Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Passwords and how to handle them

carnage
October 01, 2016
Technology
0
210

Passwords and how to handle them

Like it or not, passwords form an essential part of nearly all user authentication systems, yet so many companies make basic mistakes when handling them. Often a password forms the only means of security for a user's account on multiple different websites so we all have a responsibility to handle this data properly.

During this talk I will go over some of the common mistakes people make surrounding password policies and elaborate on the golden rules for storing them securely.

carnage

October 01, 2016
Tweet

More Decks by carnage

See All by carnage
Object re-orientation
carnage
2
310
Event Driven Development
carnage
0
450
More Secrets of Cryptography
carnage
0
250
Nuclear powered software securty
carnage
0
260
Microservices vs The distributed monolith
carnage
1
1.8k
A storm is brewing
carnage
0
64
The secrets of cryptography
carnage
0
120
The secrets of cryptography
carnage
0
120
You attended talk: An introduction to event sourcing (short)
carnage
0
380

Other Decks in Technology

See All in Technology
TrivyでAWSセキュリティをシフトレフトしよう
bitkey
PRO
1
520
とあるQAエンジニアが、マイクロサービスの開発チームと、出会ったーー / Scrum Fest Niigata 2023
yoyakoba
0
120
「XIAOGYAN」への想い
matsujirushi
0
130
『AWSではじめるクラウドセキュリティ』の裏側を。
ryohatanmonolog
2
190
Keynote: Kishore Gopalakrishna, StarTree - The Rise of Real-Time Analytics | RTA Summit 2023
startree
PRO
0
130
エンジニアからの情報発信の意義に関して、さまざまな方々が私に教えてくださったことのまとめ
m3hiro3
0
110
ハンズオンで学ぶ! Instana基礎
daihiraoka
1
120
点群SegmentationのためのTransformerサーベイ
takmin
1
480
テスト設計チュートリアル/Test Design Tutorial
goyoki
6
4.2k
組織の立ち上げと体制変更の1年
tarappo
2
300
AWS Copilotを CDKでカスタマイズする
_takahash
2
1.4k
DevSecOpsへの展開〜全てのチームの能力を最大限に引き出す/Expanding to DevSecOps
newrelic2023
0
200

Featured

See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
In The Pink: A Labor of Love
frogandcode
133
21k
The Pragmatic Product Professional
lauravandoore
22
3.8k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.4k
Building Applications with DynamoDB
mza
86
5.1k
Building Effective Engineering Teams - LeadDev
addyosmani
5
580
Java REST API Framework Comparison - PWX 2021
mraible
PRO
16
5.8k
Rails Girls Zürich Keynote
gr2m
89
12k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
8.3k
It's Worth the Effort
3n
179
26k

Transcript

  1. Passwords
    and how to handle them
    Christopher Riley
    PHP North West, 2016
    1

    View Slide

  2. Introduction

    View Slide

  3. 6 Rules of password storage

    View Slide

  4. Rule 1
    We must protect passwords not just for our own services security
    but for the security of all internet services. Users reuse passwords,
    in an ever connected internet, the value of a password is ever
    increasing.
    2

    View Slide

  5. Rule 2
    We must not store plain text passwords because databases have a
    habit of falling into the wrong hands.
    3

    View Slide

  6. Rule 3
    We must not use reversible encryption because keys are required
    all the time and have a habit of falling into the same wrong hands
    at the same time as the database.
    4

    View Slide

  7. Rule 4
    We must not simply hash the passwords. With a simple hash,
    every password that is the same hashes to the same value an
    attackers work to recover the passwords is therefore greatly
    reduced.
    5

    View Slide

  8. Rule 5
    We must not use a hash which has been intentionally built for
    speed such as Md5, Sha1 or Sha2. Dedicated hardware and GPU’s
    can calculate Billions to TRILLIONS of hashes per second.
    Password recovery by an attacker is inevitable.
    6

    View Slide

  9. Rule 6
    We must use a hashing algorithm designed for password storage
    such as PBKDF2, Bcrypt or Argon2i with appropriate cost
    parameters.
    7

    View Slide

  10. Bonus rule
    We may encrypt hashes.
    8

    View Slide

  11. PHP functions
    9

    View Slide

  12. PHP functions
    10

    View Slide

  13. PHP functions
    11

    View Slide

  14. Good password policies

    View Slide

  15. Don’t disable copy + paste

    View Slide

  16. Don’t force password expiry...

    View Slide

  17. ... Unless compromised

    View Slide

  18. Don’t add complex requirements

    View Slide

  19. Entropy
    12

    View Slide

  20. Thanks
    • @giveupalready
    • https://github.com/carnage
    • https://github.com/carnage/entropy
    • http://joind.in/bc6b8
    13

    View Slide