Pro Yearly is on sale from $80 to $50! »

Fantastic passwords and where to find them - at NoRuKo

8ec1383b240b5ba15ffb9743fceb3c0e?s=47 Phil Nash
August 21, 2020

Fantastic passwords and where to find them - at NoRuKo

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to strengthen our users' passwords. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:

How to Encourage Stronger Passwords: P1e@$e $t0p Using Bad Rules: https://www.twilio.com/blog/2018/05/encourage-stronger-passwords-stop-using-bad-password-rules.html
Better passwords in Ruby applications with the Pwned Passwords API:
https://www.twilio.com/blog/2018/03/better-passwords-in-ruby-applications-pwned-passwords-api.html
Round up: Libraries for checking Pwned Passwords in your 7 favorite languages: https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

Gems:

No BS Password checker: https://github.com/cmer/nobspw
zxcvbn-js: https://github.com/envato/zxcvbn
strong_password: https://github.com/bdmac/strong_password

Pwned: https://github.com/philnash/pwned
devise-pwned_password: https://github.com/michaelbanfield/devise-pwned_password

8ec1383b240b5ba15ffb9743fceb3c0e?s=128

Phil Nash

August 21, 2020
Tweet

Transcript

  1. FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

  2. Phil Nash @philnash @phil_nash https://philna.sh philnash@twilio.com

  3. My first password: “nash” “atom” @philnash

  4. I GOT HACKED @philnash

  5. PASSWORDS ARE TERRIBLE @philnash

  6. GUIDELINES @philnash

  7. Guidelines • Uppercase • Lowercase • Numbers • Special characters

    @philnash
  8. password @philnash

  9. Password1! @philnash

  10. Guidelines Change passwords regularly @philnash

  11. Password123! @philnash

  12. PATTERNS @philnash

  13. Password1! @philnash

  14. ULLLLLLLDS @philnash

  15. AN EXAMPLE @philnash

  16. Western Australia Government Security Audit 234,000 passwords were assessed 1/4

    of passwords were deemed "weak" passwords 1,464 passwords were "Password123" (source) @philnash
  17. Western Australia Government Security Audit @philnash

  18. My "best" password • 8 characters long • Numbers and

    letters (uppercase only) • Model number of my hi-fi @philnash
  19. I GOT HACKED @philnash

  20. REPETITION @philnash

  21. BREACHES @philnash

  22. @philnash

  23. HOW DO WE FIX THIS? @philnash

  24. THE GUIDELINES WERE WRONG @philnash

  25. @philnash

  26. New guidelines From the ACSC, the NCSC and NIST •

    At least 13 characters • Accept all characters • Don't allow insecure passwords • Dictionary words • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) • Context specific words (e.g. username, email, app name) • Passwords that have been in a breach @philnash
  27. IN RUBY? @philnash

  28. Devise config.password_length = 6..128 @philnash

  29. Authlogic validates :password, confirmation: { if: require_password? }, length: {

    minimum: 8, if: require_password? } 01. 02. 03. 04. 05. 06. @philnash
  30. Clearance # Nothing @philnash

  31. Suggestions validates :password, length: { minimum: 14 } nobspw strong_password

    zxcvbn @philnash
  32. nobspw pwc = NOBSPW::PasswordChecker.new password: 'philnashrules', name: 'Phil Nash', username:

    'philnash', email: 'philnash@twilio.com' pwc.strong? pwc.weak? pwd.weak_password_reasons 01. 02. 03. 04. 05. 06. 07. @philnash
  33. zxcvbn test = Zxcvbn.test("philnashrules", ["philnash"]) test.score test.feedback.suggestions 01. 02. 03.

    @philnash
  34. DEMO @philnash

  35. INSECURE PASSWORDS? @philnash

  36. PWNED PASSWORDS @philnash

  37. Pwned Passwords 572,611,621 passwords previously exposed in data breaches @philnash

  38. Pwned Passwords API ⚠ Don't worry ⚠ @philnash

  39. Pwned Passwords API 1. Get the SHA1 hash of the

    password 2. Take the first 5 characters of the hash 3. https://api.pwnedpasswords.com/range/#{prefix} 4. Check if the remainder of the hash is in the result @philnash
  40. PWNED GEM @philnash

  41. DEMO @philnash

  42. Pwned https://github.com/philnash/pwned devise-pwned_password @philnash

  43. NEXT LEVEL @philnash

  44. TWO FACTOR AUTHENTICATION @philnash

  45. PASSWORDS ARE TERRIBLE @philnash

  46. PASSWORD GUIDELINES ARE WORSE @philnash

  47. MAKE PASSWORDS LONGER @philnash

  48. CHECK AGAINST BREACHES AND DICTIONARIES @philnash

  49. IMPLEMENT TWO FACTOR AUTHENTICATION @philnash

  50. Thanks! @philnash @phil_nash https://philna.sh philnash@twilio.com

  51. Tom Carr @ItsMeTomC "Your password must contain at least 8

    letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 1156 PM · Oct 13, 2014 3.3K 4.7K people are Tweeting about this @philnash