Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fantastic passwords and where to find them - at NoRuKo

Phil Nash
August 21, 2020

Fantastic passwords and where to find them - at NoRuKo

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to strengthen our users' passwords. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:

How to Encourage Stronger Passwords: P1e@$e $t0p Using Bad Rules: https://www.twilio.com/blog/2018/05/encourage-stronger-passwords-stop-using-bad-password-rules.html
Better passwords in Ruby applications with the Pwned Passwords API:
https://www.twilio.com/blog/2018/03/better-passwords-in-ruby-applications-pwned-passwords-api.html
Round up: Libraries for checking Pwned Passwords in your 7 favorite languages: https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

Gems:

No BS Password checker: https://github.com/cmer/nobspw
zxcvbn-js: https://github.com/envato/zxcvbn
strong_password: https://github.com/bdmac/strong_password

Pwned: https://github.com/philnash/pwned
devise-pwned_password: https://github.com/michaelbanfield/devise-pwned_password

Phil Nash

August 21, 2020
Tweet

More Decks by Phil Nash

Other Decks in Programming

Transcript

  1. Western Australia Government Security Audit 234,000 passwords were assessed 1/4

    of passwords were deemed "weak" passwords 1,464 passwords were "Password123" (source) @philnash
  2. My "best" password • 8 characters long • Numbers and

    letters (uppercase only) • Model number of my hi-fi @philnash
  3. New guidelines From the ACSC, the NCSC and NIST •

    At least 13 characters • Accept all characters • Don't allow insecure passwords • Dictionary words • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) • Context specific words (e.g. username, email, app name) • Passwords that have been in a breach @philnash
  4. Authlogic validates :password, confirmation: { if: require_password? }, length: {

    minimum: 8, if: require_password? } 01. 02. 03. 04. 05. 06. @philnash
  5. nobspw pwc = NOBSPW::PasswordChecker.new password: 'philnashrules', name: 'Phil Nash', username:

    'philnash', email: '[email protected]' pwc.strong? pwc.weak? pwd.weak_password_reasons 01. 02. 03. 04. 05. 06. 07. @philnash
  6. Pwned Passwords API 1. Get the SHA1 hash of the

    password 2. Take the first 5 characters of the hash 3. https://api.pwnedpasswords.com/range/#{prefix} 4. Check if the remainder of the hash is in the result @philnash
  7. Tom Carr @ItsMeTomC "Your password must contain at least 8

    letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 1156 PM · Oct 13, 2014 3.3K 4.7K people are Tweeting about this @philnash