Password Security Fundamentals

Transcript of Password Security Fundamentals

Page 1: Password Security Fundamentals

PASSWORD SECURITY FUNDAMENTALS

Jen Triñanes, Sr. .NET Developer – VFTS Global

Page 2: Password Security Fundamentals

AGENDA

• PASSWORD STORAGE

• PASSWORD RESET

• PASSWORD COMPLEXITY

Page 3: Password Security Fundamentals

ADOBE HACK – OCTOBER 2013

153 million Adobe accounts were breached, each containing an internal ID, username, email, ENCRYPTED password and password hint in plain text. The password encryption was poorly done, and many passwords were quickly recovered back to plain text.

Page 4: Password Security Fundamentals

SONY PICTURES HACK – DECEMBER 2014

In Sony’s biggest security breach, it was discovered that thousands of passwords were not even encrypted. Passwords were stored in plain text in a folder named ‘Password’.

Page 5: Password Security Fundamentals

000WEBHOST HACK – MARCH 2015

13 million customer records were breached. The breached data included names, email addresses and plain text passwords. The data was sold and traded before 000webhost was informed in October.

Page 6: Password Security Fundamentals

SECURE PASSWORD STORAGE GUIDANCE

• NEVER, EVER STORE PASSWORDS IN PLAIN TEXT!

• UNSALTED HASH = BAD

• CONSIDERED WEAK HASHING ALGORITHMS:
  – MD5
  – SHA1 (LINKEDIN USED IT FOR PASSWORD HASHING BEFORE THE HACK)

• SHA256 / SHA512 ARE GOOD, BUT NOT SLOW BY DESIGN

Page 7: Password Security Fundamentals

SECURE PASSWORD STORAGE GUIDANCE

• NIST RECOMMENDS PASSWORD-BASED KEY DERIVATION FUNCTION 2 (PBKDF2)

  HASH = PBKDF2(PSEUDORANDOM FUNCTION, SENSITIVE DATA, SALT, ITERATION COUNT)
  (HIGHER ITERATION COUNT == SLOWER == BETTER)

• .NET IMPLEMENTATION: Rfc2898DeriveBytes CLASS

• USED BY ASP.NET IDENTITY

• IOS 4 USED 10K ITERATIONS; LASTPASS USED 5K ITERATIONS FOR JS AND 100K FOR SERVER-SIDE HASHING

• OTHER STRONG HASHING ALGORITHM FLAVORS:
  – BCRYPT
  – SCRYPT

Page 8: Password Security Fundamentals


DID YOU JUST EMAIL ME BACK MY OWN PASSWORD?!

Page 9: Password Security Fundamentals

SECURE PASSWORD RESET GUIDANCE

• IMPLEMENT A SECURE PASSWORD RESET – NOT RETRIEVAL!

• MUST BE TOKEN-BASED AND TIME-SENSITIVE

• DESIGN FOR 2 DISTINCT PHASES:
  – TOKEN REQUEST
  – TOKEN VALIDATION

Page 10: Password Security Fundamentals

TOKEN REQUEST

• A GUID is already sufficient for a random, unpredictable token.

• Set at least a 1-hour window for password reset.

Token request flow (flowchart on the slide):

START
1. User enters email address in a password reset form and resolves CAPTCHA.
2. CAPTCHA resolved? No → END. Yes → continue.
3. Email address found in database? No → display “If your account exists, you will be sent an email with further instructions”. Yes → continue.
4. Generate a random token w/ timestamp.
5. Store the token and timestamp in database.
6. Send an email w/ the token.

Page 11: Password Security Fundamentals

TOKEN VALIDATION

Token validation flow (flowchart on the slide):

START
1. User enters username / account ID and resolves CAPTCHA.
2. CAPTCHA resolved? No → END. Yes → continue.
3. Is the token valid and unexpired? No → display “Invalid reset token”. Yes → continue.
4. User enters his new password.
5. Set the token and timestamp to null.
6. Send an email acknowledging the password change.

Page 12: Password Security Fundamentals

TOP 20 MOST COMMON PASSWORDS OF 2015

Password reuse is rampant (social media, email, banking, corporate accounts, etc.)

Page 13: Password Security Fundamentals

PASSWORD STRENGTH GUIDANCE

• PASSWORD LENGTH
  – LONGER PASSWORDS PROVIDE A GREATER NUMBER OF CHARACTER COMBINATIONS AND ARE MORE DIFFICULT FOR AN ATTACKER TO GUESS
  – YOU CAN ENCOURAGE USERS TO SET PASSPHRASES

• ENFORCE PASSWORD COMPLEXITY

• DO NOT LET THE USER REUSE HIS PASSWORD. REQUIRE THE USER TO CHANGE HIS PASSWORD EVERY n DAYS

Page 14: Password Security Fundamentals

HOW STRONG IS A STRONG PASSWORD?

Page 15: Password Security Fundamentals

HOW LONG DOES IT TAKE TO CRACK MY PASSWORD?

Page 16: Password Security Fundamentals

YOU CAN’T REMEMBER ALL YOUR PASSWORDS

Use an offline password manager like 1Password

Page 17: Password Security Fundamentals

OTHER SECURITY CONSIDERATIONS

Only serve login, registration and any forms that can POST sensitive data over TLS or other strong transport

Page 18: Password Security Fundamentals

THANK YOU!