Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Password Security: From Zero to Hero

Randall Degges
March 13, 2014
Programming
2
320

Password Security: From Zero to Hero

This talk walks you through the evolution of password security over the years, and also discusses the best possible methods for locking down your user passwords.

Randall Degges

March 13, 2014
Tweet

More Decks by Randall Degges

See All by Randall Degges
How to Lose 500k in 5 Minutes
rdegges
0
340
Useful Cryptography, An Introduction
rdegges
0
590
12 Factors of Pain and Suffering
rdegges
3
770
An Introduction to PASETO Tokens
rdegges
0
1.4k
JWTs Suck
rdegges
24
25k
Almost Everything You Ever Wanted to Know About Web Authentication in Python
rdegges
7
980
Almost Everything You Ever Wanted to Know About Web Authentication in Node
rdegges
13
2k
WTF Are APIs?!
rdegges
4
840
Fuck It: Let's Have Fun - Building a Top Torrents API
rdegges
2
630

Other Decks in Programming

See All in Programming
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
160
Git Lint
bkuhlmann
4
750
チーム力を高めるスクラム実践法:カンバン公開と課題攻略について - ニフティのスクラムトーク Vol. 2 - NIFTY Tech Talk #18
niftycorp
PRO
1
110
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
220
新宿ダンジョンを可視化してみた
satoshi7190
2
180
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
26
8.1k
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.3k
Elm Form Validation
bkuhlmann
0
510
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
120
try!Swift Tokyo 2024 参加報告 LT
akidon0000
1
210
Tailwind CSSを本気でカスタマイズする方法
fsubal
13
5k
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
380

Featured

See All Featured
Atom: Resistance is Futile
akmur
258
25k
Docker and Python
trallard
33
2.7k
A designer walks into a library…
pauljervisheath
199
23k
The Mythical Team-Month
searls
215
42k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2.3k
Building Applications with DynamoDB
mza
88
5.6k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.9k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k
Making Projects Easy
brettharned
108
5.5k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
273
13k
Thoughts on Productivity
jonyablonski
57
3.8k
Navigating Team Friction
lara
177
13k

Transcript

  1. Password Security From Zero to Hero! @rdegges @gostormpath

  2. Why is Password Security Important?

  3. LOVE YOUR USERS

  4. Security Samurai

  5. I’m Randall Developer Evangelist, Stormpath https://stormpath.com Python Hacker Formerly Co-Founder

    / CTO, OpenCNAM

  6. Stormpath User Management API for Developers • Authentication • User

    Profiles • Groups and Roles • Python/Flask SDK

  7. The Simplest Thing

  8. Plain Text

  9. None

  10. Who would ever do this?!

  11. http://plaintextoffenders.com

  12. One Step Up The Hash

  13. MD5 / SHA1

  14. None

  15. Brute Force

  16. None
  17. None

  18. Rainbow Tables • SHA1 • SHA256 • SHA512 • MD5

    • etc.

  19. https://crackstation.net

  20. Collisions abc123 == omgno!

  21. Moving On The Salt

  22. None

  23. The Good • Rainbow tables won’t work! • Still easy

    to brute force. • Have to store your salt in the database. The Bad

  24. Let’s talk about speed.

  25. Slower is Better

  26. bcrypt is slow

  27. scrypt is slower!

  28. But … Complexity Still Matters

  29. Quick Recap

  30. Next Up Storage

  31. ? ? ? ?

  32. None

  33. Tips for Mitigating DB Attacks

  34. Distributed Hash

  35. Encrypting Hashes

  36. Rotating Keys

  37. Summary • Use bcrypt (or scrypt, if you live on

    the edge). • Lock your server(s) down. • Encrypt output if necessary. • Prevent human access.

  38. Security is Hard, We can Help

  39. Flask-Stormpath

  40. So... • Don’t store passwords in plain text! • Check

    out Flask-Stormpath on Github: https://github. com/stormpath/stormpath-flask • If you liked this presentation, tweet us! @gostormpath

  41. You are Awesome