Passwords! Passwords! Passwords! 2022

An update to my 2016 talk on Passwords, presented at DC902.

Julien Savoie

June 28, 2022

Transcript

  1. Why so remedial?
     ▪ Gave this talk in 2016
     ▪ Users often struggle with this
     ▪ Enterprises still getting it wrong
     ▪ Foundational infosec knowledge
  2. Password Selection
     ▪ A fixed word starting point, fights complexity
        - “screwyou”
        - “screwyou1”
        - “Screwyou1”
        - “Screwyou1!”
     ▪ Recently saw “Bear1986”
     ▪ Anyone want to guess user age?
  3. Complexity
     ▪ We’re chasing entropy
     ▪ Length creates entropy
     ▪ Min 9 length stops 499/500 of most used passwords
     ▪ Most people won't use special characters
     ▪ Attackers will customize wordlist
  4. Password Reuse
     ▪ This happens lots and lots
     ▪ If you take away only one thing, take this
     ▪ Happens even within infosec community
     ▪ https://haveibeenpwned.com/
     ▪ Unique passwords per site
     ▪ Same local admin account firm-wide
  5. Password Storage
     ▪ Don’t store passwords in cleartext
     ▪ What is a hash?
     ▪ Why do we want to salt?
        - Protection against rainbow tables
     ▪ Updating old password hashes
     ▪ How does AD store passwords?
        - NTLMv2 uses unsalted MD4
        - SAMBA/source/libsmb/smbencrypt.c:nt_lm_owf_gen
  6. The Wrong Way

     ```php
     <?php
     // Get this from an input form
     $password = "sadkittens";

     // Get stored hash from database
     // (unsalted MD5: no protection against rainbow tables)
     $pwhash = md5($password);
     echo "Password; $password\n";
     echo "Password hash; $pwhash\n";

     if (strcmp(md5($password), $pwhash) == 0)
         echo "Password is correct\n";
     else
         echo "Password is incorrect\n";

     // proof this works
     if (strcmp(md5('confusedkittens'), $pwhash) == 0)
         echo "Password is correct\n";
     else
         echo "Password is incorrect\n";
     ```

     Output:

     ```
     Password; sadkittens
     Password hash; e0c5c1e2b1983c4c121e426843744a7e
     Password is correct
     Password is incorrect
     ```
  7. Still Wrong

     ```php
     <?php
     // Get this from an input form
     $password = "annoyedkittens";

     // Generate an md5 hash, use static salt
     // (the same salt for every user, so identical passwords still hash alike)
     $pwhash = crypt($password, '$1$iusesalt');
     echo "Password; $password\n";
     echo "Password hash; $pwhash\n";

     if (hash_equals($pwhash, crypt($password, '$1$iusesalt')))
         echo "Password is correct\n";
     else
         echo "Password is incorrect\n";

     // proof this works
     if (hash_equals($pwhash, crypt($password, '$1$wrongsalt')))
         echo "Password is correct\n";
     else
         echo "Password is incorrect\n";
     ```

     Output:

     ```
     Password; annoyedkittens
     Password hash; $1$iusesalt$J2Ll48Pfl7EgK5bN80e5P0
     Password is correct
     Password is incorrect
     ```
  8. Modern approach

     ```php
     <?php
     // Get this from an input form
     $password = "happykittens";

     // From database
     $pwhash = '$1$iusesalt$rvKFr25lYXyf2600GRfdp/';

     // crypt() reads the algorithm and salt back out of the stored hash
     if (hash_equals($pwhash, crypt($password, $pwhash))) {
         echo "Password is correct\n";
         // check if we need to update password hash
         if (password_needs_rehash($pwhash, PASSWORD_DEFAULT)) {
             $pwhash = password_hash($password, PASSWORD_DEFAULT);
             echo "Rehashed password; $pwhash\n";
         }
     }

     // proof this works
     if (password_verify($password, $pwhash))
         echo "Password is correct\n";
     ```

     Output:

     ```
     Password is correct
     Rehashed password; $2y$10$YtTdgc.l1x0rP9/TN3vwTuF8wpXOeBlSc7Xu4pBWCx7T4TQcDvP62
     Password is correct
     ```
  9. Password Expiration
     ▪ For
        - We get newer hashes
        - Old breaches don’t hurt us
        - Compromised end points
     ▪ Against
        - People will hate us
        - Sticky notes everywhere
        - Service desk calls
        - New password likely similar
        - Software implants
  10. Let's talk about 2FA
     ▪ SMS (deprecated)
     ▪ OTP (One-time password)
        - hash (shared secret + truncated current time)
     ▪ x509 client certificates
     ▪ SSH keys
     ▪ Challenge-response hardware token
  11. Checking our own passwords
     ▪ Password managers starting to do this
        - chrome://settings/passwords/check
        - LastPass
     ▪ Azure AD password protection
     ▪ 3rd party notification services
        - Security Scorecard / Bitsight
        - Raidforums community
     ▪ Cracking our own user accounts?
        - Hashcat + cheap GPUs
  12. Moving beyond passwords?
     ▪ The dilemma
        - New password + secure == can't remember
        - New password + can remember == not secure
     ▪ Can we just give up on passwords?
        - Biometrics not suitable
        - Push notifications
        - Apple
        - Facebook
        - Microsoft Office365
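
Slide 10 describes OTP as hash (shared secret + truncated current time); the block below writes that out as TOTP (RFC 6238) with a server-side check. It is an added example, not code from the talk: HMAC-SHA1, the 30-second step, 6 digits, the one-step drift window and the `last_used` replay guard are assumptions the slide does not state, and the key is the RFC test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (assumed; RFC 6238 default)
DIGITS = 6   # code length (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """hash(shared secret + counter): HMAC-SHA1, then RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """'Truncated current time' = whole STEP-second intervals since the epoch."""
    return hotp(secret, int(now) // STEP, digits)


def verify(secret: bytes, submitted: str, now: float,
           last_used: int = -1, window: int = 1):
    """Return the matched time step, or None if the code is rejected.

    Tolerates +/- `window` steps of clock drift and refuses any step at or
    before `last_used`, so a code that was already accepted cannot be replayed.
    """
    current = int(now) // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_used:
            continue
        expected = hotp(secret, counter)
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = counter
    return matched


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226/6238 test key, not a real secret
    code = totp(secret, 59)
    step = verify(secret, code, 59)
    print(code, step)                                 # first use is accepted
    print(verify(secret, code, 59, last_used=step))   # replay is rejected
```

The server has to persist the returned step per user and pass it back as `last_used`, otherwise a code stays valid for the whole drift window.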