To ••• With Passwords

Transcript

1. TO •••• WITH PASSWORDS Jacob Kaplan-Moss [email protected]

2. None

3. !

4. Agenda 1. Introduction to threat modeling 2. Apply threat modeling

   to identity systems and discover that passwords are the root of many problems. 3. If not passwords, then what?

5. THREAT MODELING

6. Scenario-Based Threat Modeling 1. Scenario: tell a story about an

   imagined breach 2. Pre-mortem: trace contributing events 3. Mitigate: figure out where and how best to mitigate Photo by You X Ventures

7. Threat Modeling Example — https://twitter.com/badthingsdaily/status/836984397819596800

8. Threat Modeling Example Issue Mitigation CI/CD servers have over- scoped

   AWS keys Evidence: enable CloudTrail Contain: IAM roles Eliminate: pull-based deploys Code contains OAuth secrets Prevent: move keys to env Eliminate: use Vault/KMS

9. THREAT MODELING PASSWORDS

10. THREAT MODELING PASSWORDS: CLASSIC ATTACKS

11. Shoulder Surfing Scenario: Jack, a disgruntled employee watches Alberta, the

    CFO, log in, and remembers her password. He can now use her password to embezzle funds. Photo by David Rangel

12. Shoulder Surfing Issue Mitigation Jack saw Alberta's password Prevent: masked

    input Prevent: password complexity Jack can re-use Alberta's password (much) later Contain: password rotation Prevent: password complexity Eliminate: 2FA

13. Password File Leak Scenario: a vulnerability in ping allowed Jack

    to read /etc/passwd1, which has everyone's passwords in it. 1 Yes, I'm aware of /etc/shadow. I'm using this for simplicity. Photo by Matthew Brodeur

14. Password File Leak Issue Mitigation Why didn't we fire Jack

    after the last time? ¯\_(ϑ)_/¯ Jack can read anyone's password Prevent: hashed passwords Prevent: password complexity Jack can log in as anyone Contain: password rotation Eliminate: 2FA

15. Classic Password Threat Mitigations • Masked input • Password complexity

    • Password rotation • Hashed passwords • Two-Factor authentication Are these mitigations effective?

16. The only effective security measures are systemic AKA: "humans gonna

    human"

17. The idea that a person is at fault when something

    goes wrong is deeply entrenched in society. […] More and more often the blame is attributed to “human error.” The person involved can be fined, punished, or fired. But […], human error usually is a result of poor design: it should be called system error. Humans err continually; it is an intrinsic part of our nature. System design should take this into account. Pinning the blame on the person may be a comfortable way to proceed, but why was the system ever designed so that a single act by a single person could cause calamity? — Donald Norman, The Design of Everyday Things

18. Password complexity and rotation don't work

19. Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures

    of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). — NIST SP 800-63B

20. THREAT MODELING PASSWORDS: MODERN ATTACKS

21. Phishing Scenario: Yesterday your CEO received an email that seemed

    to be from her admin, asking her to review some expenses on Dropbox. She followed the link, and entered her Dropbox account. Today, she realized when talking to her admin that he hadn't sent that email.

22. Phishing Issue Mitigation The attacker has access to your Dropbox

    Prevent: 2FA Your CEO may have used her Dropbox password elsewhere Contain: Password managers Your CEO couldn't tell the difference between the phishing site and the real Dropbox Eliminate: U2F

23. Credential Stuffing Scenario: A service you use announces that they've

    been breached, and that the attackers have everyone's email and passwords. Several of your staff use the same password for their corporate email..

24. Credential Stuffing Issue Mitigation Password re-use Respond: monitor @haveibeenpwnd Contain:

    password managers Elminate: 2FA Elminate: SSO

25. Common mitigations against modern attacks on passwords • Password managers

    • 2FA (especially U2F) • Single-sign on (SSO) Are these mitigations effective?

26. Password managers remain out of reach for most normal computer

    users But I never found a way to get people onto 1password in a single training session. The setup process has a lot of moving parts, involving the desktop app, browser plugin, online service, mobile app, and app store. It requires repeatedly typing a long master passphrase. And then, once it is all set up, you have to train people on the unrelated skill of how to use the thing, starting with their most sensitive accounts. And then you leave. — Maciej Cegłowski, What I Learned Trying to Secure Congressional Campaigns

27. Single sign-on is terrifically effective!

28. SUMMARY: MITIGATIONS FOR PASSWORD THREATS

29. Mitigation Effectiveness Usability Masked input not effective ! Password complexity

    high, when used correctly ! Password rotation not effective " Hashed passwords moderate, when used correctly — Password managers high, if actually used ! 2FA (especially U2F) very effective ! Single-sign on (SSO) very effective # ✨ %

30. If U2F is more secure than passwords, why use passwords?

    If SSO is more than passwords, why use passwords?

31. ! WHAT IF PASSWORDS ARE THE PROBLEM?

32. What would happen if we got rid of passwords? •

    Shoulder surfing? • Password leaks? • Phishing? • Credential Stufffing? None of these attacks are effective if users don't have passwords to steal.

33. TO •••• WITH PASSWORDS!

34. If not passwords... what then? • Federated identity (Facebook, Google,

    Github, etc) • Email login • Corporate identity (SAML/OIDC)

35. Federated Identity • Great for most consumer-oriented identity systems •

    UX is good, though beware of too many identity options. • Unfortunately, forces a tradeoff between privacy and security. • I dream about IndieAuth become widespread, but don't hold your breath.

36. Email-only login • More or less the same as Federated

    Identity, except using email • Traditional security people will feel weird about this. They're wrong.

37. GOOGLE'S SECURITY TEAM IS BETTER THAN YOURS

38. Corporate Identity • Almost every company with good security practices

    uses some sort of corporate identity provider. If you're selling to businesses, you need to support this. • Two standards: SAML and OpenID Connect. Implement SAML first.

39. TO •••• WITH PASSWORDS! Stop using passwords. The alternatives are

    easier to use and more secure. Only roll your own identity system if you know what you're doing. Thanks! Jacob Kaplan-Moss [email protected]

40. Further Reading • Post- and pre-mortem practice: The Infinite Hows

    (or, the Dangers Of The Five Whys) • A fun source for scenarios: @badthingsdaily • Data on real-world attacks: • Data Breach Information Report • BusinessInsider ($$$) • Cost of Data Breach Report • On mitigation: The “Five Factors” Used To Secure Systems