Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Passwords-lol.pdf

 Passwords-lol.pdf

# What Developers do Wrong

## Fact: It's easy to compromise users passwords
Start with demoing the dvwa from the OWASP BWA VM.
Demo the SQLi
finding users
getting their hashed passwords
cracking the password
* This shows us several vulnerabilities: SQLi, weak password hashing strategies . weak algorithm, reversible, no salts.
* Many websites limit password lengths. This spells that the developers don't have a clue what they're doing.

## Fact: Most of the time cracking is not necessary
Demo of proxying the toastmasters web site login. Show credentials.
* Discuss how easy this is to fix.

# How We can protect ourselves regardless of developer skill level

## Compromise Techniques:
brute force
dictionary
rainbow tables

## What makes a good password
Long (generally hard to remember), mix of random characters.
Unique passwords for every account.
Don't swap characters with numbers and symbols that look like characters. All hackers know these tricks.

## Use password database
Generate long random passwords with all types of characters. Tool does this for us.
Show what it looks like

# Conclusion
Use unique passwords that are long for every account. Mix of upper & lower case letters, numbers & symbols
Hackers know the tricks of swapping alpha characters with numbers and symbols that look similar
Use password database to generate random passwords and store them.

Kim Carter

June 02, 2015
Tweet

More Decks by Kim Carter

Other Decks in Technology

Transcript

  1. Passwords 101 lol

    View Slide

  2. 5: Identify Risks?
    What Developers Do Wrong

    View Slide

  3. 5: Identify Risks?
    Fact:
    Passwords Are Easy to Compromise

    View Slide

  4. 5: Identify Risks?
    Fact:
    Cracking is Usually Not Necessary

    View Slide

  5. 5: Identify Risks?
    Protecting Ourselves

    View Slide

  6. 5: Identify Risks?
    Fact & Pro Opinion:

    Compromise Techniques

    What Makes a Good Password

    How to Remember them *

    View Slide

  7. 5: Identify Risks?
    Conclusion
    1. Unique, long, mix of chars
    2. Hackers know * the tricks
    3. Use Database. Gen random

    View Slide