
Fantastic passwords and where to find them

Phil Nash
October 03, 2018


The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password-free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to strengthen our users' passwords. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:

How to Encourage Stronger Passwords: P1e@$e $t0p Using Bad Rules: https://www.twilio.com/blog/2018/05/encourage-stronger-passwords-stop-using-bad-password-rules.html
Better passwords in Ruby applications with the Pwned Passwords API: https://www.twilio.com/blog/2018/03/better-passwords-in-ruby-applications-pwned-passwords-api.html
Round up: Libraries for checking Pwned Passwords in your 7 favorite languages: https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/?noredirect=on&utm_term=.9e679e8f517a

Gems:

No BS Password checker: https://github.com/cmer/nobspw
zxcvbn-js: https://github.com/bitzesty/zxcvbn-js (but it's not JS...)
strong_password: https://github.com/bdmac/strong_password

Pwned: https://github.com/philnash/pwned
devise-pwned_password: https://github.com/michaelbanfield/devise-pwned_password


Transcript

  1. FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

  2. Phil Nash @philnash http://philna.sh philnash@twilio.com

  3. My first password: “nash” “atom”

  4. I GOT HACKED

  5. PASSWORDS ARE TERRIBLE

  6. GUIDELINES

  7. Tom Carr @ItsMeTomC: "Your password must contain at least 8 letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 11:56 PM - Oct 13, 2014

  8. Guidelines • Uppercase • Lowercase • Numbers • Special characters

  9. password

  10. Password1!

  11. Guidelines • Change passwords regularly

  12. Password123!

  13. PATTERNS

  14. Western Australia Government Security Audit • 234,000 passwords were assessed • 1/4 of passwords were deemed "weak" • 1,464 passwords were "Password123" (source)

  15. Western Australia Government Security Audit

  16. My "best" password • 8 characters long • Numbers and letters (uppercase only) • Model number of my hi-fi

  17. (no text)

  18. (no text)

  19. I GOT HACKED

  20. REPETITION

  21. BREACHES

  22. (no text)

  23. HOW DO WE FIX THIS?

  24. THE GUIDELINES WERE WRONG

  25. (no text)

  26. New guidelines, from the ACSC, the NCSC and NIST
      • At least 13 characters
      • Accept all characters
      • Don't allow insecure passwords:
        • Dictionary words
        • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
        • Context-specific words (e.g. username, email, app name)
        • Passwords that have been in a breach
  27. IN RUBY?

  28. Devise: config.password_length = 6..128

  29. Authlogic: validates :password, confirmation: { if: :require_password? }, length: { minimum: 8, if: :require_password? }

  30. Clearance: # Nothing

  31. Avoid devise_security_extension password_strength

  32. Suggestions • validates :password, length: { minimum: 14 } • nobspw • zxcvbn-js • strong_password
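Slide 26 lists the rules and slide 32 suggests a bare length validation plus a strength gem. The class below is an added example, not the talk's own code and not taken from nobspw, zxcvbn-js or strong_password: it implements the slide-26 checks that a length validation does not cover (dictionary words, repeated or sequential runs, context-specific words) in plain Ruby so it can be called from a Rails `validate` method. The class name, method names, the tiny word list and the run length of 4 are this example's assumptions; the breach check is a separate step against the Pwned Passwords API and is not done here.

```ruby
# Added example: a plain-Ruby password policy following the slide-26 guidelines
# (long, accept any character, reject dictionary words, repeated/sequential
# runs and context-specific words). Not from the talk or any gem it lists;
# names and thresholds are this example's own.
class PasswordPolicy
  # Constructed, deliberately tiny word list for the example. A real deployment
  # would load a proper common-passwords list here instead.
  DICTIONARY = %w[password letmein welcome qwerty dragon monkey football].freeze

  # Longest run of identical or strictly consecutive characters still tolerated:
  # "aaa"/"123" pass, "aaaa"/"1234"/"dcba" anywhere in the password fail.
  MAX_RUN = 3

  # Context fragments shorter than this (e.g. "com" from an e-mail address)
  # are ignored, otherwise almost everything would match.
  MIN_CONTEXT_WORD = 4

  def initialize(min_length: 13, dictionary: DICTIONARY)
    @min_length = min_length
    @dictionary = dictionary.map(&:downcase)
  end

  # Returns the reasons the password is rejected; an empty array means it
  # passes. context holds strings the password must not contain
  # (username, email, app name ...).
  def problems(password, context: {})
    found = []
    found << "must be at least #{@min_length} characters" if password.length < @min_length
    found << "is a dictionary word" if dictionary_word?(password)
    found << "contains repeated or sequential characters" if run_of?(password)
    found << "contains context-specific words (username, email, app name)" if context_word?(password, context)
    found
  end

  def acceptable?(password, context: {})
    problems(password, context: context).empty?
  end

  private

  # Case-insensitive, and strips digits/symbols first so that the classic
  # "Password1!" / "Password123!" decorations from slides 10 and 12 still
  # collapse to the dictionary word.
  def dictionary_word?(password)
    @dictionary.include?(password.downcase.gsub(/[^a-z]/, ""))
  end

  # A run is MAX_RUN + 1 characters where every codepoint equals, or is exactly
  # one above/below, the previous one: "aaaa", "abcd", "9876".
  def run_of?(password)
    codes = password.codepoints
    return false if codes.length <= MAX_RUN

    [0, 1, -1].any? do |step|
      codes.each_cons(MAX_RUN + 1).any? do |window|
        window.each_cons(2).all? { |a, b| b - a == step }
      end
    end
  end

  # Splits each context value into words (e-mail local part, domain labels,
  # spaces) and rejects the password if it contains any long-enough word.
  def context_word?(password, context)
    words = context.values.compact.flat_map { |v| v.to_s.downcase.split(/[@._\-\s]+/) }
    words.reject { |w| w.length < MIN_CONTEXT_WORD }.any? { |w| password.downcase.include?(w) }
  end
end
```

In a Rails model this slots in as `validate :check_password_policy`, whose body adds each returned reason with `errors.add(:password, reason)` and passes `username`, `email` and the application name as `context:`; `PasswordPolicy.new(min_length: 14)` matches the minimum on slide 32. Spaces and any other character are accepted, so "correct horse battery staple" passes while "Password123!" fails on two counts.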
  33. DEMO

  34. INSECURE PASSWORDS?

  35. PWNED PASSWORDS

  36. Pwned Passwords: 517,238,891 passwords previously exposed in data breaches

  37. Pwned Passwords API ⚠ Don't worry ⚠

  38. Pwned Passwords API
      1. Get the SHA1 hash of the password
      2. Take the first 5 characters of the hash
      3. https://api.pwnedpasswords.com/range/#{prefix}
      4. Check if the remainder of the hash is in the result
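The four steps on slide 38, written out in plain Ruby as an added example; this is not the pwned gem's code, and the module and method names are this example's own. Slide 37's "don't worry" is visible in `split_hash`: only the five-character SHA-1 prefix is sent to the API, the service returns every suffix sharing that prefix, and the comparison with the remaining 35 characters happens locally. A constructed range body (real SHA-1 of "password", invented counts, two filler lines) keeps the example offline; leave `fetcher:` at its default to query the live API.

```ruby
require "digest"
require "net/http"
require "uri"

# Added example of the k-anonymity lookup from slide 38. Not the pwned gem's
# code; names are this example's own.
module PwnedCheck
  API = "https://api.pwnedpasswords.com/range/"

  # Steps 1 and 2: uppercase hex SHA-1, split into the 5-character prefix that
  # is sent and the 35-character remainder that never leaves the machine.
  def self.split_hash(password)
    sha1 = Digest::SHA1.hexdigest(password).upcase
    [sha1[0, 5], sha1[5, 35]]
  end

  # Step 3: fetch the range for a prefix. The body is one "SUFFIX:COUNT" pair
  # per line (CRLF-terminated) for every suffix the service knows.
  def self.fetch_range(prefix)
    res = Net::HTTP.get_response(URI.join(API, prefix))
    raise "Pwned Passwords API returned HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)

    res.body
  end

  # Step 4: scan the range for our suffix and return its breach count
  # (0 when absent). Case-insensitive and tolerant of CRLF line endings.
  def self.count_in_range(body, suffix)
    body.each_line do |line|
      candidate, count = line.strip.split(":", 2)
      return count.to_i if candidate&.casecmp?(suffix)
    end
    0
  end

  # Full check. fetcher lets tests or offline use inject a stub in place of
  # the network call; it receives the prefix and returns a range body.
  def self.breach_count(password, fetcher: method(:fetch_range))
    prefix, suffix = split_hash(password)
    count_in_range(fetcher.call(prefix), suffix)
  end

  def self.pwned?(password, fetcher: method(:fetch_range))
    breach_count(password, fetcher: fetcher).positive?
  end
end

# Constructed stand-in for a range response so the example runs offline.
# PASSWORD_SHA1 is the real SHA-1 of "password"; the counts are invented and
# the two neighbouring suffixes are filler. A live range has several hundred lines.
PASSWORD_SHA1 = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"
SAMPLE_RANGE = <<~BODY
  0018A45C4D1DEF81644B54AB7F969B88D65:1
  #{PASSWORD_SHA1[5, 35]}:3730471
  00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
BODY

# Runs the check for two passwords against the constructed range and returns
# the counts keyed by password: "password" is found, the passphrase is not.
def demo_offline
  stub = ->(prefix) { prefix == PASSWORD_SHA1[0, 5] ? SAMPLE_RANGE : "" }
  {
    "password" => PwnedCheck.breach_count("password", fetcher: stub),
    "correct horse battery staple" => PwnedCheck.breach_count("correct horse battery staple", fetcher: stub)
  }
end
```

Because the whole range comes back, the service cannot tell which of the several hundred suffixes the caller cared about; the cost is one HTTPS request per check, which is why a sign-up or password-change form is the natural place to call it rather than every login.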
  39. PWNED GEM

  40. DEMO

  41. Pwned https://github.com/philnash/pwned devise-pwned_password

  42. PASSWORDS ARE TERRIBLE

  43. PASSWORD GUIDELINES ARE WORSE

  44. MAKE PASSWORDS LONGER

  45. CHECK AGAINST BREACHES AND DICTIONARIES

  46. IMPLEMENT TWO FACTOR AUTHENTICATION

  47. THANKS!

  48. QUESTIONS OR BAD PASSWORD JOKES

  49. Thanks! @philnash http://philna.sh philnash@twilio.com