Speaker Deck

Passwords-lol.pdf

by Kim Carter

Published June 2, 2015 in Technology

# What Developers do Wrong

## Fact: It's easy to compromise users' passwords
Start with demoing the DVWA from the OWASP BWA VM.
Demo the SQLi:
* finding users
* getting their hashed passwords
* cracking the passwords
* This shows us several vulnerabilities: SQLi, and weak password hashing strategies: weak algorithm, reversible, no salts.
* Many websites limit password lengths. This suggests that the developers don't have a clue what they're doing.

## Fact: Most of the time cracking is not necessary
Demo of proxying the toastmasters web site login. Show credentials.
* Discuss how easy this is to fix.

# How We can protect ourselves regardless of developer skill level

## Compromise Techniques
* brute force
* dictionary
* rainbow tables

## What makes a good password
Long (generally hard to remember), mix of random characters.
Unique passwords for every account.
Don't swap characters with numbers and symbols that look like characters. All hackers know these tricks.

## Use a password database
Generate long random passwords with all types of characters. The tool does this for us.
Show what it looks like.
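An added example (not from the talk or its demo) that puts the two halves of the notes side by side: the "weak algorithm, no salts" storage seen in the DVWA demo, where two users with the same password get the same stored value, versus salted and iterated PBKDF2, and a generator for the kind of long random password a password database produces. The user names, the shared password and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed sample: two users who happen to share the same weak password.
USERS = {"alice": "Passw0rd!", "bob": "Passw0rd!"}


def weak_hash(password: str) -> str:
    """Unsalted MD5: the 'weak algorithm, no salt' strategy seen in the demo."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt=None, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the salt and cost are stored with the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt/cost and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_detectable(hasher) -> bool:
    """True if identical passwords yield identical stored values, i.e. a single
    lookup (dictionary or rainbow table) cracks every account sharing the password."""
    hashes = [hasher(p) for p in USERS.values()]
    return len(set(hashes)) < len(hashes)


def generate_password(length: int = 24) -> str:
    """What a password database does: long, random, every character class present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw
```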

# Conclusion
Use unique passwords that are long for every account: a mix of upper & lower case letters, numbers & symbols.
Hackers know the tricks of swapping alpha characters with numbers and symbols that look similar.
Use a password database to generate random passwords and store them.