Slide 1

Slide 1 text

PASSWORDS! PASSWORDS! PASSWORDS!

Slide 2

Slide 2 text

Why so remedial?
- Users often struggle with this
- Enterprises still getting it wrong
- Vendors still getting it wrong
- Foundational infosec knowledge
- Sticky notes are everywhere
- Most people in the room probably not the problem

Slide 3

Slide 3 text

Who am I?
- Does it matter?
- Even experts are failing at this
- Facts speak for themselves
- Atlseccon speakers shout out

Slide 4

Slide 4 text

Password Selection
- A fixed word as starting point, then fight the complexity rules:
  - “screwyou”
  - “screwyou1”
  - “Screwyou1”
  - “Screwyou1!”
- Recently saw “Bear1986”
- Anyone want to guess the user's age?

Slide 5

Slide 5 text

Complexity
- We’re chasing entropy
- Length creates entropy
- Min 9 length stops 499/500 of most used passwords
- Most people won't use special characters
- Attackers will customize their wordlist
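As an added illustration of the two slides above (not part of the original deck), the Python below scores a password two ways: the classic "8 characters, 3 of 4 classes" complexity rule, and the simple minimum-length rule the slide proposes. It also undoes the predictable mutations from the "screwyou" progression (capitalised first letter, digits and symbols bolted on the end) and checks whether what remains is a common word. The COMMON_PASSWORDS set is a constructed stand-in for the 500-entry list the slide cites; all function names are this example's own.

```python
import math
import re
import string

# Constructed stand-in for the "500 most used passwords" list the slide refers to;
# the real list is not reproduced here.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "screwyou", "bear"}

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def entropy_bits(password: str) -> float:
    """Upper bound on entropy: log2(alphabet ** length) over the classes present.
    Real entropy is far lower for dictionary-derived passwords; see is_trivial_mutation."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def meets_complexity_rule(password: str) -> bool:
    """The classic enterprise rule: at least 8 characters and 3 of the 4 classes."""
    return len(password) >= 8 and len(classes_used(password)) >= 3


def meets_length_rule(password: str, minimum: int = 9) -> bool:
    """The slide's alternative: a plain minimum length (9 by default)."""
    return len(password) >= minimum


def base_word(password: str) -> str:
    """Undo the predictable mutations from the slide: capitalised first letter,
    digits and symbols appended at the end."""
    trailing = "[" + re.escape(string.digits + string.punctuation) + "]+$"
    return re.sub(trailing, "", password).lower()


def is_trivial_mutation(password: str) -> bool:
    """True when the password is a common word plus the usual suffix tricks."""
    return base_word(password) in COMMON_PASSWORDS


def assess(password: str) -> dict:
    """Summary a password-policy check could log or return to the user."""
    return {
        "length": len(password),
        "bits": round(entropy_bits(password), 1),
        "passes_complexity": meets_complexity_rule(password),
        "passes_length9": meets_length_rule(password),
        "trivial_mutation": is_trivial_mutation(password),
    }


if __name__ == "__main__":
    for pw in ["screwyou", "screwyou1", "Screwyou1", "Screwyou1!", "Bear1986",
               "correct horse battery"]:
        print(f"{pw!r:24} {assess(pw)}")
```

Run it and the point of the slides falls out of the output: “Screwyou1!” and “Bear1986” sail through the complexity rule with a respectable-looking bit count, yet both reduce to a common word once the suffix is stripped, while a long all-lowercase phrase fails complexity, passes the length rule, and is not a mutation of anything on the list.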

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

Password reuse
- This happens lots and lots
- If you take away only one thing, take this
- Happens even within the infosec community
- https://haveibeenpwned.com/
- Unique passwords per site
- Same local admin account firm wide

Slide 8

Slide 8 text

Password Storage
- Don’t store passwords in cleartext
- What is a hash?
- Why do we want to salt?
  - Protection against rainbow tables
  - Unique per-user vs global salt
- Updating old password hashes
- How does AD store passwords?
  - NTLMv2 uses unsalted MD4
  - SAMBA/source/libsmb/smbencrypt.c:nt_lm_owf_gen

Slide 9

Slide 9 text

Anatomy of a Password Hash

Slide 10

Slide 10 text

The Wrong Way

<?php
// Get this from an input form
$password = "sadkittens";
// Get stored hash from database (simulated here by hashing the input)
$pwhash = md5($password);
echo "Password; $password\n";
echo "Password hash; $pwhash\n";
if (strcmp(md5($password), $pwhash) == 0)
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";
// proof this works
if (strcmp(md5('confusedkittens'), $pwhash) == 0)
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";

Output:
Password; sadkittens
Password hash; e0c5c1e2b1983c4c121e426843744a7e
Password is correct
Password is incorrect

Slide 11

Slide 11 text

Still Wrong

<?php
// Get this from an input form
$password = "annoyedkittens";
// Generate an md5-crypt hash, using a static salt
$pwhash = crypt($password, '$1$iusesalt');
echo "Password; $password\n";
echo "Password hash; $pwhash\n";
if (hash_equals($pwhash, crypt($password, '$1$iusesalt')))
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";
// proof this works
if (hash_equals($pwhash, crypt($password, '$1$wrongsalt')))
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";

Output:
Password; annoyedkittens
Password hash; $1$iusesalt$J2Ll48Pfl7EgK5bN80e5P0
Password is correct
Password is incorrect

Slide 12

Slide 12 text

Modern approach

<?php
// Get this from an input form
$password = "happykittens";
// From database (legacy md5-crypt record with its salt embedded)
$pwhash = '$1$iusesalt$rvKFr25lYXyf2600GRfdp/';
if (hash_equals($pwhash, crypt($password, $pwhash))) {
    echo "Password is correct\n";
    // check if we need to update the password hash
    if (password_needs_rehash($pwhash, PASSWORD_DEFAULT)) {
        $pwhash = password_hash($password, PASSWORD_DEFAULT);
        echo "Rehashed password; $pwhash\n";
    }
}
// proof this works
if (password_verify($password, $pwhash))
    echo "Password is correct\n";

Output:
Password is correct
Rehashed password; $2y$10$YtTdgc.l1x0rP9/TN3vwTuF8wpXOeBlSc7Xu4pBWCx7T4TQcDvP62
Password is correct
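To tie the Password Storage slide to the three PHP slides, here is an added Python example (not from the deck) that walks the same path in one place: it starts from a constructed legacy store of unsalted MD5 hashes like "The Wrong Way", shows why a static global salt still leaves two users with the same password sharing one hash (the "Still Wrong" case), and finishes with per-user random salts plus transparent upgrade-on-login, the role password_needs_rehash plays in the "Modern approach" slide. It uses PBKDF2-HMAC-SHA256 from the standard library rather than PHP's bcrypt; the record format, the iteration count and every function name are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumed demo value; set a production count from current guidance


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.
    With salt=None a fresh per-user salt is drawn from the OS CSPRNG."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record; constant-time compare."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """Legacy unsalted MD5 records (no '$') and records below the current
    iteration count should be upgraded; the Python analogue of password_needs_rehash."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Check the password; on success, transparently upgrade a legacy record in place."""
    record = users.get(username)
    if record is None:
        return False
    if "$" in record:
        ok = verify_password(password, record)
    else:
        # Legacy unsalted MD5 from the "Wrong Way" slide; still compare in constant time.
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), record)
    if ok and needs_rehash(record):
        users[username] = hash_password(password)  # we only have the cleartext at login time
    return ok


def legacy_store() -> Dict[str, str]:
    """Constructed legacy database: two users who happened to choose the same password."""
    return {
        "alice": hashlib.md5(b"sadkittens").hexdigest(),
        "bob": hashlib.md5(b"sadkittens").hexdigest(),
    }


if __name__ == "__main__":
    users = legacy_store()
    print("unsalted MD5, same password -> identical hashes:", users["alice"] == users["bob"])
    global_salt = b"i-use-salt-12345"  # constructed static salt, the '$1$iusesalt' mistake
    print("global salt, same password -> identical records:",
          hash_password("sadkittens", global_salt) == hash_password("sadkittens", global_salt))
    print("per-user salt, same password -> identical records:",
          hash_password("sadkittens") == hash_password("sadkittens"))
    print("alice logs in:", login(users, "alice", "sadkittens"))
    print("alice's record is now:", users["alice"][:48] + "...")
    print("bob, who has not logged in yet, is still on MD5:", "$" not in users["bob"])
```

The shared-hash checks are the rainbow-table argument in miniature: with no salt or a global salt, one precomputed table (or one cracked hash) covers every user who picked that password, while a per-user salt forces the attacker to start over for each account. The upgrade happens inside login because that is the only moment the server holds the cleartext; records for users who never return stay on the old scheme, which is why the slide lists "updating old password hashes" as its own problem.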

Slide 13

Slide 13 text

Password Transmission
- HTTPS
  - HTTPS isn’t just for login pages
  - Session cookies can be sniffed/stolen
  - Anyone remember Firesheep?
- We want to avoid session jacking
  - SessionID = MD5($username): don’t do this
  - SessionID = MD5($username + $password)
- Parliament members reuse passwords too
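An added Python example for the session-jacking bullets (not from the deck): it places the MD5($username) pattern the slide warns against next to a session id drawn from the OS CSPRNG, keeps the id-to-user mapping on the server where it belongs, and emits the cookie and HSTS headers that keep the token off plain HTTP, which is the "HTTPS isn't just for login pages" point. The store is an in-memory dict and every function name is this example's own; a real deployment would also expire and rotate sessions.

```python
import hashlib
import secrets
from typing import Dict, Optional


def weak_session_id(username: str) -> str:
    """The pattern the slide says not to use: the id is a pure function of the
    username, so it is identical on every login and anyone who knows the name
    can compute it. Kept here only so the audit check below can recognise it."""
    return hashlib.md5(username.encode()).hexdigest()


def new_session_id(nbytes: int = 32) -> str:
    """256 random bits from the OS CSPRNG, unrelated to any user attribute."""
    return secrets.token_urlsafe(nbytes)


def create_session(store: Dict[str, str], username: str) -> str:
    """The server remembers id -> user; the id itself carries no information."""
    sid = new_session_id()
    store[sid] = username
    return sid


def lookup_session(store: Dict[str, str], sid: str) -> Optional[str]:
    """Resolve a presented cookie value back to a user, or None if unknown."""
    return store.get(sid)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie attributes that keep the token off plain HTTP and away from
    page scripts: Secure (HTTPS only), HttpOnly (not readable via document.cookie),
    SameSite (not sent on cross-site requests)."""
    return f"Set-Cookie: sessionid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def hsts_header(max_age: int = 31536000) -> str:
    """HSTS makes the browser use HTTPS for the whole site, not just the login page."""
    return f"Strict-Transport-Security: max-age={max_age}; includeSubDomains"


def looks_username_derived(sid: str, username: str) -> bool:
    """Audit check for an existing app: does the issued session id equal md5(username)?"""
    return sid == weak_session_id(username)


if __name__ == "__main__":
    store: Dict[str, str] = {}
    first = create_session(store, "jzsavoie")
    second = create_session(store, "jzsavoie")
    print("random ids differ between logins:", first != second)
    print("md5(username) is the same every time:",
          weak_session_id("jzsavoie") == weak_session_id("jzsavoie"))
    print(session_cookie_header(first))
    print(hsts_header())
```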

Slide 14

Slide 14 text

Password Expiration

For:
- We get newer hashes
- Old breaches don’t hurt us
- Compromised end points

Against:
- People will hate us
- Sticky notes everywhere
- Service desk calls
- New password likely similar
- Software implants

Slide 15

Slide 15 text

My passwords!

Site         Login          Password
Twitter      jzsavoie       2j88nmzv2j88nmzv
Twitter #2   ****           Z0zLw$#qWL9@j#0kH32T
Facebook     savoiejulien   Yz1g&J^5Hv7j6067o#L7
Facebook #2  ****           W85OV67QjT@G#763W8HO
PayPal       ****           0EP9FA92j5*OLI%T24fh
Google       pathosflux     JixT9X4ppX%J70u351^U
Google #2    ****           17736KQvCx8q6Avkh!ag
RiseUp       ****           oq2rr12e5nvstq41n0zg3izm

Slide 16

Slide 16 text

But it doesn’t matter
- Two factor is cheap
  - SMS
  - Secure code generator app
  - x509 client certificates
  - YubiKey / RSA SecurID
  - SSH user keys
- Use a password manager
- Make your friends/family use one