# What Developers do Wrong
## Fact: It's easy to compromise users passwords
Start with demoing the dvwa from the OWASP BWA VM.
Demo the SQLi
finding users
getting their hashed passwords
cracking the password
* This shows us several vulnerabilities: SQLi, weak password hashing strategies . weak algorithm, reversible, no salts.
* Many websites limit password lengths. This spells that the developers don't have a clue what they're doing.
## Fact: Most of the time cracking is not necessary
Demo of proxying the toastmasters web site login. Show credentials.
* Discuss how easy this is to fix.
# How We can protect ourselves regardless of developer skill level
## Compromise Techniques:
brute force
dictionary
rainbow tables
## What makes a good password
Long (generally hard to remember), mix of random characters.
Unique passwords for every account.
Don't swap characters with numbers and symbols that look like characters. All hackers know these tricks.
## Use password database
Generate long random passwords with all types of characters. Tool does this for us.
Show what it looks like
# Conclusion
Use unique passwords that are long for every account. Mix of upper & lower case letters, numbers & symbols
Hackers know the tricks of swapping alpha characters with numbers and symbols that look similar
Use password database to generate random passwords and store them.
binarymist
oracle4engineer
netmarkjp
interu
bob3bob3
red_frasco
okuzawats
forcia_dev_pr
k9i
trycycle
hatahata021
speakerdeck
notwaldorf
brettharned
tammielis
rocio
keathley
brianwarren
dotmariusz
garrettdimon
62gerente
roundedbygravity
sferik