Passwords
and how to handle them
Christopher Riley
PHP North West, 2016
Introduction
6 Rules of password storage
Rule 1
We must protect passwords not just for our own service's security
but for the security of all internet services. Users reuse passwords,
and in an ever more connected internet the value of a single
password keeps increasing.
Rule 2
We must not store plain-text passwords, because databases have a
habit of falling into the wrong hands.
Rule 3
We must not use reversible encryption, because the key has to be
available to the application at all times, and so it has a habit of
falling into the same wrong hands at the same time as the database.
Rule 4
We must not simply hash the passwords. With a plain, unsalted hash,
every identical password hashes to the same value, so one precomputed
table or one correct guess cracks every account sharing that password,
and the attacker's work to recover the passwords is greatly reduced.
Rule 5
We must not use a hash that was intentionally built for speed, such
as MD5, SHA-1 or SHA-2. Dedicated hardware and GPUs can calculate
billions to trillions of these hashes per second, so recovery of the
passwords by an attacker is inevitable.
Rule 6
We must use a hashing algorithm designed for password storage, such
as PBKDF2, bcrypt or Argon2i, with cost parameters tuned so that one
hash is expensive for an attacker yet still acceptable at login, and
raised over time as hardware gets faster.
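As an added example (not part of the original slides), the following code shows Rules 4 to 6 side by side: an unsalted hash that collides for two users with the same password, a salted PBKDF2-HMAC-SHA256 hash with its parameters stored alongside it, constant-time verification, and a check for raising the cost later. It is written in Python rather than PHP so that it runs stand-alone; the storage string layout, the user data and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Constructed sample data: two users who happened to choose the same password.
USERS = {"alice": "Summer2016!", "bob": "Summer2016!"}

# Assumed policy for this example: PBKDF2-HMAC-SHA256 with this many iterations.
DEFAULT_ITERATIONS = 200_000


def naive_hash(password: str) -> str:
    """Rule 4 anti-pattern: a bare, unsalted SHA-256.

    Identical passwords give identical hashes, so one precomputed table
    (or one correct guess) cracks every account sharing that password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def count_identical_hashes(hashes: Iterable[str]) -> int:
    """How many stored hashes duplicate another hash in the set."""
    hashes = list(hashes)
    return len(hashes) - len(set(hashes))


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> str:
    """Rule 6: a random per-user salt plus a deliberately slow KDF.

    Storage string layout (an assumption for this example, not a standard):
        pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
    Keeping the parameters next to the hash lets the cost be raised later.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unrecognised password hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, min_iterations: int) -> bool:
    """Cost parameters must rise as hardware gets faster (Rule 5).

    Call this after a successful login and store the password again with
    the current policy if it returns True.
    """
    return int(stored.split("$")[1]) < min_iterations


def seconds_per_hash(hash_fn, password: str = "Summer2016!") -> float:
    """Rough wall-clock cost of one hash; the KDF should be far slower."""
    start = time.perf_counter()
    hash_fn(password)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Rule 4: the unsalted hashes of alice and bob collide.
    naive = {u: naive_hash(p) for u, p in USERS.items()}
    print("identical unsalted hashes:", count_identical_hashes(naive.values()))

    # Rule 6: salted PBKDF2 hashes of the same password do not collide,
    # and each user's password still verifies against their own record.
    stored = {u: pbkdf2_hash(p) for u, p in USERS.items()}
    print("identical PBKDF2 hashes:", count_identical_hashes(stored.values()))
    print("alice verifies:", pbkdf2_verify("Summer2016!", stored["alice"]))
    print("wrong password:", pbkdf2_verify("summer2016!", stored["alice"]))

    # Rule 5: compare the cost of one fast hash with one slow one.
    print("SHA-256 seconds:", seconds_per_hash(naive_hash))
    print("PBKDF2 seconds :", seconds_per_hash(pbkdf2_hash))
    print("needs rehash at 300k:", needs_rehash(stored["alice"], 300_000))
```

In a PHP application the same pattern is already packaged as `password_hash()`, `password_verify()` and `password_needs_rehash()` with `PASSWORD_BCRYPT` and a `cost` option, which is the route to take rather than hand-rolling the KDF as done above for illustration.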