Fantastic passwords and where to find them - at NoRuKo

Phil Nash
August 21, 2020

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to strengthen our users' passwords. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:

How to Encourage Stronger Passwords: P1e@$e $t0p Using Bad Rules: https://www.twilio.com/blog/2018/05/encourage-stronger-passwords-stop-using-bad-password-rules.html
Better passwords in Ruby applications with the Pwned Passwords API:
https://www.twilio.com/blog/2018/03/better-passwords-in-ruby-applications-pwned-passwords-api.html
Round up: Libraries for checking Pwned Passwords in your 7 favorite languages: https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

Gems:

No BS Password checker: https://github.com/cmer/nobspw
zxcvbn-js: https://github.com/envato/zxcvbn
strong_password: https://github.com/bdmac/strong_password

Pwned: https://github.com/philnash/pwned
devise-pwned_password: https://github.com/michaelbanfield/devise-pwned_password

Transcript

  1. FANTASTIC
    PASSWORDS
    AND WHERE
    TO FIND THEM
    @philnash

  2. Phil Nash
    @philnash
    @phil_nash
    https://philna.sh
    [email protected]

  3. My first password:
    “nash”
    “atom”
    @philnash

  4. I GOT HACKED
    @philnash

  5. PASSWORDS ARE
    TERRIBLE
    @philnash

  6. GUIDELINES
    @philnash

  7. Guidelines
    • Uppercase
    • Lowercase
    • Numbers
    • Special characters
    @philnash

  8. password
    @philnash

  9. Password1!
    @philnash

  10. Guidelines
    Change passwords regularly
    @philnash

  11. Password123!
    @philnash

  12. PATTERNS
    @philnash

  13. Password1!
    @philnash

  14. ULLLLLLLDS
    @philnash

  15. AN EXAMPLE
    @philnash

  16. Western Australia Government Security Audit
    234,000 passwords were assessed
    1/4 of passwords were deemed "weak" passwords
    1,464 passwords were "Password123"
    (source)
    @philnash

  17. Western Australia Government Security Audit
    @philnash

  18. My "best" password
    • 8 characters long
    • Numbers and letters (uppercase only)
    • Model number of my hi-fi
    @philnash

  19. I GOT HACKED
    @philnash

  20. REPETITION
    @philnash

  21. BREACHES
    @philnash

  22. @philnash

  23. HOW DO WE FIX
    THIS?
    @philnash

  24. THE GUIDELINES
    WERE WRONG
    @philnash

  25. @philnash

  26. New guidelines
    From the ACSC, the NCSC and NIST
    • At least 13 characters
    • Accept all characters
    • Don't allow insecure passwords
    • Dictionary words
    • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
    • Context specific words (e.g. username, email, app name)
    • Passwords that have been in a breach
    @philnash
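As an added example (not code from the talk or from any of the gems it mentions), here is a plain-Ruby checker that applies the rules on this slide: a 13-character minimum, no character restrictions, and rejection of dictionary words, repeated or sequential runs, and context-specific words such as the username or the user's name. The dictionary and keyboard sequences are small constructed stand-ins; a real deployment would load a proper common-password list.

```ruby
# Added example: a password policy built from the ACSC/NCSC/NIST-style
# guidelines on the slide. Not from the talk or any gem it mentions.
require "set"

class PasswordPolicy
  MIN_LENGTH = 13

  # Constructed stand-in for a real dictionary / common-password list.
  DICTIONARY = Set.new(%w[password letmein qwerty welcome dragon monkey football]).freeze

  # Runs that count as "sequential" when four or more characters follow them
  # forwards or backwards: alphabet, digits and constructed keyboard rows.
  SEQUENCES = [
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "qwertyuiop", "asdfghjkl", "zxcvbnm"
  ].freeze

  # context: username, display name, email, app name -- anything an
  # attacker can read off the account itself.
  def initialize(context: [])
    @context = context.compact.map { |c| c.to_s.downcase }
  end

  # Returns a (possibly empty) list of reasons the password is weak.
  def weak_reasons(password)
    pw = password.to_s
    reasons = []
    reasons << "must be at least #{MIN_LENGTH} characters" if pw.length < MIN_LENGTH
    reasons << "is a dictionary word" if dictionary_word?(pw)
    reasons << "contains repeated characters" if repeated?(pw)
    reasons << "contains a sequential run" if sequential?(pw)
    reasons << "contains account details" if contextual?(pw)
    reasons
  end

  def strong?(password)
    weak_reasons(password).empty?
  end

  private

  # Strip digits and symbols so "Password123!" is still seen as "password".
  def normalize(pw)
    pw.downcase.gsub(/[^a-z]/, "")
  end

  def dictionary_word?(pw)
    word = normalize(pw)
    !word.empty? && DICTIONARY.include?(word)
  end

  # Four or more of the same character in a row (e.g. "aaaa").
  def repeated?(pw)
    pw.match?(/(.)\1{3,}/)
  end

  # Any four-character window that is a forward or reverse slice of a
  # known sequence (e.g. "1234", "dcba", "qwer").
  def sequential?(pw)
    lower = pw.downcase
    return false if lower.length < 4

    (0..lower.length - 4).any? do |i|
      window = lower[i, 4]
      SEQUENCES.any? { |s| s.include?(window) || s.include?(window.reverse) }
    end
  end

  # Context words shorter than three characters are ignored to avoid
  # rejecting every password that happens to contain a user's initials.
  def contextual?(pw)
    lower = pw.downcase
    @context.any? { |c| c.length >= 3 && lower.include?(c) }
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = PasswordPolicy.new(context: ["philnash", "Phil Nash"])
  ["Password123!", "correct horse battery staple", "philnash2020xx"].each do |pw|
    puts "#{pw.inspect}: #{policy.weak_reasons(pw).inspect}"
  end
end
```

Note that the policy reports every failing rule rather than stopping at the first one, which is what a sign-up form needs in order to tell the user what to change.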

  27. IN RUBY?
    @philnash

  28. Devise
    config.password_length = 6..128
    @philnash

  29. Authlogic
    validates :password,
      confirmation: { if: require_password? },
      length: {
        minimum: 8,
        if: require_password?
      }
    @philnash

  30. Clearance
    # Nothing
    @philnash

  31. Suggestions
    validates :password, length: { minimum: 14 }
    nobspw
    strong_password
    zxcvbn
    @philnash

  32. nobspw
    pwc = NOBSPW::PasswordChecker.new password: 'philnashrules',
                                      name: 'Phil Nash',
                                      username: 'philnash',
                                      email: '[email protected]'
    pwc.strong?
    pwc.weak?
    pwc.weak_password_reasons
    @philnash

  33. zxcvbn
    test = Zxcvbn.test("philnashrules", ["philnash"])
    test.score
    test.feedback.suggestions
    @philnash

  34. DEMO
    @philnash

  35. INSECURE
    PASSWORDS?
    @philnash

  36. PWNED
    PASSWORDS
    @philnash

  37. Pwned Passwords
    572,611,621 passwords previously exposed in data breaches
    @philnash

  38. Pwned Passwords API
    ⚠ Don't worry

    @philnash

  39. Pwned Passwords API
    1. Get the SHA1 hash of the password
    2. Take the first 5 characters of the hash
    3. https://api.pwnedpasswords.com/range/#{prefix}
    4. Check if the remainder of the hash is in the result
    @philnash
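The four steps on this slide, as an added example in plain Ruby (this is not the pwned gem's code). Only the five-character SHA-1 prefix is sent to the API; the full hash never leaves the machine, which is why the slide says "don't worry". The network call is isolated behind a `fetch` argument so the matching logic can be exercised offline against a constructed response body; the suffix counts in that body are made up and do not reflect real breach figures.

```ruby
# Added example: k-anonymity range lookup against the Pwned Passwords API.
# Not the pwned gem's implementation.
require "digest"
require "net/http"
require "uri"

module PwnedRange
  API = "https://api.pwnedpasswords.com/range/".freeze

  # Constructed stand-in for a range response for prefix 5BAA6. Real
  # responses carry hundreds of "SUFFIX:COUNT" lines and different counts.
  SAMPLE_RANGE_BODY = [
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1E8AC4ABA5F1D29B5D0E0A8B7F7B1D0E6F4:1"
  ].join("\r\n").freeze

  # Steps 1 and 2: SHA-1 of the password, split into the 5-char prefix
  # that is sent and the 35-char suffix that stays local.
  def self.split_hash(password)
    sha1 = Digest::SHA1.hexdigest(password).upcase
    [sha1[0, 5], sha1[5, 35]]
  end

  # Step 3: fetch every suffix sharing our prefix. Only the prefix leaves
  # the machine, so the API cannot learn which password was checked.
  def self.fetch_range(prefix)
    res = Net::HTTP.get_response(URI(API + prefix))
    raise "Pwned Passwords API returned #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    res.body
  end

  # Step 4: scan the "SUFFIX:COUNT" lines for our suffix. Returns the
  # breach count, or 0 when the suffix is absent.
  def self.count_in_range(body, suffix)
    body.each_line do |line|
      s, count = line.strip.split(":", 2)
      next if s.nil? || count.nil?
      return count.to_i if s == suffix
    end
    0
  end

  # End-to-end check. `fetch` defaults to the live API; pass a lambda to
  # run offline (as the usage below and the example's own demo do).
  def self.pwned_count(password, fetch: method(:fetch_range))
    prefix, suffix = split_hash(password)
    count_in_range(fetch.call(prefix), suffix)
  end
end

if __FILE__ == $PROGRAM_NAME
  offline = ->(_prefix) { PwnedRange::SAMPLE_RANGE_BODY }
  ["password", "correct horse battery staple"].each do |pw|
    puts "#{pw.inspect} seen in #{PwnedRange.pwned_count(pw, fetch: offline)} breach records (sample data)"
  end
end
```

In a sign-up flow you would reject any password with a non-zero count; a network failure should be treated as "unknown" rather than "safe", so log it and fall back to the other checks instead of silently accepting the password.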

  40. PWNED GEM
    @philnash

  41. DEMO
    @philnash

  42. Pwned
    https://github.com/philnash/pwned
    devise-pwned_password
    @philnash

  43. NEXT LEVEL
    @philnash

  44. TWO FACTOR
    AUTHENTICATION
    @philnash

  45. PASSWORDS ARE
    TERRIBLE
    @philnash

  46. PASSWORD
    GUIDELINES ARE
    WORSE
    @philnash

  47. MAKE
    PASSWORDS
    LONGER
    @philnash

  48. CHECK AGAINST
    BREACHES
    AND
    DICTIONARIES
    @philnash

  49. IMPLEMENT
    TWO FACTOR
    AUTHENTICATION
    @philnash

  50. Thanks!
    @philnash
    @phil_nash
    https://philna.sh
    [email protected]

  51. Tom Carr
    @ItsMeTomC
    "Your password must contain at least 8 letters, a capital, a
    plot, a protagonist with good character development, a twist
    & a happy ending."
    11:56 PM · Oct 13, 2014
    @philnash
