
Fantastic passwords and where to find them

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password-free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to strengthen our users' passwords. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:

How to Encourage Stronger Passwords: P1e@$e $t0p Using Bad Rules: https://www.twilio.com/blog/2018/05/encourage-stronger-passwords-stop-using-bad-password-rules.html
Round up: Libraries for checking Pwned Passwords in your 7 favorite languages: https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/?noredirect=on&utm_term=.9e679e8f517a

Packages:

password-validator: https://www.npmjs.com/package/password-validator
zxcvbn: https://www.npmjs.com/package/zxcvbn

@philnash/pwned:
https://www.npmjs.com/package/@philnash/pwned
https://github.com/philnash/pwned.js

Other pwned password libraries:
hibp: https://www.npmjs.com/package/hibp
pwnedpasswords: https://www.npmjs.com/package/pwnedpasswords
pwned-pw: https://www.npmjs.com/package/pwned-pw


Phil Nash

June 06, 2019

Transcript

  1. FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

  2. Phil Nash @philnash http://philna.sh philnash@twilio.com

  3. My first password: “nash” “atom”

  4. I GOT HACKED

  5. PASSWORDS ARE TERRIBLE

  6. GUIDELINES

  7. Tom Carr @ItsMeTomC: "Your password must contain at least 8 letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 10:56 PM - Oct 13, 2014

  8. Guidelines • Uppercase • Lowercase • Numbers • Special characters

  9. password

  10. Password1!

  11. Guidelines • Change passwords regularly

  12. Password123!

  13. PATTERNS

  14. Password1!

  15. ULLLLLLLDS

  16. AN EXAMPLE

  17. Western Australia Government Security Audit • 234,000 passwords were assessed • 1/4 of passwords were deemed "weak" passwords • 1,464 passwords were "Password123" (source)

  18. Western Australia Government Security Audit

  19. My "best" password • 8 characters long • Numbers and letters (uppercase only) • Model number of my hi-fi

  20. I GOT HACKED

  21. REPETITION

  22. BREACHES

  23. @philnash

  24. HOW DO WE FIX THIS?

  25. THE GUIDELINES WERE WRONG

  26. @philnash

  27. New guidelines From the ACSC, the NCSC and NIST • At least 13 characters • Accept all characters • Don't allow insecure passwords • Dictionary words • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) • Context specific words (e.g. username, email, app name) • Passwords that have been in a breach
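The guidelines on slide 27 as a working Node.js validator. This is an added example, not code from the talk or from any of the packages it names; the dictionary list and the `context` fields (username, email, appName) are constructed stand-ins. The last rule, passwords seen in a breach, is the Pwned Passwords check the talk covers on slide 39 and is not repeated here.

```javascript
// Constructed sample dictionary; a real deployment would load a much larger list.
const DICTIONARY_WORDS = ['password', 'qwerty', 'letmein', 'welcome'];

// True if the lowercased password contains a run of at least `minLen`
// characters that are all the same (step 0, "aaaa") or step by +1/-1 in
// code point ("1234", "dcba"). The slide's examples 'aaaaaa' and '1234abcd'
// both trip it; 'correct horse battery staple' does not.
function hasRun(password, minLen = 4) {
  const s = password.toLowerCase();
  for (const step of [0, 1, -1]) {
    let run = 1;
    for (let i = 1; i < s.length; i++) {
      run = s.charCodeAt(i) - s.charCodeAt(i - 1) === step ? run + 1 : 1;
      if (run >= minLen) return true;
    }
  }
  return false;
}

// Words a user is likely to reuse: username, the local part of their e-mail
// and the application name. Fragments shorter than 3 characters are ignored
// to avoid false positives.
function contextWords(context) {
  return [context.username, context.email && context.email.split('@')[0], context.appName]
    .filter((w) => typeof w === 'string' && w.length >= 3)
    .map((w) => w.toLowerCase());
}

// Returns the names of the rules the password fails; [] means it is accepted.
// There is deliberately no character-class rule ("accept all characters").
function validatePassword(password, context = {}) {
  const failures = [];
  const lower = password.toLowerCase();
  if (password.length < 13) failures.push('min_length');
  if (DICTIONARY_WORDS.some((w) => lower.includes(w))) failures.push('dictionary_word');
  if (hasRun(password)) failures.push('repeated_or_sequential');
  if (contextWords(context).some((w) => lower.includes(w))) failures.push('context_specific');
  return failures;
}

console.log(validatePassword('Password123!', { username: 'phil' }));
// => [ 'min_length', 'dictionary_word' ]
console.log(validatePassword('correct horse battery staple', { username: 'philnash', appName: 'Twilio' }));
// => []
```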
  28. IN NODE.JS?

  29. Avoid • validator.js • validate.js • password-sheriff

  30. Suggestions • if (user.password.length < 14) { /* fail */ } • password-validator

  31. password-validator: const passwordValidator = require('password-validator'); const schema = new passwordValidator(); schema.has().uppercase().has().lowercase().has().digits().has().not().spaces();

  32. password-validator: const passwordValidator = require('password-validator'); const schema = new passwordValidator(); schema.is().min(14).is().max(255).is().not().oneOf(['password', 'Password123']); schema.validate('password', { list: true }); // => ['min', 'oneOf']

  33. Suggestions • if (user.password.length < 14) { /* fail */ } • password-validator • zxcvbn

  34. DEMO

  35. INSECURE PASSWORDS?

  36. PWNED PASSWORDS

  37. Pwned Passwords • 517,238,891 passwords previously exposed in data breaches

  38. Pwned Passwords API ⚠ Don't worry ⚠

  39. Pwned Passwords API • 1. Get the SHA1 hash of the password • 2. Take the first 5 characters of the hash • 3. https://api.pwnedpasswords.com/range/#{prefix} • 4. Check if the remainder of the hash is in the result
  40. Libraries • hibp • pwnedpasswords • pwned-pw • @philnash/pwned

  41. DEMO

  42. Help! @philnash/pwned https://github.com/philnash/pwned.js

  43. NEXT LEVEL

  44. 2 FACTOR AUTHENTICATION

  45. @philnash

  46. PASSWORDS ARE TERRIBLE

  47. PASSWORD GUIDELINES ARE WORSE

  48. MAKE PASSWORDS LONGER

  49. CHECK AGAINST BREACHES AND DICTIONARIES

  50. IMPLEMENT TWO FACTOR AUTHENTICATION

  51. THANKS!

  52. QUESTIONS OR BAD PASSWORD JOKES

  53. Thanks! @philnash http://philna.sh philnash@twilio.com