To ••• With Passwords

Jacob Kaplan-Moss

November 02, 2019

Transcript

  1. TO •••• WITH PASSWORDS
    Jacob Kaplan-Moss
    [email protected]

  2. Agenda
    1. Introduction to threat modeling
    2. Apply threat modeling to identity systems and discover that passwords are the root of many problems.
    3. If not passwords, then what?

  3. THREAT MODELING

  4. Scenario-Based Threat Modeling
    1. Scenario: tell a story about an imagined breach
    2. Pre-mortem: trace contributing events
    3. Mitigate: figure out where and how best to mitigate
    Photo by You X Ventures

  5. Threat Modeling Example
    — https://twitter.com/badthingsdaily/status/836984397819596800

  6. Threat Modeling Example
    Issue                                     Mitigation
    CI/CD servers have over-scoped AWS keys   Evidence: enable CloudTrail
                                              Contain: IAM roles
                                              Eliminate: pull-based deploys
    Code contains OAuth secrets               Prevent: move keys to env
                                              Eliminate: use Vault/KMS

  7. THREAT MODELING PASSWORDS

  8. THREAT MODELING PASSWORDS: CLASSIC ATTACKS

  9. Shoulder Surfing
    Scenario: Jack, a disgruntled employee, watches Alberta, the CFO, log in, and remembers her password. He can now use her password to embezzle funds.
    Photo by David Rangel

  10. Shoulder Surfing
    Issue                                            Mitigation
    Jack saw Alberta's password                      Prevent: masked input
                                                     Prevent: password complexity
    Jack can re-use Alberta's password (much) later  Contain: password rotation
                                                     Prevent: password complexity
                                                     Eliminate: 2FA

  11. Password File Leak
    Scenario: a vulnerability in ping allowed Jack to read /etc/passwd¹, which has everyone's passwords in it.
    ¹ Yes, I'm aware of /etc/shadow. I'm using this for simplicity.
    Photo by Matthew Brodeur

  12. Password File Leak
    Issue                                          Mitigation
    Why didn't we fire Jack after the last time?   ¯\_(ツ)_/¯
    Jack can read anyone's password                Prevent: hashed passwords
                                                   Prevent: password complexity
    Jack can log in as anyone                      Contain: password rotation
                                                   Eliminate: 2FA
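    As an added illustration of the "hashed passwords" mitigation (example code, not from the talk): the plaintext file Jack read in the slide-11 scenario next to the same accounts stored as per-user salted PBKDF2 hashes, so that the leaked file no longer contains anything Jack can type at a login prompt. The account names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of the kind of "password file" in the slide-11 scenario:
# usernames next to plaintext passwords. Whoever can read this file can log in
# as anyone. (Names and passwords are made up for this example.)
PLAINTEXT_FILE = {
    "alberta": "correct horse battery staple",
    "jack": "hunter2",
}

# PBKDF2-HMAC-SHA256 work factor; 600,000 iterations is OWASP's current guidance.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a storable record: algorithm, iteration count, random salt, digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_hashed_file(plaintext_file: dict) -> dict:
    """The same accounts stored as the slide's mitigation recommends: the file
    holds only salted hashes, so reading it reveals no password."""
    return {user: hash_password(pw) for user, pw in plaintext_file.items()}
```

    Note that the leaked hashed file still lets Jack guess offline, which is why the slide pairs hashing with password complexity and 2FA rather than relying on it alone.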

  13. Classic Password Threat Mitigations
    • Masked input
    • Password complexity
    • Password rotation
    • Hashed passwords
    • Two-Factor authentication
    Are these mitigations effective?

  14. The only effective security measures are systemic
    AKA: "humans gonna human"

  15. The idea that a person is at fault when something goes wrong is deeply
    entrenched in society. […] More and more often the blame is attributed to
    “human error.” The person involved can be fined, punished, or fired. But
    […], human error usually is a result of poor design: it should be called
    system error. Humans err continually; it is an intrinsic part of our nature.
    System design should take this into account. Pinning the blame on the
    person may be a comfortable way to proceed, but why was the system
    ever designed so that a single act by a single person could cause
    calamity?
    — Donald Norman, The Design of Everyday Things

  16. Password complexity and rotation don't work

  17. Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
    — NIST SP 800-63B

  18. THREAT MODELING PASSWORDS: MODERN ATTACKS

  19. Phishing
    Scenario: Yesterday your CEO received an email that seemed to be from her admin, asking her to review some expenses on Dropbox. She followed the link, and entered her Dropbox account. Today, she realized when talking to her admin that he hadn't sent that email.

  20. Phishing
    Issue                                            Mitigation
    The attacker has access to your Dropbox          Prevent: 2FA
    Your CEO may have used her Dropbox password      Contain: Password managers
    elsewhere
    Your CEO couldn't tell the difference between    Eliminate: U2F
    the phishing site and the real Dropbox

  21. Credential Stuffing
    Scenario: A service you use announces that they've been breached, and that the attackers have everyone's email and passwords. Several of your staff use the same password for their corporate email.

  22. Credential Stuffing
    Issue               Mitigation
    Password re-use     Respond: monitor @haveibeenpwned
                        Contain: password managers
                        Eliminate: 2FA
                        Eliminate: SSO

  23. Common mitigations against modern attacks on passwords
    • Password managers
    • 2FA (especially U2F)
    • Single-sign on (SSO)
    Are these mitigations effective?

  24. Password managers remain out of reach for most normal computer users
    But I never found a way to get people onto 1password in a single training session. The
    setup process has a lot of moving parts, involving the desktop app, browser plugin, online
    service, mobile app, and app store. It requires repeatedly typing a long master passphrase.
    And then, once it is all set up, you have to train people on the unrelated skill of how to use
    the thing, starting with their most sensitive accounts. And then you leave.
    — Maciej Cegłowski, What I Learned Trying to Secure Congressional Campaigns

  25. Single sign-on is terrifically effective!

  26. SUMMARY: MITIGATIONS FOR PASSWORD THREATS

  27. Mitigation                Effectiveness
    (The slide also rates each mitigation's usability with an icon; the icons did not survive extraction.)
    Masked input                not effective
    Password complexity         high, when used correctly
    Password rotation           not effective
    Hashed passwords            moderate, when used correctly
    Password managers           high, if actually used
    2FA (especially U2F)        very effective
    Single-sign on (SSO)        very effective ✨

  28. If U2F is more secure than passwords, why use passwords?
    If SSO is more secure than passwords, why use passwords?

  29. WHAT IF PASSWORDS ARE THE PROBLEM?

  30. What would happen if we got rid of passwords?
    • Shoulder surfing?
    • Password leaks?
    • Phishing?
    • Credential Stuffing?
    None of these attacks are effective if users don't have passwords to steal.

  31. TO •••• WITH PASSWORDS!

  32. If not passwords... what then?
    • Federated identity (Facebook, Google, Github, etc)
    • Email login
    • Corporate identity (SAML/OIDC)

  33. Federated Identity
    • Great for most consumer-oriented identity systems
    • UX is good, though beware of too many identity options.
    • Unfortunately, forces a tradeoff between privacy and security.
    • I dream about IndieAuth becoming widespread, but don't hold your breath.

  34. Email-only login
    • More or less the same as Federated Identity, except using email
    • Traditional security people will feel weird about this. They're wrong.
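    An added sketch of how email-only login works with no stored password (example code, not from the talk; the function names and the 15-minute lifetime are assumptions): the server issues a random single-use token, keeps only its hash, and whoever controls the mailbox redeems it once before it expires.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed lifetime of a login link; the talk does not specify one.
TOKEN_TTL_SECONDS = 15 * 60

# Server-side table of outstanding login tokens: sha256(token) -> (email, expiry).
# Only the hash is kept, so a leak of this table (the slide-11 scenario) gives
# an attacker nothing they can redeem.
_pending: Dict[str, Tuple[str, float]] = {}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_token(email: str, now: Optional[float] = None) -> str:
    """Create the token that would be mailed to `email`; the mailer is out of scope."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_key(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def redeem_login_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated email address, or None if the token is unknown,
    already used, or expired. Popping the entry makes every token single-use."""
    now = time.time() if now is None else now
    entry = _pending.pop(_key(token), None)
    if entry is None:
        return None
    email, expiry = entry
    return email if now <= expiry else None
```

    Because the user never chooses or types a secret, shoulder surfing, password-file leaks and credential stuffing have nothing to steal; what remains is the security of the mailbox provider, which is the point of the next slide.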

  35. GOOGLE'S SECURITY TEAM IS BETTER THAN YOURS

  36. Corporate Identity
    • Almost every company with good security practices uses some sort of corporate identity provider. If you're selling to businesses, you need to support this.
    • Two standards: SAML and OpenID Connect. Implement SAML first.

  37. TO •••• WITH PASSWORDS!
    Stop using passwords. The alternatives are easier to use and more secure. Only roll your own identity system if you know what you're doing.
    Thanks!
    Jacob Kaplan-Moss
    [email protected]

  38. Further Reading
    • Post- and pre-mortem practice: The Infinite Hows (or, the Dangers Of The Five Whys)
    • A fun source for scenarios: @badthingsdaily
    • Data on real-world attacks:
      • Data Breach Information Report
      • BusinessInsider ($$$)
      • Cost of Data Breach Report
    • On mitigation: The “Five Factors” Used To Secure Systems
