Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Passwords and how to handle them

carnage
October 01, 2016

Passwords and how to handle them

Like it or not, passwords form an essential part of nearly all user authentication systems, yet so many companies make basic mistakes when handling them. Often a password forms the only means of security for a user's account on multiple different websites so we all have a responsibility to handle this data properly.

During this talk I will go over some of the common mistakes people make surrounding password policies and elaborate on the golden rules for storing them securely.

carnage

October 01, 2016
Tweet

More Decks by carnage

Other Decks in Technology

Transcript

  1. Passwords
    and how to handle them
    Christopher Riley
    PHP North West, 2016
    1

    View full-size slide

  2. Introduction

    View full-size slide

  3. 6 Rules of password storage

    View full-size slide

  4. Rule 1
    We must protect passwords not just for our own services security
    but for the security of all internet services. Users reuse passwords,
    in an ever connected internet, the value of a password is ever
    increasing.
    2

    View full-size slide

  5. Rule 2
    We must not store plain text passwords because databases have a
    habit of falling into the wrong hands.
    3

    View full-size slide

  6. Rule 3
    We must not use reversible encryption because keys are required
    all the time and have a habit of falling into the same wrong hands
    at the same time as the database.
    4

    View full-size slide

  7. Rule 4
    We must not simply hash the passwords. With a simple hash,
    every password that is the same hashes to the same value an
    attackers work to recover the passwords is therefore greatly
    reduced.
    5

    View full-size slide

  8. Rule 5
    We must not use a hash which has been intentionally built for
    speed such as Md5, Sha1 or Sha2. Dedicated hardware and GPU’s
    can calculate Billions to TRILLIONS of hashes per second.
    Password recovery by an attacker is inevitable.
    6

    View full-size slide

  9. Rule 6
    We must use a hashing algorithm designed for password storage
    such as PBKDF2, Bcrypt or Argon2i with appropriate cost
    parameters.
    7

    View full-size slide

  10. Bonus rule
    We may encrypt hashes.
    8

    View full-size slide

  11. PHP functions
    9

    View full-size slide

  12. PHP functions
    10

    View full-size slide

  13. PHP functions
    11

    View full-size slide

  14. Good password policies

    View full-size slide

  15. Don’t disable copy + paste

    View full-size slide

  16. Don’t force password expiry...

    View full-size slide

  17. ... Unless compromised

    View full-size slide

  18. Don’t add complex requirements

    View full-size slide

  19. Thanks
    • @giveupalready
    • https://github.com/carnage
    • https://github.com/carnage/entropy
    • http://joind.in/bc6b8
    13

    View full-size slide