Slide 1

FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

Slide 2

Phil Nash @philnash http://philna.sh [email protected]

Slide 3

My first password: “nash” “atom”

Slide 4

I GOT HACKED

Slide 5

PASSWORDS ARE TERRIBLE

Slide 6

GUIDELINES

Slide 7

Tom Carr @ItsMeTomC: "Your password must contain at least 8 letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 11:56 PM - Oct 13, 2014

Slide 8

Guidelines

• Uppercase
• Lowercase
• Numbers
• Special characters

Slide 9

password

Slide 10

Password1!

Slide 11

Guidelines

Change passwords regularly

Slide 12

Password123!

Slide 13

PATTERNS

Slide 14

Western Australia Government Security Audit

• 234,000 passwords were assessed
• 1/4 of passwords were deemed "weak" passwords
• 1,464 passwords were "Password123"

(source)

Slide 15

Western Australia Government Security Audit

Slide 16

My "best" password

• 8 characters long
• Numbers and letters (uppercase only)
• Model number of my hi-fi

Slide 17

No content

Slide 18

No content

Slide 19

I GOT HACKED

Slide 20

REPETITION

Slide 21

BREACHES

Slide 22

No content

Slide 23

HOW DO WE FIX THIS?

Slide 24

THE GUIDELINES WERE WRONG

Slide 25

No content

Slide 26

New guidelines

From the ACSC, the NCSC and NIST

• At least 13 characters
• Accept all characters
• Don't allow insecure passwords:
  • Dictionary words
  • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
  • Context specific words (e.g. username, email, app name)
  • Passwords that have been in a breach

Slide 27

IN RUBY?

Slide 28

Devise

    config.password_length = 6..128

Slide 29

Authlogic

    validates :password,
      confirmation: { if: :require_password? },
      length: { minimum: 8, if: :require_password? }

Slide 30

Clearance

    # Nothing

Slide 31

Avoid: devise_security_extension password_strength

Slide 32

Suggestions

    validates :password, length: { minimum: 14 }

• nobspw
• zxcvbn-js
• strong_password
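Added example, not code from the talk or from any of the gems it names. It turns the "don't allow insecure passwords" list on slide 26 and the custom-validation suggestion above into a plain-Ruby policy class with no Rails dependency, so it can be dropped behind any of the frameworks mentioned. The wordlist, the run length of 4, the 13-character minimum taken from the slide, and all method names are assumptions made for the example.

```ruby
require 'set'

# Added example, not code from the talk or from any of the gems it names.
# Encodes the guideline checks: minimum length, dictionary words, repeated or
# sequential characters, and context-specific words. Wordlist, thresholds and
# method names are assumptions for illustration.
class PasswordPolicy
  MIN_LENGTH = 13

  # Constructed mini wordlist; a real deployment loads a large dictionary.
  DICTIONARY = Set.new(%w[password letmein welcome monkey dragon qwerty football]).freeze

  # Ordered sequences used to catch runs such as '1234', 'abcd' or 'qwer'.
  SEQUENCES = %w[abcdefghijklmnopqrstuvwxyz 0123456789 qwertyuiop asdfghjkl zxcvbnm].freeze

  def initialize(min_length: MIN_LENGTH, dictionary: DICTIONARY, run_length: 4)
    @min_length = min_length
    @dictionary = dictionary
    @run_length = run_length
  end

  # Every rule the password breaks, as symbols; an empty array means it is accepted.
  # context: strings the password must not contain (username, email, app name).
  def violations(password, context: [])
    v = []
    v << :too_short             if password.length < @min_length
    v << :dictionary_word       if dictionary_word?(password)
    v << :repeated_characters   if repeated?(password)
    v << :sequential_characters if sequential?(password)
    v << :context_specific      if context_specific?(password, context)
    v
  end

  def valid?(password, context: [])
    violations(password, context: context).empty?
  end

  private

  # Case-insensitive match of the whole password, and of the password with digits and
  # symbols stripped, so 'Password123!' is still caught by the entry 'password'.
  def dictionary_word?(password)
    lower = password.downcase
    @dictionary.include?(lower) || @dictionary.include?(lower.gsub(/[^a-z]/, ''))
  end

  # 'aaaa': any single character repeated run_length or more times in a row.
  def repeated?(password)
    password.match?(/(.)\1{#{@run_length - 1},}/)
  end

  # '1234' / 'abcd' / 'dcba': any run_length-long window of a known sequence, either direction.
  def sequential?(password)
    lower = password.downcase
    SEQUENCES.flat_map { |s| [s, s.reverse] }.any? do |seq|
      (0..seq.length - @run_length).any? { |i| lower.include?(seq[i, @run_length]) }
    end
  end

  # Reject the username, the local part of the email, the app name, and so on,
  # ignoring fragments too short to be meaningful.
  def context_specific?(password, context)
    lower = password.downcase
    context.compact
           .flat_map { |c| [c.to_s, c.to_s.split('@').first] }
           .compact
           .map(&:downcase)
           .reject { |c| c.length < 3 }
           .any? { |c| lower.include?(c) }
  end
end
```

Returning the list of violations rather than a single boolean lets the sign-up form tell the user which rule they hit; the breach check from slide 38 is the one rule this class deliberately leaves out, since it needs a network call.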

Slide 33

DEMO

Slide 34

INSECURE PASSWORDS?

Slide 35

PWNED PASSWORDS

Slide 36

Pwned Passwords

517,238,891 passwords previously exposed in data breaches

Slide 37

Pwned Passwords API

⚠ Don't worry ⚠

Slide 38

Pwned Passwords API

1. Get the SHA1 hash of the password
2. Take the first 5 characters of the hash
3. GET https://api.pwnedpasswords.com/range/#{prefix}
4. Check if the remainder of the hash is in the result
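Added example of the four steps above, written for this page rather than taken from the talk or from the pwned gem. Only the 5-character hash prefix leaves the machine (the point of the "Don't worry" slide); the remaining 35 characters are compared locally against the lines the API returns. The HTTP fetcher is injectable so the logic can be run offline against a constructed response; the class name, the fetcher interface and the sample response body (including its counts) are assumptions made for the example.

```ruby
require 'digest'
require 'net/http'
require 'uri'

# Added example, not the pwned gem's code. Implements the k-anonymity lookup:
# SHA1 the password, send the first 5 hex characters, compare the remaining
# 35 against the returned "SUFFIX:COUNT" lines. fetch_range is any callable
# taking the prefix and returning the response body as text.
class PwnedPasswordCheck
  RANGE_URL = 'https://api.pwnedpasswords.com/range/'.freeze

  def initialize(fetch_range = method(:http_fetch))
    @fetch_range = fetch_range
  end

  # Split the upper-case hex SHA1 into the prefix that is sent and the suffix that is not.
  def self.split_hash(password)
    sha1 = Digest::SHA1.hexdigest(password).upcase
    [sha1[0, 5], sha1[5, 35]]
  end

  # How many times the password has appeared in breaches; 0 means not found.
  def pwned_count(password)
    prefix, suffix = self.class.split_hash(password)
    body = @fetch_range.call(prefix)
    body.each_line do |line|
      candidate, count = line.strip.split(':', 2)
      return count.to_i if candidate == suffix
    end
    0
  end

  def pwned?(password)
    pwned_count(password).positive?
  end

  private

  # Default fetcher: a real HTTPS GET of the range. Raises on any non-2xx reply so the
  # caller decides whether to fail open or closed.
  def http_fetch(prefix)
    res = Net::HTTP.get_response(URI(RANGE_URL + prefix))
    raise "range lookup failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    res.body
  end
end

# Constructed sample of a range response for prefix 5BAA6 (SHA1("password") begins 5BAA61E4).
# The real response has hundreds of lines; these three, and their counts, are made up.
SAMPLE_RANGE_5BAA6 = <<~BODY
  1E2F7DB7B4A8A7B0A0E6B2C8D1E3F4A5B6C:2
  1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804
  1F0A3B4C5D6E7F8091A2B3C4D5E6F708192:1
BODY

# Offline checker that answers from the constructed sample instead of the network.
OFFLINE_CHECK = PwnedPasswordCheck.new(->(prefix) { prefix == '5BAA6' ? SAMPLE_RANGE_5BAA6 : '' })

if __FILE__ == $PROGRAM_NAME
  puts "password seen #{OFFLINE_CHECK.pwned_count('password')} times"
  puts "correct horse battery staple pwned? #{OFFLINE_CHECK.pwned?('correct horse battery staple')}"
end
```

What to do when the range request fails (timeout, rate limit, outage) is a policy decision: failing closed blocks every sign-up until the API is back, failing open lets a breached password through; whichever is chosen, the failure should be logged so the gap is visible. Hash the password with SHA1 for this lookup only; the stored credential still needs a proper password hash such as the one Devise, Authlogic and Clearance already use.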

Slide 39

PWNED GEM

Slide 40

DEMO

Slide 41

Pwned

https://github.com/philnash/pwned

devise-pwned_password

Slide 42

PASSWORDS ARE TERRIBLE

Slide 43

PASSWORD GUIDELINES ARE WORSE

Slide 44

MAKE PASSWORDS LONGER

Slide 45

CHECK AGAINST BREACHES AND DICTIONARIES

Slide 46

IMPLEMENT TWO FACTOR AUTHENTICATION

Slide 47

THANKS!

Slide 48

QUESTIONS OR BAD PASSWORD JOKES

Slide 49

Thanks! @philnash http://philna.sh [email protected]