Password Security - From Zero to Hero

Transcript

1. Password Security From Zero to Hero @rdegges

2. I’m Randall Degges Developer Evangelist, Stormpath https://stormpath.com Pythonista 103 github

   projects, mostly python

3. “Why should I care about password security?”

4. Nobody teaches it :(

5. Everyone messes it up!

6. LOVE YOUR USERS

7. Security Samurai YOU

8. The Basics

9. You need to store passwords.

10. Plain Text "rdegges","omgmypass" "rocketspaceadmin","abc123" "liljohn","OKKAAAYYYY!"

11. This sucks.

12. If someone gets access to your database, game over.

13. Then you have to deal with this.

14. “But Randall, who would do that?”

15. ...

16. http://plaintextoffenders.com

17. Introducing the Hash

18. “What is a hash?”

19. It’s basically a stupid function that converts a string into

    garbage.

20. "rdegges","omgmypass" "rocketspaceadmin","abc123" "liljohn","OKKAAAYYYY!" "rdegges","3e3faeabbd3e98c6cedb91ad46551014" "rocketspaceadmin","e99a18c428cb38d5f260853678922e03" "liljohn","9bc50c01de2edd2bdc488d94751b4a1e" hash()

21. All hashes are unique.

22. You cannot ‘reverse’ a hash.

23. There are lots of hashing algorithms! MD5 SHA1 SHA256 SHA512

    PBKDF2 BCRYPT SCRYPT

24. Most suck though. MD5 SHA1 SHA256 SHA512 PBKDF2 BCRYPT SCRYPT

25. Let’s talk about why.

26. Brute Force

27. You basically just try every possible password.

28. from hashlib import md5 from itertools import chain, product from

    string import printable from sys import argv def bruteforce(length): return ( ''.join(candidate) for candidate in chain.from_iterable( product( printable, repeat = i ) for i in range(1, length + 1) ) ) for pw in bruteforce(int(argv[2])): if md5(pw).hexdigest() == argv[1]: print 'Cracked hash: %s!' % argv[1] print 'Password is: %s' % pw break
29. None

30. brutal! >>> from brute import brute >>> for s in

    brute(length=10): ... print s $ pip install brute

31. Rainbow Tables

32. password | md5 | sha1 -------------+----------------------------------+------------------------------------------ omgmypass | 364a7aeccbc2b0f8b9bcf07ae0dd4748 |

    8a4dd43ae7291b91f995f6d3153e926211ebae44 abc123 | e99a18c428cb38d5f260853678922e03 | 6367c48dd193d56ea7b0baad25b19455e529f5ee OKKAAAYYYY! | 9bc50c01de2edd2bdc488d94751b4a1e | 9a1dc4294bbc5f6a35b5eed899386a2035a2ebde A big ass database of passwords and hashes.

33. TONS of these.

34. Collisions What happens when two different passwords have the same

    password hash.

35. Salts

36. You basically just create a random string and prepend it

    to passwords to make brute forcing harder.

37. hash(salt+pass)

38. salt$hash(salt+pass) hash(pass)

39. "rdegges","salt$hash" "rocketspaceadmin","salt$hash" "liljohn","salt$hash"

40. Salts are great because attackers can’t use rainbow tables, and

    must brute force every password individually.

41. Speeeeeeeeeed!

42. Slower is better.

43. The slower a hash function is, the longer it takes

    to brute force.

44. md5(pass) ~ .1 sec bcrypt(pass) ~ 2 sec = 20x

    slower

45. bcrypt is slow “I’m slow.”

46. >>> from bcrypt import gensalt, hashpw >>> >>> hash =

    hashpw('omghi!', gensalt()) >>> if hashpw('omghi!', hash) == hash: ... print 'password valid!' ... 'password valid!'

47. bcrypt • Been around for a long time. • Very

    well peer reviewed. • Widely considered the best option for password hashing. • Easy to use in Python. • Orders of magnitude slower than almost every other hashing function (ask me more about this later).

48. “Use bcrypt or I will be upset with you.” -Randall

49. $ pip install bcrypt

50. # settings.py PASSWORD_HASHERS = ( 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher', 'django.contrib.auth.hashers.BCryptPasswordHasher', 'django.contrib.auth.hashers.PBKDF2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', 'django.contrib.auth.hashers.SHA1PasswordHasher',

    'django.contrib.auth.hashers.MD5PasswordHasher', 'django.contrib.auth.hashers.CryptPasswordHasher', )

51. Security is hard.

52. Stormpath User Management API for Developers • Authentication • User

    Profiles • Groups and Roles • Awesome Python Support • API Authentication • Social Login • SSO • Hosted Login

53. So... • Store passwords with bcrypt. • Check out stormpath.com

    and play around with it! It’s awesome! • If you liked this talk, tweet @gostormpath.

54. You are Awesome [email protected] @rdegges