Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fantastic passwords and where to find them

Phil Nash
June 06, 2019
Programming
0
190

Fantastic passwords and where to find them

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to strengthen our users' passwords. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:

How to Encourage Stronger Passwords: P1e@$e $t0p Using Bad Rules: https://www.twilio.com/blog/2018/05/encourage-stronger-passwords-stop-using-bad-password-rules.html
Round up: Libraries for checking Pwned Passwords in your 7 favorite languages: https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/?noredirect=on&utm_term=.9e679e8f517a

Packages:

password-validator: https://www.npmjs.com/package/password-validator
zxcvbn: https://www.npmjs.com/package/zxcvbn

@philnash/pwned:
https://www.npmjs.com/package/@philnash/pwned
https://github.com/philnash/pwned.js

Other pwned password libraries:
hibp: https://www.npmjs.com/package/hibp
pwnedpasswords: https://www.npmjs.com/package/pwnedpasswords
pwned-pw: https://www.npmjs.com/package/pwned-pw

Phil Nash

June 06, 2019
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
philnash
3
410
JavaScript Apps Go Intl - GIDS Live 2021
philnash
2
260
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
philnash
1
270
Better API DX with a CLI - APIdays Jakarta
philnash
0
340
The trouble with webhooks - at Apidays Live Hong Kong
philnash
2
200
Four steps from JavaScript to TypeScript
philnash
0
390
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
The trouble with webhooks - at APIdays Singapore
philnash
0
290
What's going on with Project Fugu? at DevTalks Reimagined
philnash
0
430

Other Decks in Programming

See All in Programming
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
190
Duckdb-Wasmでローカルダッシュボードを作ってみた
nkforwork
0
120
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
100
シールドクラスをはじめよう / Getting Started with Sealed Classes
mackey0225
4
640
【Kaigi on Rails 2024】YOUTRUST スポンサーLT
krpk1900
1
330
初めてDefinitelyTypedにPRを出した話
syumai
0
400
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
540
Better Code Design in PHP
afilina
PRO
0
120
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
10
1.3k
Jakarta EE meets AI
ivargrimstad
0
130
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k

Featured

See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Thoughts on Productivity
jonyablonski
67
4.3k
The Language of Interfaces
destraynor
154
24k
Typedesign – Prime Four
hannesfritz
40
2.4k
Speed Design
sergeychernyshev
24
610
Producing Creativity
orderedlist
PRO
341
39k
Happy Clients
brianwarren
98
6.7k
GitHub's CSS Performance
jonrohan
1030
460k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k

Transcript

  1. FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

  2. Phil Nash @philnash http://philna.sh [email protected]

  3. My first password: “nash” “atom” @philnash

  4. I GOT HACKED @philnash

  5. PASSWORDS ARE TERRIBLE @philnash

  6. GUIDELINES @philnash

  7. Tom Carr @ItsMeTomC "Your password must contain at least 8

    letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 3,448 10:56 PM - Oct 13, 2014 4,926 people are talking about this @philnash

  8. Guidelines • Uppercase • Lowercase • Numbers • Special characters

    @philnash

  9. password @philnash

  10. Password1! @philnash

  11. Guidelines Change passwords regularly @philnash

  12. Password123! @philnash

  13. PATTERNS @philnash

  14. Password1! @philnash

  15. ULLLLLLLDS @philnash

  16. AN EXAMPLE @philnash

  17. Western Australia Government Security Audit 234,000 passwords were assessed 1/4

    of passwords were deemed "weak" passwords 1,464 passwords were "Password123" (source) @philnash

  18. Western Australia Government Security Audit @philnash

  19. My "best" password • 8 characters long • Numbers and

    letters (uppercase only) • Model number of my hi-fi @philnash

  20. I GOT HACKED @philnash

  21. REPETITION @philnash

  22. BREACHES @philnash

  23. @philnash

  24. HOW DO WE FIX THIS? @philnash

  25. THE GUIDELINES WERE WRONG @philnash

  26. @philnash

  27. New guidelines From the ACSC, the NCSC and NIST •

    At least 13 characters • Accept all characters • Don't allow insecure passwords • Dictionary words • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) • Context specific words (e.g. username, email, app name) • Passwords that have been in a breach @philnash

  28. IN NODE.JS? @philnash

  29. Avoid validator.js validate.js password-sheriff @philnash

  30. Suggestions if (user.password.length < 14) { // fail } password-validator

    @philnash

  31. password-validator const schema = new passwordValidator(); schema .has().uppercase() .has().lowercase() .has().digits()

    .has().not().spaces() 01. 02. 03. 04. 05. 06. @philnash

  32. password-validator const schema = new passwordValidator(); schema .is().min(14) .is().max(255) .is().not().oneOf(['password',

    'Password123']); schema.validate('password', { list: true }); // => ['min', 'oneOf'] 01. 02. 03. 04. 05. 06. 07. @philnash

  33. Suggestions if (user.password.length < 14) { // fail } password-validator

    zxcvbn @philnash

  34. DEMO @philnash

  35. INSECURE PASSWORDS? @philnash

  36. PWNED PASSWORDS @philnash

  37. Pwned Passwords 517,238,891 passwords previously exposed in data breaches @philnash

  38. Pwned Passwords API ⚠ Don't worry ⚠ @philnash

  39. Pwned Passwords API 1. Get the SHA1 hash of the

    password 2. Take the first 5 characters of the hash 3. https://api.pwnedpasswords.com/range/#{prefix} 4. Check if the remainder of the hash is in the result @philnash

  40. Libraries • hibp • pwnedpasswords • pwned-pw • @philnash/pwned @philnash

  41. DEMO @philnash

  42. Help! @philnash/pwned https://github.com/philnash/pwned.js @philnash

  43. NEXT LEVEL @philnash

  44. 2 FACTOR AUTHENTICATION @philnash

  45. @philnash

  46. PASSWORDS ARE TERRIBLE @philnash

  47. PASSWORD GUIDELINES ARE WORSE @philnash

  48. MAKE PASSWORDS LONGER @philnash

  49. CHECK AGAINST BREACHES AND DICTIONARIES @philnash

  50. IMPLEMENT TWO FACTOR AUTHENTICATION @philnash

  51. THANKS! @philnash

  52. QUESTIONS OR BAD PASSWORD JOKES @philnash

  53. Thanks! @philnash http://philna.sh [email protected]