Passwords and how to handle them

Transcript

1. Passwords and how to handle them Christopher Riley PHP North

   West, 2016 1

2. Introduction

3. 6 Rules of password storage

4. Rule 1 We must protect passwords not just for our

   own services security but for the security of all internet services. Users reuse passwords, in an ever connected internet, the value of a password is ever increasing. 2

5. Rule 2 We must not store plain text passwords because

   databases have a habit of falling into the wrong hands. 3

6. Rule 3 We must not use reversible encryption because keys

   are required all the time and have a habit of falling into the same wrong hands at the same time as the database. 4

7. Rule 4 We must not simply hash the passwords. With

   a simple hash, every password that is the same hashes to the same value an attackers work to recover the passwords is therefore greatly reduced. 5

8. Rule 5 We must not use a hash which has

   been intentionally built for speed such as Md5, Sha1 or Sha2. Dedicated hardware and GPU’s can calculate Billions to TRILLIONS of hashes per second. Password recovery by an attacker is inevitable. 6

9. Rule 6 We must use a hashing algorithm designed for

   password storage such as PBKDF2, Bcrypt or Argon2i with appropriate cost parameters. 7

10. Bonus rule We may encrypt hashes. 8

11. PHP functions 9

12. PHP functions 10

13. PHP functions 11

14. Good password policies

15. Don’t disable copy + paste

16. Don’t force password expiry...

17. ... Unless compromised

18. Don’t add complex requirements

19. Entropy 12

20. Thanks • @giveupalready • https://github.com/carnage • https://github.com/carnage/entropy • http://joind.in/bc6b8 13