Password Security: From Zero to Hero

Slide 1

Slide 1 text

Password Security From Zero to Hero! @rdegges @gostormpath

Slide 2

Slide 2 text

Why is Password Security Important?

Slide 3

Slide 3 text

LOVE YOUR USERS

Slide 4

Slide 4 text

Security Samurai

Slide 5

Slide 5 text

I’m Randall Developer Evangelist, Stormpath https://stormpath.com Python Hacker Formerly Co-Founder / CTO, OpenCNAM

Slide 6

Slide 6 text

Stormpath User Management API for Developers ● Authentication ● User Profiles ● Groups and Roles ● Python/Flask SDK

Slide 7

Slide 7 text

The Simplest Thing

Slide 8

Slide 8 text

Plain Text

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

Who would ever do this?!

Slide 11

Slide 11 text

http://plaintextoffenders.com

Slide 12

Slide 12 text

One Step Up The Hash

Slide 13

Slide 13 text

MD5 / SHA1

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

Brute Force

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

Rainbow Tables ● SHA1 ● SHA256 ● SHA512 ● MD5 ● etc.

Slide 19

Slide 19 text

https://crackstation.net

Slide 20

Slide 20 text

Collisions abc123 == omgno!

Slide 21

Slide 21 text

Moving On The Salt

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

The Good ● Rainbow tables won’t work! ● Still easy to brute force. ● Have to store your salt in the database. The Bad

Slide 24

Slide 24 text

Let’s talk about speed.

Slide 25

Slide 25 text

Slower is Better

Slide 26

Slide 26 text

bcrypt is slow

Slide 27

Slide 27 text

scrypt is slower!

Slide 28

Slide 28 text

But … Complexity Still Matters

Slide 29

Slide 29 text

Quick Recap

Slide 30

Slide 30 text

Next Up Storage

Slide 31

Slide 31 text

? ? ? ?

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

Tips for Mitigating DB Attacks

Slide 34

Slide 34 text

Distributed Hash

Slide 35

Slide 35 text

Encrypting Hashes

Slide 36

Slide 36 text

Rotating Keys

Slide 37

Slide 37 text

Summary ● Use bcrypt (or scrypt, if you live on the edge). ● Lock your server(s) down. ● Encrypt output if necessary. ● Prevent human access.

Slide 38

Slide 38 text

Security is Hard, We can Help

Slide 39

Slide 39 text

Flask-Stormpath

Slide 40

Slide 40 text

So... ● Don’t store passwords in plain text! ● Check out Flask-Stormpath on Github: https://github. com/stormpath/stormpath-flask ● If you liked this presentation, tweet us! @gostormpath

Slide 41

Slide 41 text

You are Awesome