Fantastic passwords and where to find them @ WFHConf

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to help strengthen our users' passwords. We'll investigate the tools, practices and APIs that can help us in this endeavour. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:
https://haveibeenpwned.com/
https://haveibeenpwned.com/Passwords

Western Australia Government passwords: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

New passphrase requirements:
ACSC: https://www.cyber.gov.au/advice/EasyStepsGuide
NCSC: https://www.ncsc.gov.uk/collection/passwords
NIST: https://pages.nist.gov/800-63-3/sp800-63b.html

Password Validator: https://www.npmjs.com/package/password-validator
zxcvbn: https://github.com/dropbox/zxcvbn

@philnash/pwned: https://github.com/philnash/pwned.js

Other Pwned Passwords libraries:
https://www.npmjs.com/package/hibp
https://www.npmjs.com/package/pwnedpasswords
https://www.npmjs.com/package/pwned-pw

Phil Nash

March 26, 2020

Transcript

  1. FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

  2. Phil Nash @philnash @phil_nash https://philna.sh philnash@twilio.com

  3. My first password: “nash” “atom”

  4. I GOT HACKED

  5. PASSWORDS ARE TERRIBLE

  6. GUIDELINES

  7. Tom Carr (@ItsMeTomC), Oct 13, 2014: "Your password must contain at least 8 letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending."

  8. Guidelines • Uppercase • Lowercase • Numbers • Special characters

  9. password

  10. Password1!

  11. Guidelines: Change passwords regularly

  12. Password123!

  13. PATTERNS

  14. Password1!

  15. ULLLLLLLDS

  16. AN EXAMPLE

  17. Western Australia Government Security Audit • 234,000 passwords were assessed • 1/4 of passwords were deemed "weak" passwords • 1,464 passwords were "Password123"

  18. Western Australia Government Security Audit

  19. My "best" password • 8 characters long • Numbers and letters (uppercase only) • Model number of my hi-fi

  20. I GOT HACKED

  21. REPETITION

  22. BREACHES

  24. HOW DO WE FIX THIS?

  25. THE GUIDELINES WERE WRONG

  27. New guidelines (from the ACSC, the NCSC and NIST)
    • At least 13 characters
    • Accept all characters
    • Don't allow insecure passwords:
      • Dictionary words
      • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
      • Context-specific words (e.g. username, email, app name)
      • Passwords that have been in a breach
  28. IN NODE.JS?

  29. Suggestions
    // a plain length check (user is whatever holds the submitted credentials)
    if (user.password.length < 14) {
      // fail
    }
    password-validator

  30. password-validator
    const passwordValidator = require('password-validator');

    // character-class rules
    const schema = new passwordValidator();
    schema
      .has().uppercase()
      .has().lowercase()
      .has().digits()
      .has().not().spaces();

  31. password-validator
    const passwordValidator = require('password-validator');

    // length bounds plus a blocklist
    const schema = new passwordValidator();
    schema
      .is().min(14)
      .is().max(255)
      .is().not().oneOf(['password', 'Password123']);

    // with { list: true } validate() returns the names of the failed rules
    schema.validate('password', { list: true }); // => ['min', 'oneOf']

  32. Suggestions
    if (user.password.length < 14) {
      // fail
    }
    password-validator
    zxcvbn

  33. DEMO
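The DEMO slide carries no code on this page. As an added example, not code from the talk or from password-validator, here is a dependency-free Node.js checker for the rules on the "New guidelines" slide: a minimum length (the talk's 14), no character-class requirements, and rejection of dictionary words, repeated or sequential characters and context-specific words. Breach checking is the separate Pwned Passwords step later in the deck. The rule names, the blocklist contents, the run length of 4 and the `validatePassword(pw, context)` signature are assumptions made for this example.

```javascript
// Added example (not code from the talk or from password-validator): a
// dependency-free checker for the "New guidelines" slide. Returns the names
// of the failed rules, in the same shape as password-validator's
// validate(pw, { list: true }). Rule names and thresholds are assumptions.

const MIN_LENGTH = 14;   // the talk's suggested minimum (slide 29)
const MAX_LENGTH = 255;  // generous upper bound; anything within it is accepted
const SEQUENCE_RUN = 4;  // 'aaaa' or 'abcd' / '4321' counts as a run (assumed threshold)

// Constructed stand-in for a dictionary / common-password list. A real
// deployment would load a proper list; breach checking is a separate step.
const BLOCKLIST = new Set(['password', 'qwerty', 'letmein', 'welcome', 'iloveyou']);

// Reduce the classic "password" -> "Password1!" -> "Password123!" pattern
// (slides 9-12) back to its base word before the dictionary lookup.
function normalise(pw) {
  return pw.toLowerCase().replace(/[^a-z]+$/, '');
}

// Repeated characters ('aaaa') or runs of consecutive code points in either
// direction ('1234', 'abcd', 'dcba'). Keyboard walks such as 'qwerty' are
// not detected here and are left to the blocklist.
function hasRepeatedOrSequential(pw, run = SEQUENCE_RUN) {
  const s = pw.toLowerCase();
  if (new RegExp(`(.)\\1{${run - 1},}`).test(s)) return true;
  for (let i = 0; i + run <= s.length; i++) {
    let ascending = true;
    let descending = true;
    for (let j = 1; j < run; j++) {
      const step = s.charCodeAt(i + j) - s.charCodeAt(i + j - 1);
      if (step !== 1) ascending = false;
      if (step !== -1) descending = false;
    }
    if (ascending || descending) return true;
  }
  return false;
}

// Context-specific words: the username, the local part and first domain label
// of the email address, and the application name. Words shorter than three
// characters are ignored so a two-letter username cannot veto everything.
function containsContextWord(pw, context) {
  const words = [context.username, context.appName];
  if (context.email) {
    const [local, domain = ''] = context.email.split('@');
    words.push(local, domain.split('.')[0]);
  }
  const lower = pw.toLowerCase();
  return words
    .filter((w) => typeof w === 'string' && w.length >= 3)
    .some((w) => lower.includes(w.toLowerCase()));
}

function validatePassword(pw, context = {}) {
  const failed = [];
  // Count code points, not UTF-16 units, so emoji and non-Latin text count fairly.
  const length = Array.from(pw).length;
  if (length < MIN_LENGTH) failed.push('min');
  if (length > MAX_LENGTH) failed.push('max');
  // "Accept all characters": there is deliberately no character-class rule here.
  if (BLOCKLIST.has(normalise(pw))) failed.push('dictionary');
  if (hasRepeatedOrSequential(pw)) failed.push('sequence');
  if (containsContextWord(pw, context)) failed.push('context');
  return failed;
}

// Usage: the context object carries whatever the signup form knows about the user.
const signupContext = { username: 'philnash', email: 'philnash@twilio.com', appName: 'WFHConf' };
console.log(validatePassword('Password123!', signupContext));                 // ['min', 'dictionary']
console.log(validatePassword('correct horse battery staple', signupContext));  // []
```

The result is a list rather than a boolean so the form can tell the user which rule tripped; "Password123!" fails on length and on the dictionary lookup once its trailing digits and symbol are stripped, while the xkcd passphrase passes every rule.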

  34. INSECURE PASSWORDS?

  35. PWNED PASSWORDS

  36. Pwned Passwords: 555,278,657 passwords previously exposed in data breaches

  37. Pwned Passwords API ⚠ Don't worry ⚠

  38. Pwned Passwords API
    1. Get the SHA1 hash of the password
    2. Take the first 5 characters of the hash
    3. https://api.pwnedpasswords.com/range/#{prefix}
    4. Check if the remainder of the hash is in the result

  39. Libraries • hibp • pwnedpasswords • pwned-pw • @philnash/pwned

  40. DEMO

  41. Help! @philnash/pwned https://github.com/philnash/pwned.js

  42. NEXT LEVEL

  43. TWO FACTOR AUTHENTICATION

  44. PASSWORDS ARE TERRIBLE

  45. PASSWORD GUIDELINES ARE WORSE

  46. MAKE PASSWORDS LONGER

  47. CHECK AGAINST BREACHES AND DICTIONARIES

  48. IMPLEMENT TWO FACTOR AUTHENTICATION

  49. THANKS!

  50. Thanks! @philnash @phil_nash https://philna.sh philnash@twilio.com