Python Password Security: From Zero to Hero

Slide 1

Slide 1 text

Password Security From Zero to Hero! @rdegges @gostormpath

Slide 2

Slide 2 text

Why is Password Security Important?

Slide 3

Slide 3 text

LOVE YOUR USERS

Slide 4

Slide 4 text

Security Samurai

Slide 5

Slide 5 text

I’m Randall Degges Developer Evangelist, Stormpath https://stormpath.com Python Hacker Formerly Co-Founder / CTO, OpenCNAM

Slide 6

Slide 6 text

Stormpath User Management API for Developers ● Authentication ● User Profiles ● Groups and Roles ● Python/Flask SDK

Slide 7

Slide 7 text

The Simplest Thing

Slide 8

Slide 8 text

"rdegges","omgmypass" "rocketspaceadmin","abc123" "liljohn","OKKAAAYYYY!" Plain Text

Slide 9

Slide 9 text

@app.route('/register', methods=['GET', 'POST']) def register(): if request.method == 'GET': return render_template('register.html') try: user = User( email = request.form.get('email'), password = request.form.get('password'), ) user.save() except: return render_template('register.html', error='Username and password required.') return redirect(url_for('dashboard'))

Slide 10

Slide 10 text

Who would ever do this?!

Slide 11

Slide 11 text

http://plaintextoffenders.com

Slide 12

Slide 12 text

One Step Up The Hash

Slide 13

Slide 13 text

"rdegges","3e3faeabbd3e98c6cedb91ad46551014" "rocketspaceadmin"," e99a18c428cb38d5f260853678922e03" "liljohn","9bc50c01de2edd2bdc488d94751b4a1e" MD5 / SHA1

Slide 14

Slide 14 text

from hashlib import md5 user = User( email = request.form.get('email'), password = md5( request.form.get('password') ).hexdigest(), )

Slide 15

Slide 15 text

Brute Force

Slide 16

Slide 16 text

from hashlib import md5 from itertools import chain, product from string import printable from sys import argv def bruteforce(length): return ( ''.join(candidate) for candidate in chain.from_iterable( product( printable, repeat = i ) for i in range(1, length + 1) ) ) for pw in bruteforce(int(argv[2])): if md5(pw).hexdigest() == argv[1]: print 'Cracked hash: %s!' % argv[1] print 'Password is: %s' % pw break

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

Also… brute! >>> from brute import brute >>> for s in brute(length=10): ... print s $ pip install brute

Slide 19

Slide 19 text

Rainbow Tables ● SHA1 ● SHA256 ● SHA512 ● MD5 ● etc.

Slide 20

Slide 20 text

https://crackstation.net

Slide 21

Slide 21 text

Collisions abc123 == omgno!

Slide 22

Slide 22 text

Moving On The Salt

Slide 23

Slide 23 text

from hashlib import sha512 from random import choice from string import printable salt = ''.join(choice(printable) for i in range (40)) user = User( email = request.form.get('email'), password = salt + '$' + sha512( salt + request.form.get('password') ).hexdigest(), )

Slide 24

Slide 24 text

The Good ● Rainbow tables won’t work! ● Still easy to brute force. ● Have to store your salt in the database. The Bad

Slide 25

Slide 25 text

Let’s talk about speed.

Slide 26

Slide 26 text

Slower is Better def hash(): for i in xrange(10000000): do_expensive_operations_that_take_a_while() return some_hash

Slide 27

Slide 27 text

Complexity is a Thing >>> hash(hash(hash(hash(hash(hash(hash(...)))))))

Slide 28

Slide 28 text

bcrypt is slow >>> from bcrypt import gensalt, hashpw >>> >>> hash = hashpw('omghi!', gensalt()) >>> if hashpw('omghi!', hash) == hash: ... print 'password valid!' ... 'password valid!'

Slide 29

Slide 29 text

scrypt is slower! >>> from scrypt import hash >>> >>> myhash = hash('mypass', 'mysalt') >>> if hash('mypass', myhash) == myhash: ... print 'password valid!' ... 'password valid!'

Slide 30

Slide 30 text

Quick Recap

Slide 31

Slide 31 text

Next Up Storage

Slide 32

Slide 32 text

sqlite> create table users (email text, password text); sqlite> .tables users sqlite> .schema users CREATE TABLE users (email text, password text); sqlite> insert into users (email, password) values ( ...> 'randall@stormpath.com', ...> 'mysalt$mypasswordhash' ...> ); sqlite> select * from users; randall@stormpath.com|mysalt$mypasswordhash ? ? ? ?

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

Tips for Mitigating DB Attacks

Slide 35

Slide 35 text

Distributed Hash

Slide 36

Slide 36 text

Encrypting Hashes

Slide 37

Slide 37 text

Rotating Keys

Slide 38

Slide 38 text

Summary ● Use bcrypt (or scrypt, if you live on the edge). ● Lock your server(s) down. ● Encrypt output if necessary. ● Prevent human access.

Slide 39

Slide 39 text

Security is Hard, We can Help

Slide 40

Slide 40 text

Flask-Stormpath @app.route('/register', methods=['GET', 'POST']) def register(): if request.method == 'GET': return render_template('register.html') try: someuser = User.create( email = request.form.get('email'), password = request.form.get('password'), ) except StormpathError, err: return render_template('register.html', error=err.message) login_user(someuser, remember=True) return redirect(url_for('dashboard'))

Slide 41

Slide 41 text

So... ● Don’t store passwords in plain text! ● Check out Flask-Stormpath on Github: https://github.com/stormpath/stormpath- flask ● If you liked this presentation, tweet me! @rdegges

Slide 42

Slide 42 text

You are Awesome 818-217-9229 rdegges.com Thanks, cars!