
Passwords! Passwords! Passwords!

Julien Savoie
September 28, 2016

Everything you ever wanted to know about passwords. While often seen as a remedial issue within infosec, the state of passwords within any organization plays a central role in its security. The talk explores a number of issues, such as password selection, expiration, complexity, storage, cracking and password reuse. As a bonus, I'll be sharing my own passwords to all of my social media accounts.


Transcript

1. Why so remedial?
    - Users often struggle with this
    - Enterprises still getting it wrong
    - Vendors still getting it wrong
    - Foundational infosec knowledge
    - Sticky notes are everywhere
    - Most people in the room probably not the problem

2. Who am I?
    - Does it matter?
    - Even experts are failing at this
    - Facts speak for themselves
    - Atlseccon speakers shout out

3. Password Selection
    - A fixed word as starting point, then mutated to fight complexity rules:
    - “screwyou”
    - “screwyou1”
    - “Screwyou1”
    - “Screwyou1!”
    - Recently saw “Bear1986”
    - Anyone want to guess user age?

4. Complexity
    - We’re chasing entropy
    - Length creates entropy
    - Min 9 length stops 499/500 of most used passwords
    - Most people won’t use special characters
    - Attackers will customize wordlist

5. Password reuse
    - This happens lots and lots
    - If you take away only one thing, take this
    - Happens even within infosec community
    - https://haveibeenpwned.com/
    - Unique passwords per site
    - Same local admin account firm wide

6. Password Storage
    - Don’t store passwords in cleartext
    - What is a hash?
    - Why do we want to salt?
    - Protection against rainbow tables
    - Unique per-user vs global salt
    - Updating old password hashes
    - How does AD store passwords?
    - NTLMv2 uses unsalted MD4
    - SAMBA/source/libsmb/smbencrypt.c:nt_lm_owf_gen
7. The Wrong Way

```php
<?php
// Get this from an input form
$password = "sadkittens";
// Get stored hash from database (computed on the spot here to show the comparison)
$pwhash = md5($password);
echo "Password; $password\n";
echo "Password hash; $pwhash\n";
// Unsalted MD5 compared with strcmp: the pattern this slide warns against
if (strcmp(md5($password), $pwhash) == 0)
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";
// proof this works
if (strcmp(md5('confusedkittens'), $pwhash) == 0)
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";
```

Output:

```
Password; sadkittens
Password hash; e0c5c1e2b1983c4c121e426843744a7e
Password is correct
Password is incorrect
```
8. Still Wrong

```php
<?php
// Get this from an input form
$password = "annoyedkittens";
// Generate an MD5-crypt hash with a static salt (the same salt for every user)
$pwhash = crypt($password, '$1$iusesalt');
echo "Password; $password\n";
echo "Password hash; $pwhash\n";
if (hash_equals($pwhash, crypt($password, '$1$iusesalt')))
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";
// proof this works: same password, different salt, different hash
if (hash_equals($pwhash, crypt($password, '$1$wrongsalt')))
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";
```

Output:

```
Password; annoyedkittens
Password hash; $1$iusesalt$J2Ll48Pfl7EgK5bN80e5P0
Password is correct
Password is incorrect
```
9. Modern approach

```php
<?php
// Get this from an input form
$password = "happykittens";
// From database: a legacy MD5-crypt hash; its salt is embedded in the string
$pwhash = '$1$iusesalt$rvKFr25lYXyf2600GRfdp/';
if (hash_equals($pwhash, crypt($password, $pwhash))) {
    echo "Password is correct\n";
    // check if we need to update password hash
    if (password_needs_rehash($pwhash, PASSWORD_DEFAULT)) {
        $pwhash = password_hash($password, PASSWORD_DEFAULT);
        echo "Rehashed password; $pwhash\n";
    }
}
// proof this works
if (password_verify($password, $pwhash))
    echo "Password is correct\n";
```

Output (the bcrypt salt is random, so the rehashed value differs on every run):

```
Password is correct
Rehashed password; $2y$10$YtTdgc.l1x0rP9/TN3vwTuF8wpXOeBlSc7Xu4pBWCx7T4TQcDvP62
Password is correct
```
10. Password Transmission
    - HTTPS
    - HTTPS isn’t just for login pages
    - Session cookies can be sniffed/stolen
    - Anyone remember firesheep?
    - We want to avoid session jacking
    - SessionID MD5($username)
    - Don’t do this
    - SessionID MD5($username + $password)
    - Parliament members reuse passwords too
11. Password Expiration

| For | Against |
|---|---|
| We get newer hashes | People will hate us |
| Old breaches don’t hurt us | Sticky notes everywhere |
| Compromised end points | Service desk calls |
| | New password likely similar |
| | Software implants |
12. My passwords!

| Site | Login | Password |
|---|---|---|
| Twitter | jzsavoie | 2j88nmzv2j88nmzv |
| Twitter #2 | **** | Z0zLw$#qWL9@j#0kH32T |
| Facebook | savoiejulien | Yz1g&J^5Hv7j6067o#L7 |
| Facebook #2 | **** | W85OV67QjT@G#763W8HO |
| PayPal | **** | 0EP9FA92j5*OLI%T24fh |
| Google | pathosflux | JixT9X4ppX%J70u351^U |
| Google #2 | **** | 17736KQvCx8q6Avkh!ag |
| RiseUp | **** | oq2rr12e5nvstq41n0zg3izm |
13. But it doesn’t matter
    - Two factor is cheap
    - SMS
    - Secure code generator app
    - x509 client certificates
    - YubiKey / RSA SecurID
    - SSH user keys
    - Use a password manager
    - Make your friends/family use one