Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fantastic passwords and where to find them @ WFHConf

Phil Nash
March 26, 2020
Technology
0
310

Fantastic passwords and where to find them @ WFHConf

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to help strengthen our users' passwords. We'll investigate the tools, practices and APIs that can help us in this endeavour. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:
https://haveibeenpwned.com/
https://haveibeenpwned.com/Passwords

Western Australia Government passwords: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

New passphrase requirements:
ACSC: https://www.cyber.gov.au/advice/EasyStepsGuide
NSCS: https://www.ncsc.gov.uk/collection/passwords
NIST: https://pages.nist.gov/800-63-3/sp800-63b.html

Password Validator: https://www.npmjs.com/package/password-validator
zxcvbn: https://github.com/dropbox/zxcvbn

@philnash/pwned: https://github.com/philnash/pwned.js

Other Pwned Passwords libraries:
https://www.npmjs.com/package/hibp
https://www.npmjs.com/package/pwnedpasswords
https://www.npmjs.com/package/pwned-pw

Phil Nash

March 26, 2020
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
philnash
3
310
JavaScript Apps Go Intl - GIDS Live 2021
philnash
2
170
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
philnash
1
190
Better API DX with a CLI - APIdays Jakarta
philnash
0
270
The trouble with webhooks - at Apidays Live Hong Kong
philnash
2
140
Four steps from JavaScript to TypeScript
philnash
0
330
Fantastic passwords and where to find them - at NoRuKo
philnash
36
2.5k
The trouble with webhooks - at APIdays Singapore
philnash
0
220
What's going on with Project Fugu? at DevTalks Reimagined
philnash
0
310

Other Decks in Technology

See All in Technology
開発生産性向上サービスを作るFindyが自分たちで開発生産性を爆上げした組織づくりの歩み / Findy's path to boosting its own development productivity 2024-04-17
ma3tk
3
340
オブザーバビリティの Primary Signals
onk
PRO
0
550
反実仮想機械学習とは何か
usaito
PRO
7
2.3k
KubeCon EU 2024 Recap “Kubernetes Policy Time Machine: Where to Next?”
ryysud
0
130
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
130
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
140
Databricks における 『MLOps』
databricksjapan
2
140
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
110
Tebiki株式会社 エンジニア採用資料
tebiki
0
4.1k
少数チームで挑む: SwiftUI, TCA, KMPを用いた 新規動画配信アプリ 「ABEMA Live」の開発について
tomu28
0
540
Databricks におけるデータエンジニアリング
databricksjapan
0
380
オーナーシップを持つ領域を明確にする
konifar
12
2.6k

Featured

See All Featured
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
5
1.5k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
No one is an island. Learnings from fostering a developers community.
thoeni
14
2.1k
Scaling GitHub
holman
457
140k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Statistics for Hackers
jakevdp
789
220k
How GitHub (no longer) Works
holman
304
140k
The Art of Programming - Codeland 2020
erikaheidi
41
12k
Practical Orchestrator
shlominoach
181
9.7k
We Have a Design System, Now What?
morganepeng
42
6.7k
Fontdeck: Realign not Redesign
paulrobertlloyd
76
4.9k

Transcript

  1. FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

  2. Phil Nash @philnash @phil_nash https://philna.sh [email protected]

  3. My first password: “nash” “atom” @philnash

  4. I GOT HACKED @philnash

  5. PASSWORDS ARE TERRIBLE @philnash

  6. GUIDELINES @philnash

  7. Tom Carr @ItsMeTomC "Your password must contain at least 8

    letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 3,392 11:56 PM - Oct 13, 2014 4,805 people are talking about this @philnash

  8. Guidelines • Uppercase • Lowercase • Numbers • Special characters

    @philnash

  9. password @philnash

  10. Password1! @philnash

  11. Guidelines Change passwords regularly @philnash

  12. Password123! @philnash

  13. PATTERNS @philnash

  14. Password1! @philnash

  15. ULLLLLLLDS @philnash

  16. AN EXAMPLE @philnash

  17. Western Australia Government Security Audit 234,000 passwords were assessed 1/4

    of passwords were deemed "weak" passwords 1,464 passwords were "Password123" (source) @philnash

  18. Western Australia Government Security Audit @philnash

  19. My "best" password • 8 characters long • Numbers and

    letters (uppercase only) • Model number of my hi-fi @philnash

  20. I GOT HACKED @philnash

  21. REPETITION @philnash

  22. BREACHES @philnash

  23. @philnash

  24. HOW DO WE FIX THIS? @philnash

  25. THE GUIDELINES WERE WRONG @philnash

  26. @philnash

  27. New guidelines From the ACSC, the NCSC and NIST •

    At least 13 characters • Accept all characters • Don't allow insecure passwords • Dictionary words • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) • Context specific words (e.g. username, email, app name) • Passwords that have been in a breach @philnash

  28. IN NODE.JS? @philnash

  29. Suggestions if (user.password.length < 14) { // fail } password-validator

    @philnash

  30. password-validator const schema = new passwordValidator(); schema .has().uppercase() .has().lowercase() .has().digits()

    .has().not().spaces() 01. 02. 03. 04. 05. 06. @philnash

  31. password-validator const schema = new passwordValidator(); schema .is().min(14) .is().max(255) .is().not().oneOf(['password',

    'Password123']); schema.validate('password', { list: true }); // => ['min', 'oneOf'] 01. 02. 03. 04. 05. 06. 07. @philnash

  32. Suggestions if (user.password.length < 14) { // fail } password-validator

    zxcvbn @philnash

  33. DEMO @philnash

  34. INSECURE PASSWORDS? @philnash

  35. PWNED PASSWORDS @philnash

  36. Pwned Passwords 555,278,657 passwords previously exposed in data breaches @philnash

  37. Pwned Passwords API ⚠ Don't worry ⚠ @philnash

  38. Pwned Passwords API 1. Get the SHA1 hash of the

    password 2. Take the first 5 characters of the hash 3. https://api.pwnedpasswords.com/range/#{prefix} 4. Check if the remainder of the hash is in the result @philnash

  39. Libraries • hibp • pwnedpasswords • pwned-pw • @philnash/pwned @philnash

  40. DEMO @philnash

  41. Help! @philnash/pwned https://github.com/philnash/pwned.js @philnash

  42. NEXT LEVEL @philnash

  43. TWO FACTOR AUTHENTICATION @philnash

  44. PASSWORDS ARE TERRIBLE @philnash

  45. PASSWORD GUIDELINES ARE WORSE @philnash

  46. MAKE PASSWORDS LONGER @philnash

  47. CHECK AGAINST BREACHES AND DICTIONARIES @philnash

  48. IMPLEMENT TWO FACTOR AUTHENTICATION @philnash

  49. THANKS! @philnash

  50. Thanks! @philnash @phil_nash https://philna.sh [email protected]