
Password Security - From Zero to Hero

This is a beginner talk which explains password security (hashing, etc.).

Randall Degges

June 26, 2014

Transcript

  1. Password Security From Zero to Hero @rdegges

  2. I’m Randall Degges. Developer Evangelist, Stormpath https://stormpath.com. Pythonista. 103 GitHub projects, mostly Python.

  3. “Why should I care about password security?”

  4. Nobody teaches it :(

  5. Everyone messes it up!

  6. LOVE YOUR USERS

  7. Security Samurai YOU

  8. The Basics

  9. You need to store passwords.

  10. Plain Text
    "rdegges","omgmypass"
    "rocketspaceadmin","abc123"
    "liljohn","OKKAAAYYYY!"

  11. This sucks.

  12. If someone gets access to your database, game over.

  13. Then you have to deal with this.

  14. “But Randall, who would do that?”

  15. ...

  16. http://plaintextoffenders.com

  17. Introducing the Hash

  18. “What is a hash?”

  19. It’s basically a stupid function that converts a string into garbage.

  20. "rdegges","omgmypass"
    "rocketspaceadmin","abc123"
    "liljohn","OKKAAAYYYY!"

    hash()

    "rdegges","3e3faeabbd3e98c6cedb91ad46551014"
    "rocketspaceadmin","e99a18c428cb38d5f260853678922e03"
    "liljohn","9bc50c01de2edd2bdc488d94751b4a1e"

  21. All hashes are unique.

  22. You cannot ‘reverse’ a hash.

  23. There are lots of hashing algorithms! MD5 SHA1 SHA256 SHA512 PBKDF2 BCRYPT SCRYPT

  24. Most suck though. MD5 SHA1 SHA256 SHA512 PBKDF2 BCRYPT SCRYPT

  25. Let’s talk about why.

  26. Brute Force

  27. You basically just try every possible password.

  28. from hashlib import md5
    from itertools import chain, product
    from string import printable
    from sys import argv

    def bruteforce(length):
        # Yield every string of printable characters, 1..length chars long.
        return (
            ''.join(candidate)
            for candidate in chain.from_iterable(
                product(printable, repeat=i) for i in range(1, length + 1)
            )
        )

    # Arguments: <md5 hex digest> <max length>
    for pw in bruteforce(int(argv[2])):
        if md5(pw.encode()).hexdigest() == argv[1]:
            print('Cracked hash: %s!' % argv[1])
            print('Password is: %s' % pw)
            break

  30. brutal!
    $ pip install brute

    >>> from brute import brute
    >>> for s in brute(length=10):
    ...     print s

  31. Rainbow Tables

  32. A big ass database of passwords and hashes.

    password    | md5                              | sha1
    ------------+----------------------------------+------------------------------------------
    omgmypass   | 364a7aeccbc2b0f8b9bcf07ae0dd4748 | 8a4dd43ae7291b91f995f6d3153e926211ebae44
    abc123      | e99a18c428cb38d5f260853678922e03 | 6367c48dd193d56ea7b0baad25b19455e529f5ee
    OKKAAAYYYY! | 9bc50c01de2edd2bdc488d94751b4a1e | 9a1dc4294bbc5f6a35b5eed899386a2035a2ebde

  33. TONS of these.

  34. Collisions: what happens when two different passwords have the same password hash.

  35. Salts

  36. You basically just create a random string and prepend it to passwords to make brute forcing harder.

  37. hash(salt+pass)

  38. salt$hash(salt+pass) hash(pass)

  39. "rdegges","salt$hash" "rocketspaceadmin","salt$hash" "liljohn","salt$hash"

  40. Salts are great because attackers can’t use rainbow tables, and must brute force every password individually.

  41. Speeeeeeeeeed!

  42. Slower is better.

  43. The slower a hash function is, the longer it takes to brute force.

  44. md5(pass) ~ .1 sec; bcrypt(pass) ~ 2 sec = 20x slower

  45. bcrypt is slow “I’m slow.”

  46. >>> from bcrypt import gensalt, hashpw
    >>>
    >>> hash = hashpw(b'omghi!', gensalt())
    >>> if hashpw(b'omghi!', hash) == hash:
    ...     print('password valid!')
    ...
    password valid!

  47. bcrypt
    • Been around for a long time.
    • Very well peer reviewed.
    • Widely considered the best option for password hashing.
    • Easy to use in Python.
    • Orders of magnitude slower than almost every other hashing function (ask me more about this later).

  48. “Use bcrypt or I will be upset with you.” -Randall

  49. $ pip install bcrypt

  50. # settings.py
    PASSWORD_HASHERS = (
        'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
        'django.contrib.auth.hashers.BCryptPasswordHasher',
        'django.contrib.auth.hashers.PBKDF2PasswordHasher',
        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
        'django.contrib.auth.hashers.SHA1PasswordHasher',
        'django.contrib.auth.hashers.MD5PasswordHasher',
        'django.contrib.auth.hashers.CryptPasswordHasher',
    )

  51. Security is hard.

  52. Stormpath: User Management API for Developers
    • Authentication
    • User Profiles
    • Groups and Roles
    • Awesome Python Support
    • API Authentication
    • Social Login
    • SSO
    • Hosted Login

  53. So...
    • Store passwords with bcrypt.
    • Check out stormpath.com and play around with it! It’s awesome!
    • If you liked this talk, tweet @gostormpath.

  54. You are Awesome randall@stormpath.com @rdegges
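The following is an added example, not code from the talk or from Stormpath. It puts slides 35 through 46 into one working module: a per-password random salt, a stored record of the "salt$hash(salt+pass)" shape from slide 38 (with the iteration count added so the cost can be raised later), a constant-time verification step, and a `cost_ratio()` function that measures the fast-hash versus slow-hash gap behind slide 44. It uses PBKDF2-HMAC-SHA256 from the Python standard library rather than bcrypt so that it runs with no third-party package; the talk's recommendation is bcrypt, and the same structure applies there. The record format, the iteration count, the function names and the sample passwords are all assumptions chosen for this example.

```python
"""Salted, deliberately slow password storage (added example, not the talk's code).

PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the
module runs offline.  Record format (an assumption for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
"""
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # raise over time so one hash stays "slow" on current hardware
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a storable record for `password`.

    A fresh random salt is drawn per password, so two users with the same
    password get different records and a precomputed table of hashes is
    useless against the database (slide 40).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown algorithm or malformed record: never "valid"
    _, iterations, salt_hex, digest_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not stop at the first differing byte, so the
    # comparison time does not reveal how much of the digest matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a record was made with a weaker setting than we use now.

    Call this after a successful login and re-hash the plaintext you just
    verified, so old records get upgraded as users sign in.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def cost_ratio(iterations=ITERATIONS, samples=1000):
    """How many unsalted MD5 digests fit in the time of one slow hash.

    This is the comparison behind slide 44.  Absolute numbers depend on the
    machine; the ratio is the point.  Sample password is constructed.
    """
    pw = b"omghi!"
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.md5(pw).hexdigest()
    md5_each = max((time.perf_counter() - t0) / samples, 1e-9)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, os.urandom(SALT_BYTES), iterations)
    slow_each = time.perf_counter() - t0
    return slow_each / md5_each


if __name__ == "__main__":
    record = hash_password("omghi!")
    print(record)
    print("correct password:", verify_password("omghi!", record))
    print("wrong password:  ", verify_password("omghi", record))
    print("slow hash vs md5: %.0fx" % cost_ratio())
```

The `needs_rehash()` check is what the ordered `PASSWORD_HASHERS` tuple on slide 50 gives you for free in Django: the first entry is used for new passwords, the rest are still accepted for verification, and a record made with an older hasher is upgraded at the next successful login.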