Slide 1

FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

Slide 2

Phil Nash @philnash @phil_nash https://philna.sh [email protected]

Slide 3

My first password: “nash” “atom”

Slide 4

I GOT HACKED

Slide 5

PASSWORDS ARE TERRIBLE

Slide 6

GUIDELINES

Slide 7

Tom Carr (@ItsMeTomC), 11:56 PM - Oct 13, 2014: "Your password must contain at least 8 letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending."

Slide 8

Guidelines

• Uppercase
• Lowercase
• Numbers
• Special characters

Slide 9

password

Slide 10

Password1!

Slide 11

Guidelines

Change passwords regularly

Slide 12

Password123!

Slide 13

PATTERNS

Slide 14

Password1!

Slide 15

ULLLLLLLDS

Slide 16

AN EXAMPLE

Slide 17

Western Australia Government Security Audit

• 234,000 passwords were assessed
• 1/4 of passwords were deemed "weak" passwords
• 1,464 passwords were "Password123"

(source)

Slide 18

Western Australia Government Security Audit

Slide 19

My "best" password

• 8 characters long
• Numbers and letters (uppercase only)
• Model number of my hi-fi

Slide 20

I GOT HACKED

Slide 21

REPETITION

Slide 22

BREACHES

Slide 23

(image-only slide)

Slide 24

HOW DO WE FIX THIS?

Slide 25

THE GUIDELINES WERE WRONG

Slide 26

(image-only slide)

Slide 27

New guidelines

From the ACSC, the NCSC and NIST

• At least 13 characters
• Accept all characters
• Don't allow insecure passwords:
  • Dictionary words
  • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
  • Context specific words (e.g. username, email, app name)
  • Passwords that have been in a breach

Slide 28

IN NODE.JS?

Slide 29

Suggestions

```js
if (user.password.length < 14) {
  // fail
}
```

password-validator

Slide 30

password-validator

```js
const passwordValidator = require('password-validator');

// A schema encoding the old character-class guidelines from slide 8.
const schema = new passwordValidator();
schema
  .has().uppercase()
  .has().lowercase()
  .has().digits()
  .has().not().spaces();
```

Slide 31

password-validator

```js
const passwordValidator = require('password-validator');

// A schema closer to the new guidelines: a length range plus a blocklist.
const schema = new passwordValidator();
schema
  .is().min(14)
  .is().max(255)
  .is().not().oneOf(['password', 'Password123']);

// With { list: true } validate() returns the names of the failed rules.
schema.validate('password', { list: true }); // => ['min', 'oneOf']
```

Slide 32

Suggestions

```js
if (user.password.length < 14) {
  // fail
}
```

password-validator

zxcvbn

Slide 33

DEMO

Slide 34

INSECURE PASSWORDS?

Slide 35

PWNED PASSWORDS

Slide 36

Pwned Passwords

555,278,657 passwords previously exposed in data breaches

Slide 37

Pwned Passwords API

⚠ Don't worry ⚠

Slide 38

Pwned Passwords API

1. Get the SHA1 hash of the password
2. Take the first 5 characters of the hash
3. https://api.pwnedpasswords.com/range/#{prefix}
4. Check if the remainder of the hash is in the result

Slide 39

Libraries

• hibp
• pwnedpasswords
• pwned-pw
• @philnash/pwned

Slide 40

DEMO

Slide 41

Help! @philnash/pwned https://github.com/philnash/pwned.js

Slide 42

NEXT LEVEL

Slide 43

TWO FACTOR AUTHENTICATION

Slide 44

PASSWORDS ARE TERRIBLE

Slide 45

PASSWORD GUIDELINES ARE WORSE

Slide 46

MAKE PASSWORDS LONGER

Slide 47

CHECK AGAINST BREACHES AND DICTIONARIES

Slide 48

IMPLEMENT TWO FACTOR AUTHENTICATION

Slide 49

THANKS!

Slide 50

Thanks! @philnash @phil_nash https://philna.sh [email protected]