Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fantastic passwords and where to find them

Phil Nash
June 06, 2019
Programming
0
150

Fantastic passwords and where to find them

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to strengthen our users' passwords. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:

How to Encourage Stronger Passwords: P1e@$e $t0p Using Bad Rules: https://www.twilio.com/blog/2018/05/encourage-stronger-passwords-stop-using-bad-password-rules.html
Round up: Libraries for checking Pwned Passwords in your 7 favorite languages: https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/?noredirect=on&utm_term=.9e679e8f517a

Packages:

password-validator: https://www.npmjs.com/package/password-validator
zxcvbn: https://www.npmjs.com/package/zxcvbn

@philnash/pwned:
https://www.npmjs.com/package/@philnash/pwned
https://github.com/philnash/pwned.js

Other pwned password libraries:
hibp: https://www.npmjs.com/package/hibp
pwnedpasswords: https://www.npmjs.com/package/pwnedpasswords
pwned-pw: https://www.npmjs.com/package/pwned-pw

Phil Nash

June 06, 2019
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
philnash
3
310
JavaScript Apps Go Intl - GIDS Live 2021
philnash
2
180
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
philnash
1
190
Better API DX with a CLI - APIdays Jakarta
philnash
0
280
The trouble with webhooks - at Apidays Live Hong Kong
philnash
2
140
Four steps from JavaScript to TypeScript
philnash
0
330
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
The trouble with webhooks - at APIdays Singapore
philnash
0
220
What's going on with Project Fugu? at DevTalks Reimagined
philnash
0
310

Other Decks in Programming

See All in Programming
Scalable Customer Journey Orchestration (CJO)
lewuathe
0
310
ONE WEDGE_company_guide
1wedge_one
0
480
新宿ダンジョンを可視化してみた
satoshi7190
2
260
Ruby GitHub Packages
bkuhlmann
0
630
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
360
Let's learn code review
riofujimon
1
310
TYPO3 v13 – The road to LTS: What's new and new APIs
luisasofie_xoxo
0
200
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.4k
Azure OpenAI Serviceのプロンプトエンジニアリング入門
tomokusaba
3
700
Fragment Composition of GraphQL
quramy
7
990
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
Milestoner
bkuhlmann
1
410

Featured

See All Featured
Side Projects
sachag
451
41k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
YesSQL, Process and Tooling at Scale
rocio
164
13k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Building Better People: How to give real-time feedback that sticks.
wjessup
355
18k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
Happy Clients
brianwarren
92
6.4k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
Designing for humans not robots
tammielis
248
25k

Transcript

  1. FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

  2. Phil Nash @philnash http://philna.sh [email protected]

  3. My first password: “nash” “atom” @philnash

  4. I GOT HACKED @philnash

  5. PASSWORDS ARE TERRIBLE @philnash

  6. GUIDELINES @philnash

  7. Tom Carr @ItsMeTomC "Your password must contain at least 8

    letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 3,448 10:56 PM - Oct 13, 2014 4,926 people are talking about this @philnash

  8. Guidelines • Uppercase • Lowercase • Numbers • Special characters

    @philnash

  9. password @philnash

  10. Password1! @philnash

  11. Guidelines Change passwords regularly @philnash

  12. Password123! @philnash

  13. PATTERNS @philnash

  14. Password1! @philnash

  15. ULLLLLLLDS @philnash

  16. AN EXAMPLE @philnash

  17. Western Australia Government Security Audit 234,000 passwords were assessed 1/4

    of passwords were deemed "weak" passwords 1,464 passwords were "Password123" (source) @philnash

  18. Western Australia Government Security Audit @philnash

  19. My "best" password • 8 characters long • Numbers and

    letters (uppercase only) • Model number of my hi-fi @philnash

  20. I GOT HACKED @philnash

  21. REPETITION @philnash

  22. BREACHES @philnash

  23. @philnash

  24. HOW DO WE FIX THIS? @philnash

  25. THE GUIDELINES WERE WRONG @philnash

  26. @philnash

  27. New guidelines From the ACSC, the NCSC and NIST •

    At least 13 characters • Accept all characters • Don't allow insecure passwords • Dictionary words • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) • Context specific words (e.g. username, email, app name) • Passwords that have been in a breach @philnash

  28. IN NODE.JS? @philnash

  29. Avoid validator.js validate.js password-sheriff @philnash

  30. Suggestions if (user.password.length < 14) { // fail } password-validator

    @philnash

  31. password-validator const schema = new passwordValidator(); schema .has().uppercase() .has().lowercase() .has().digits()

    .has().not().spaces() 01. 02. 03. 04. 05. 06. @philnash

  32. password-validator const schema = new passwordValidator(); schema .is().min(14) .is().max(255) .is().not().oneOf(['password',

    'Password123']); schema.validate('password', { list: true }); // => ['min', 'oneOf'] 01. 02. 03. 04. 05. 06. 07. @philnash

  33. Suggestions if (user.password.length < 14) { // fail } password-validator

    zxcvbn @philnash

  34. DEMO @philnash

  35. INSECURE PASSWORDS? @philnash

  36. PWNED PASSWORDS @philnash

  37. Pwned Passwords 517,238,891 passwords previously exposed in data breaches @philnash

  38. Pwned Passwords API ⚠ Don't worry ⚠ @philnash

  39. Pwned Passwords API 1. Get the SHA1 hash of the

    password 2. Take the first 5 characters of the hash 3. https://api.pwnedpasswords.com/range/#{prefix} 4. Check if the remainder of the hash is in the result @philnash

  40. Libraries • hibp • pwnedpasswords • pwned-pw • @philnash/pwned @philnash

  41. DEMO @philnash

  42. Help! @philnash/pwned https://github.com/philnash/pwned.js @philnash

  43. NEXT LEVEL @philnash

  44. 2 FACTOR AUTHENTICATION @philnash

  45. @philnash

  46. PASSWORDS ARE TERRIBLE @philnash

  47. PASSWORD GUIDELINES ARE WORSE @philnash

  48. MAKE PASSWORDS LONGER @philnash

  49. CHECK AGAINST BREACHES AND DICTIONARIES @philnash

  50. IMPLEMENT TWO FACTOR AUTHENTICATION @philnash

  51. THANKS! @philnash

  52. QUESTIONS OR BAD PASSWORD JOKES @philnash

  53. Thanks! @philnash http://philna.sh [email protected]