Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Password Security: From Zero to Hero

Randall Degges
March 13, 2014
Programming
2
330

Password Security: From Zero to Hero

This talk walks you through the evolution of password security over the years, and also discusses the best possible methods for locking down your user passwords.

Randall Degges

March 13, 2014
Tweet

More Decks by Randall Degges

See All by Randall Degges
How to Lose 500k in 5 Minutes
rdegges
0
430
Useful Cryptography, An Introduction
rdegges
0
680
12 Factors of Pain and Suffering
rdegges
3
850
An Introduction to PASETO Tokens
rdegges
0
1.6k
JWTs Suck
rdegges
24
26k
Almost Everything You Ever Wanted to Know About Web Authentication in Python
rdegges
7
1.1k
Almost Everything You Ever Wanted to Know About Web Authentication in Node
rdegges
13
2k
WTF Are APIs?!
rdegges
4
860
Fuck It: Let's Have Fun - Building a Top Torrents API
rdegges
2
650

Other Decks in Programming

See All in Programming
現場で役立つモデリング 超入門
masuda220
PRO
15
3.2k
Click-free releases & the making of a CLI app
oheyadam
2
110
イベント駆動で成長して委員会
happymana
1
320
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120
距離関数を極める! / SESSIONS 2024
gam0022
0
280
Outline View in SwiftUI
1024jp
1
320
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
190
광고 소재 심사 과정에 AI를 도입하여 광고 서비스 생산성 향상시키기
kakao
PRO
0
170
シェーダーで魅せるMapLibreの動的ラスタータイル
satoshi7190
1
480
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k
Jakarta EE meets AI
ivargrimstad
0
130
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k

Featured

See All Featured
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Adopting Sorbet at Scale
ufuk
73
9.1k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
The World Runs on Bad Software
bkeepers
PRO
65
11k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Visualization
eitanlees
145
15k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k

Transcript

  1. Password Security From Zero to Hero! @rdegges @gostormpath

  2. Why is Password Security Important?

  3. LOVE YOUR USERS

  4. Security Samurai

  5. I’m Randall Developer Evangelist, Stormpath https://stormpath.com Python Hacker Formerly Co-Founder

    / CTO, OpenCNAM

  6. Stormpath User Management API for Developers • Authentication • User

    Profiles • Groups and Roles • Python/Flask SDK

  7. The Simplest Thing

  8. Plain Text

  9. None

  10. Who would ever do this?!

  11. http://plaintextoffenders.com

  12. One Step Up The Hash

  13. MD5 / SHA1

  14. None

  15. Brute Force

  16. None
  17. None

  18. Rainbow Tables • SHA1 • SHA256 • SHA512 • MD5

    • etc.

  19. https://crackstation.net

  20. Collisions abc123 == omgno!

  21. Moving On The Salt

  22. None

  23. The Good • Rainbow tables won’t work! • Still easy

    to brute force. • Have to store your salt in the database. The Bad

  24. Let’s talk about speed.

  25. Slower is Better

  26. bcrypt is slow

  27. scrypt is slower!

  28. But … Complexity Still Matters

  29. Quick Recap

  30. Next Up Storage

  31. ? ? ? ?

  32. None

  33. Tips for Mitigating DB Attacks

  34. Distributed Hash

  35. Encrypting Hashes

  36. Rotating Keys

  37. Summary • Use bcrypt (or scrypt, if you live on

    the edge). • Lock your server(s) down. • Encrypt output if necessary. • Prevent human access.

  38. Security is Hard, We can Help

  39. Flask-Stormpath

  40. So... • Don’t store passwords in plain text! • Check

    out Flask-Stormpath on Github: https://github. com/stormpath/stormpath-flask • If you liked this presentation, tweet us! @gostormpath

  41. You are Awesome