a Human-Centric Approach / Haim Yadid
byHaim Yadid
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
AI in the Real World: From University to Industry
byDarvan Shvan
 

User Credential handling in Web Applications done right

  • 1.
    User Credential handling in Web Applications done right Benjamin Erhart be@benjaminerhart.com
  • 2.
    Often seen situations ● Passwords are stored in cleartext (EEEEVIL!) ● Passwords are stored as MD5 hash (slightly less evil, but not much...) ● Passwords are sent as GET query parameters over unencrypted connections
  • 3.
    Why Care? Your mama will leak your database https://www.youtube.com/watch?v=aPWN683KsqU Need rainbow tables? https://www.google.com/search?q=md5+5f4dcc3b5aa
  • 4.
    Rainbows, Brony? Cute! ● Rainbow Tables are precalculated reverse lookup tables for hash digests. ● Just ask Google for the easy ones. ● Find more specialized tables on shady sites. ● Calculate your own, while you're not mining for BitCoins. ● Having the proper RT enables attackers to find your users passwords in minutes!
  • 5.
    So, now? Thebare minimum for your everyday inhouse app: use Digest::SHA qw(sha256); sub authenticate { my ($self, $password) = @_; if ( $self->password_digest eq sha256( $self->salt . $self->system->salt . $password ) ) { return 1; } return 0; } Add salts to your user's passwords! TWO OF THEM! And fuckin' use state-of-the-art hashing algorithms!
  • 6.
    User Salt ● Generated on password creation/update ● Unique per user ● Store with the user in the database (own column or within password digest column using some delimiter) ● Use as much randomness as you can get! (Quick bet: UUIDs) ● This effectively destroys attackers possibility of using a single rainbow table.
  • 7.
    System Salt ● Generated once for your application ● Lives outside the database (e.g. config file) ● Destroys the attackers ability to brute-force the passwords easily, when they already have the database dump.
  • 8.
    For your brandnew web 2.0 social app: KDF ● Kraft Durch Freude? ● Key Derivation Functions! ● Hashing functions are designed to be fast. ● We don't process passwords by the millions normally. ● We don't need it fast! ● KDFs are about doing it slowly, so to make it harder for the attacker to crack our passwords.
  • 9.
    (PB)KDF self-made sub kdf{ my ($password, $salt, $algo, $iter) = @_; my $digest = $password; for (my $i = 0; $i < $iter; $i++) { $digest = $algo( $salt . $digest ); } return $digest; } You can store the number of needed iterations with the user. Vary, if you want, but use many! (>1000) Should I mention that? Use standard KDF libraries of your language of choice!
  • 10.
    Transmitting Passwords ● We ain't gonna transmit passwords in the clear in 2012! ● Bring yourself up to speed, how to configure your environment for SSL/TLS! Use CAcert for inhouse apps. (I can assure you, if you want.) ● StartSSL issues free certs which most browsers recognize without warning.
  • 11.
    Transmitting Passwords cont'd ● If SSL is really too much effort: ● Do not use credentials in GET queries, these get stored in HTTP server logs, which will leak! ● At least, use HTTP digest authentication, which doesn't transmit the users password. ● Or use a JavaScript Challenge-Response Authentication (but be really careful about that!)
  • 12.
    Transmitting Passwords cont'd ● If SSL is really too much effort: ● Do not use credentials in GET queries, these get stored in HTTP server logs, which will leak! ● At least, use HTTP digest authentication, which doesn't transmit the users password. ● Or use a JavaScript Challenge-Response Authentication (but be really careful about that!)
  • 13.
    But I can'tlog in with other credentials for debugging now! ● That's really NOT a good reason to save passwords in the clear. ● Add a feature which allows your admin users to impersonate any other user on the system!
  • 14.
    Password Strength ● Educate your users ● Show password strength meters in your change-password-forms ● Disallow weak passwords (server side!!)
  • 15.
    Web Services ● Do not use username/password credentials, especially, if you can't use encryption on transport. ● Treating web services like users gives another attack vector. And there's always this one place, where you broke your authorization... ● Treat them with different mechanisms, give out API keys for them, restrict them to IP adresses, domain names, time constraints...