Slide 1

PASSWORDS! PASSWORDS! PASSWORDS!

Slide 2

Why so remedial?
▪ Gave this talk in 2016
▪ Users often struggle with this
▪ Enterprises still getting it wrong
▪ Foundational infosec knowledge

Slide 3

Appeal to authority?
▪ Does it matter?
▪ My background

Slide 4

Password Selection
▪ A fixed starting word, tweaked just enough to satisfy complexity rules:
  - “screwyou”
  - “screwyou1”
  - “Screwyou1”
  - “Screwyou1!”
▪ Recently saw “Bear1986”
▪ Anyone want to guess the user’s age?

Slide 5

No content

Slide 6

Complexity
▪ We’re chasing entropy
▪ Length creates entropy
▪ A minimum length of 9 stops 499 of the 500 most-used passwords
▪ Most people won't use special characters
▪ Attackers will customize their wordlist

Slide 7

No content

Slide 8

Password Reuse
▪ This happens lots and lots
▪ If you take away only one thing, take this
▪ Happens even within the infosec community
▪ https://haveibeenpwned.com/
▪ Unique passwords per site
▪ Same local admin account firm-wide

Slide 9

Password Storage
▪ Don’t store passwords in cleartext
▪ What is a hash?
▪ Why do we want to salt?
  - Protection against rainbow tables
▪ Updating old password hashes
▪ How does AD store passwords?
  - NTLMv2 uses unsalted MD4
  - SAMBA/source/libsmb/smbencrypt.c:nt_lm_owf_gen

Slide 10

Anatomy of a Password Hash

Slide 11

The Wrong Way

<?php
// Get this from an input form
$password = "sadkittens";
// Get stored hash from database (computed inline here for the demo)
$pwhash = md5($password);
echo "Password; $password\n";
echo "Password hash; $pwhash\n";
// Unsalted MD5 compared with strcmp: fast to crack and not constant-time
if (strcmp(md5($password), $pwhash) == 0)
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";
// proof this works
if (strcmp(md5('confusedkittens'), $pwhash) == 0)
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";

Output:
Password; sadkittens
Password hash; e0c5c1e2b1983c4c121e426843744a7e
Password is correct
Password is incorrect

Slide 12

No content

Slide 13

Still Wrong

<?php
// Get this from an input form
$password = "annoyedkittens";
// Generate an MD5-crypt ($1$) hash using a static salt shared by every user
$pwhash = crypt($password, '$1$iusesalt');
echo "Password; $password\n";
echo "Password hash; $pwhash\n";
if (hash_equals($pwhash, crypt($password, '$1$iusesalt')))
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";
// proof this works: a different salt produces a different hash
if (hash_equals($pwhash, crypt($password, '$1$wrongsalt')))
    echo "Password is correct\n";
else
    echo "Password is incorrect\n";

Output:
Password; annoyedkittens
Password hash; $1$iusesalt$J2Ll48Pfl7EgK5bN80e5P0
Password is correct
Password is incorrect

Slide 14

Modern approach

<?php
// Get this from an input form
$password = "happykittens";
// From database: a legacy MD5-crypt hash carrying its own salt
$pwhash = '$1$iusesalt$rvKFr25lYXyf2600GRfdp/';
// crypt() reads the salt out of the stored hash; hash_equals() is constant-time
if (hash_equals($pwhash, crypt($password, $pwhash))) {
    echo "Password is correct\n";
    // check if we need to update the password hash to the current default (bcrypt)
    if (password_needs_rehash($pwhash, PASSWORD_DEFAULT)) {
        $pwhash = password_hash($password, PASSWORD_DEFAULT);
        echo "Rehashed password; $pwhash\n";
    }
}
// proof this works: the upgraded hash verifies with password_verify()
if (password_verify($password, $pwhash))
    echo "Password is correct\n";

Output:
Password is correct
Rehashed password; $2y$10$YtTdgc.l1x0rP9/TN3vwTuF8wpXOeBlSc7Xu4pBWCx7T4TQcDvP62
Password is correct

Slide 15

Password Expiration

For                          Against
We get newer hashes          People will hate us
Old breaches don’t hurt us   Sticky notes everywhere
Compromised end points       Service desk calls
                             New password likely similar
                             Software implants

Slide 16

Let's talk about 2FA
▪ SMS (deprecated)
▪ OTP (one-time password)
  - hash(shared secret + truncated current time)
▪ X.509 client certificates
▪ SSH keys
▪ Challenge-response hardware token

Slide 17

Checking our own passwords
▪ Password managers starting to do this
  - chrome://settings/passwords/check
  - LastPass
▪ Azure AD password protection
▪ 3rd-party notification services
  - Security Scorecard / BitSight
  - Raidforums community
▪ Cracking our own user accounts?
  - Hashcat + cheap GPUs

Slide 18

Moving beyond passwords?
▪ The dilemma
  - New password + secure == can't remember
  - New password + can remember == not secure
▪ Can we just give up on passwords?
  - Biometrics not suitable
  - Push notifications
    - Apple
    - Facebook
    - Microsoft Office365