
Auth*: Dispelling the Myths


There are a lot of bad practices and myths floating around about authentication and authorization these days. Using passwords just isn't good enough anymore. Come with me as I explore and dispel some of these common misconceptions and myths about these two important and often misunderstood topics. I'll talk about some of the most common techniques and look forward to tools and options that can help make your applications even more secure.

@ True North PHP 2013

Chris Cornutt

November 09, 2013


Transcript

  1. AUTHENTICATION: "...the act of confirming the truth of an attribute of a datum or entity [and] often involves verifying the validity of at least one form of identification." (source: Wikipedia) Saturday, November 9, 2013
  2. Confirming identity. A satisfactory "yes" or "no". Impossible...in theory. What about anonymous? (no, not *that* Anonymous...) AND...
  3. AUTHORIZATION: "...is the function of specifying access rights to resources, which is related to information security and computer security in general and access control in particular." (source: Wikipedia)
  4. TYPES: Access control lists (ACL); Role-based access control (RBAC); Attribute-based access control (ABAC); Policy enforcement; Discretionary controls (DAC); Mandatory controls (MAC)
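The list above names the models without showing how they differ in practice. The following is an added example, not code from the talk or the slides: a small default-deny authorizer in Python that layers attribute conditions (ABAC-style: ownership, department) on top of role grants (RBAC). All role names, resource kinds, subjects and rules are constructed for illustration, and "Subject" rather than "User" is used so that a service account fits the same shape.

```python
"""Added example (not from the slides): a tiny default-deny authorizer that
combines role-based grants (RBAC) with attribute conditions (ABAC-style).
Every role, resource kind, subject and rule below is constructed."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    # "Subject", not "User": a service account or API key fits the same shape.
    id: str
    roles: frozenset = field(default_factory=frozenset)
    department: str = ""


@dataclass(frozen=True)
class Resource:
    kind: str
    owner: str
    department: str = ""


# RBAC: which (resource kind, action) pairs each role may perform.
ROLE_PERMISSIONS = {
    "viewer": {("document", "read")},
    "editor": {("document", "read"), ("document", "write")},
    "admin": {("document", "read"), ("document", "write"), ("document", "delete")},
}

# ABAC-style conditions layered on top of the role check. Each returns True
# when the attribute relationship between subject and resource allows the action.
ATTRIBUTE_RULES = {
    # Writing requires owning the document or sharing its department.
    ("document", "write"): lambda s, r: r.owner == s.id
    or (s.department != "" and s.department == r.department),
    # Deletion is restricted to the owner, whatever the role says.
    ("document", "delete"): lambda s, r: r.owner == s.id,
}


def is_authorized(subject: Subject, action: str, resource: Resource) -> bool:
    """Default deny: the action must be granted by at least one of the subject's
    roles AND pass the attribute rule for that (kind, action), if one exists."""
    key = (resource.kind, action)
    role_ok = any(key in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)
    if not role_ok:
        return False
    rule = ATTRIBUTE_RULES.get(key)
    return True if rule is None else bool(rule(subject, resource))


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"editor"}), "eng")
    doc = Resource("document", owner="alice", department="eng")
    print("alice writes own doc:", is_authorized(alice, "write", doc))
    print("alice deletes own doc:", is_authorized(alice, "delete", doc))  # editor lacks delete
```

The role check decides *what kind* of operation a subject may ever perform; the attribute rule decides *on which instances*. Keeping both tables data rather than scattered `if` statements is what makes the policy auditable.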
  5. SILVER BULLETS: Not a "cure all"; Yet another hoop; Different implementations; Hardware versus software
  6. IT'S GOOD AT...: Being a backup method, not a replacement; Increasing confidence in users; Helps with compliance
  7. IT'S NOT GOOD AT...: Being the only method; Preventing out-of-band attacks; Stopping other attacks (ex. SQLi on login); Preventing provider (IdP) issues
  8. PASSWORD BALL & CHAIN: Ancient origins; Just feels ancient today; New app? Use a password!; Password policies
  9. WHY PASSWORDS SUCK: Shared across services; Restrictive policies; Too much work on "getting it right"; Users are no good at them; Cracking hardware is cheap
  10. PASSWORD CRACKING: Offline attack; Dictionary/guessing; Brute force; Key casting; Cloud services; ...and password policies
  11. PASSWORD POLICIES: Number/Lower/Upper/Special; Reduce repeated characters; Length > Complexity; Use a slow algorithm; Salt and hash (at the least)
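Slide 11 gives the storage rules but no code. The following is an added example, not from the talk or the slides, in Python rather than the conference's PHP (the same ideas apply to PHP's `password_hash`/`password_verify`): a length-over-complexity policy check, a per-password random salt, a deliberately slow KDF, a self-describing stored record, constant-time verification, and a rehash flag for records made with a lower cost. PBKDF2-HMAC-SHA256 from the standard library stands in for the slide's "slow algorithm"; the iteration count, minimum length and record format are assumptions.

```python
"""Added example (not from the slides): salted, slow password hashing with the
Python standard library. PBKDF2-HMAC-SHA256 stands in for the slide's "slow
algorithm"; the iteration count, policy thresholds and record format are assumed."""

import hashlib
import hmac
import os

ITERATIONS = 600_000  # tune so one hash costs tens of milliseconds on your hardware
SALT_BYTES = 16
MIN_LENGTH = 12
ALGO = "pbkdf2_sha256"


def check_policy(password: str) -> list[str]:
    """Length over complexity: reject short or heavily repeated passwords,
    but do not demand specific character classes. Returns a list of problems."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "Reduce repeated characters": more than half the password is one character.
    if password and max(password.count(c) for c in set(password)) > len(password) // 2:
        problems.append("dominated by a single repeated character")
    return problems


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)  # unique per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time.
    Malformed records verify as False rather than raising."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record uses another algorithm or a lower cost, so it
    can be upgraded transparently at the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("policy problems:", check_policy(pw))
    rec = hash_password(pw)
    print("stored record:", rec)
    print("verify correct:", verify_password(pw, rec))
    print("verify wrong:", verify_password("hunter2hunter2", rec))
```

Storing the algorithm and cost inside the record is what lets you raise `ITERATIONS` later: old records still verify, `needs_rehash` flags them, and the plaintext you already hold at login time lets you rewrite the record on the spot.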
  12. INTERNAL: More control; More traditional options; Easier to customize; Hardware costs/infrastructure; Too many tools; Less stringent on encryption
  13. EXTERNAL: Standardized auth methods; Agility & flexibility; Cost savings; High encryption/protection; Less "control"; Limited to provider options
  14. OWASP Top 10 (2013): A2: Broken Authentication and Session Management; A4: Insecure Direct Object References; A6: Sensitive Data Exposure
  15. BAD PRACTICES: Sending plain-text passwords; Sensitive data in the URL; Informative error messages; No throttling on resets, registrations or password failures
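Two of the bad practices on slide 15 (informative error messages and no throttling on password failures) are easiest to see fixed together. The following is an added example, not from the talk or the slides: a per-account failure throttle with a sliding window and a lockout, wrapped around a login function that returns the same generic error for an unknown account, a wrong password and a locked account. The window, threshold and lockout length are assumptions; the account store is constructed and holds a plain-text password only to keep the block short.

```python
"""Added example (not from the slides): throttle repeated login failures and
return one uninformative error for every failure mode. Window, threshold and
lockout length are assumptions; the account store is constructed."""

import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5   # failures inside WINDOW before the account is locked
WINDOW = 300       # seconds over which failures are counted
LOCKOUT = 900      # seconds the account stays locked

# Constructed account store: username -> password. Plain text only to keep the
# example short; real storage uses a salted, slow hash.
ACCOUNTS = {"alice": "correct horse battery staple"}

# One message for unknown user, wrong password and locked account, so a caller
# cannot enumerate accounts or learn which check failed.
GENERIC_ERROR = "Invalid credentials"


class LoginThrottle:
    def __init__(self, now=time.time):
        self._now = now  # injectable clock so the logic can be tested offline
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures
        self._locked_until = {}

    def _prune(self, username, now):
        q = self._failures[username]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def is_locked(self, username) -> bool:
        return self._now() < self._locked_until.get(username, 0)

    def record_failure(self, username):
        now = self._now()
        self._prune(username, now)
        self._failures[username].append(now)
        if len(self._failures[username]) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT
            self._failures[username].clear()

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def login(throttle: LoginThrottle, username: str, password: str) -> tuple[bool, str]:
    # Lock check first: a locked account costs no credential check at all.
    if throttle.is_locked(username):
        return False, GENERIC_ERROR
    # Unknown usernames are counted too; otherwise the lockout itself reveals
    # which accounts exist. Compare against a dummy value to keep timing similar.
    stored = ACCOUNTS.get(username, "")
    if username not in ACCOUNTS or not hmac.compare_digest(password.encode(), stored.encode()):
        throttle.record_failure(username)
        return False, GENERIC_ERROR
    throttle.record_success(username)
    return True, "ok"


if __name__ == "__main__":
    t = LoginThrottle()
    for _ in range(MAX_FAILURES):
        print(login(t, "alice", "wrong"))
    print("locked:", t.is_locked("alice"))
    print(login(t, "alice", "correct horse battery staple"))  # still rejected while locked
```

Per-account lockout is only one dimension; the same structure keyed by source address catches password spraying across many accounts, and the same idea applies to reset and registration endpoints, which the slide lists alongside login failures.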
  16. REALIGNMENT: Audit of current components; Gather usage data; Plan, plan, then plan some more; Easier in hindsight
  17. LOOK AHEAD: Think "Subject" not "User"; Narrowing the options; Pick the right fit, not the shiny one; Plan for delegation
  18. IN DEPTH: More than one level?; What to protect?; Is it the same everywhere?; Policies/procedures; Reduce the overhead