Slide 1

Slide 1 text

OMG Crypto! Securing passwords with Django. @rdegges

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

Creating a Django User

rdegges at Randalls-MacBook-Pro in ~/Desktop/omgcrypto (omgcrypto)
○ python manage.py shell
Python 2.7.6 (default, Feb 3 2014, 10:00:57)
[GCC 4.2.1 Compatible Apple LLVM 5.0 (clang-500.2.79)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from django.contrib.auth.models import User
>>> u = User.objects.create_user('rdegges', 'r@rdegges.com', 'python<3')
>>> u.password
u'pbkdf2_sha256$12000$TpbGqZKgAx8J$tDIEbKd+lWDJW9q/xDUOlSunzu7ZNHiV6Um11ZG39ck='
>>>

Slide 4

Slide 4 text

How Django Does It

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

HOLY S@!

Slide 7

Slide 7 text

How Ninjas Do It

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

Using bcrypt with Django

rdegges at Randalls-MacBook-Pro in ~/Desktop/omgcrypto (omgcrypto)
○ pip install -U bcrypt
Downloading/unpacking bcrypt

Slide 10

Slide 10 text

Using bcrypt with Django

# settings.py
PASSWORD_HASHERS = (
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',
)

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

Password upgrading

When users log in, if their passwords are stored with anything other than the preferred algorithm, Django will automatically upgrade the algorithm to the preferred one. This means that old installs of Django will get automatically more secure as users log in, and it also means that you can switch to new (and better) storage algorithms as they get invented.

However, Django can only upgrade passwords that use algorithms mentioned in PASSWORD_HASHERS, so as you upgrade to new systems you should make sure never to remove entries from this list. If you do, users using unmentioned algorithms won't be able to upgrade.

Passwords will be upgraded when changing the PBKDF2 iteration count.

https://docs.djangoproject.com/en/dev/topics/auth/passwords/#password-upgrading
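What the encoded value on slide 3 actually contains, and how the login-time upgrade quoted above works, as an added example that is not Django's code and not part of the original slides: a standard-library re-implementation of the pbkdf2_sha256 and pbkdf2_sha1 encoded formats ("algorithm$iterations$salt$base64hash"), with an ordered PASSWORD_HASHERS-style registry whose first entry is the preferred hasher. The iteration counts, the salt generator and the check_password / must_update function names are assumptions for illustration; the bcrypt hashers from slide 10 are left out because they need the third-party bcrypt package.

```python
"""Added example: Django-style PBKDF2 encoded hashes and login-time
password upgrading, stdlib only. Hypothetical names, not Django's code."""
import base64
import hashlib
import hmac
import secrets
import string

# Ordered like settings.PASSWORD_HASHERS: the first entry is the preferred
# hasher; the others stay listed only so older stored hashes still verify
# (and can be upgraded). Assumed iteration counts for illustration.
PASSWORD_HASHERS = (
    ("pbkdf2_sha256", "sha256", 36000),
    ("pbkdf2_sha1", "sha1", 12000),
)


def _hasher(algorithm):
    """Look up (digest name, default iterations) by algorithm prefix."""
    for name, digest, iterations in PASSWORD_HASHERS:
        if name == algorithm:
            return digest, iterations
    raise ValueError(f"unknown algorithm {algorithm!r}: not in PASSWORD_HASHERS")


def make_salt(length=12):
    """Random alphanumeric salt (Django uses a 12-character salt)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def encode(password, salt, algorithm=PASSWORD_HASHERS[0][0], iterations=None):
    """Produce 'algorithm$iterations$salt$base64(PBKDF2-HMAC(password, salt))'."""
    digest, default_iterations = _hasher(algorithm)
    if iterations is None:
        iterations = default_iterations
    dk = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iterations)
    return "$".join([algorithm, str(iterations), salt,
                     base64.b64encode(dk).decode("ascii")])


def decode(encoded):
    """Split a stored value into its four '$'-separated fields."""
    algorithm, iterations, salt, hash_b64 = encoded.split("$", 3)
    return {"algorithm": algorithm, "iterations": int(iterations),
            "salt": salt, "hash": hash_b64}


def verify(password, encoded):
    """Re-derive with the stored salt/iterations and compare in constant time."""
    parts = decode(encoded)
    candidate = encode(password, parts["salt"], parts["algorithm"], parts["iterations"])
    return hmac.compare_digest(candidate.encode(), encoded.encode())


def must_update(encoded):
    """True when the stored hash is not in the preferred algorithm or its
    iteration count differs from the preferred hasher's (slide 12)."""
    parts = decode(encoded)
    preferred_algorithm, _, preferred_iterations = PASSWORD_HASHERS[0]
    return (parts["algorithm"] != preferred_algorithm
            or parts["iterations"] != preferred_iterations)


def check_password(password, encoded):
    """Login-time check. Returns (ok, stored_value): on a correct password
    whose hash is due for upgrade, stored_value is the freshly re-encoded
    hash to write back; otherwise it is the original value unchanged."""
    if not verify(password, encoded):
        return False, encoded
    if must_update(encoded):
        return True, encode(password, make_salt())
    return True, encoded


if __name__ == "__main__":
    # The value produced by the shell session on slide 3 (12000 iterations).
    slide_3_hash = ("pbkdf2_sha256$12000$TpbGqZKgAx8J$"
                    "tDIEbKd+lWDJW9q/xDUOlSunzu7ZNHiV6Um11ZG39ck=")
    print(decode(slide_3_hash))
    ok, stored = check_password("python<3", slide_3_hash)
    print(ok, stored)
```

The upgrade only happens when the plaintext password is available, that is, at login, which is why the docs say old installs get more secure "as users log in" rather than all at once. Removing an entry from the registry makes _hasher raise for every hash in that algorithm, so those users can neither log in nor be upgraded; that is the failure mode the quoted paragraph warns about.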

Slide 13

Slide 13 text

TLDR: NO

Slide 14

Slide 14 text

USE BCRYPT

Slide 15

Slide 15 text

We make security easy.
● User Account Storage
● User Profile Storage
● Data Security
● Password Reset
● Email Verification
● Social Login

Slide 16

Slide 16 text

@rdegges