
Password Security - From Zero to Hero


This is a beginner talk which explains password security (hashing, etc.).

Randall Degges

June 26, 2014


Transcript

  1. Password Security
    From Zero to Hero
    @rdegges


  2. I’m Randall Degges
    Developer Evangelist, Stormpath
    https://stormpath.com
    Pythonista
    103 github projects, mostly python


  3. “Why should I care about password security?”


  4. Nobody teaches it :(


  5. Everyone messes it up!


  6. LOVE
    YOUR
    USERS


  7. Security Samurai
    YOU


  8. You need to store passwords.


  9. Plain Text
    "rdegges","omgmypass"
    "rocketspaceadmin","abc123"
    "liljohn","OKKAAAYYYY!"


  10. If someone gets access to your database, game over.


  11. Then you have to deal with this.


  12. “But Randall, who would do that?”


  13. http://plaintextoffenders.com


  14. Introducing the Hash


  15. “What is a hash?”


  16. It’s basically a stupid function that converts a string into garbage.


  17. "rdegges","omgmypass"
    "rocketspaceadmin","abc123"
    "liljohn","OKKAAAYYYY!"
    "rdegges","3e3faeabbd3e98c6cedb91ad46551014"
    "rocketspaceadmin","e99a18c428cb38d5f260853678922e03"
    "liljohn","9bc50c01de2edd2bdc488d94751b4a1e"
    hash()


  18. All hashes are unique.


  19. You cannot ‘reverse’ a hash.


  20. There are lots of hashing algorithms!
    MD5
    SHA1
    SHA256
    SHA512
    PBKDF2
    BCRYPT
    SCRYPT


  21. Most suck though.
    MD5
    SHA1
    SHA256
    SHA512
    PBKDF2
    BCRYPT
    SCRYPT


  22. Let’s talk about why.


  23. You basically just try every possible password.


  24. from hashlib import md5
    from itertools import chain, product
    from string import printable
    from sys import argv

    def bruteforce(length):
        return (
            ''.join(candidate) for candidate in
            chain.from_iterable(
                product(
                    printable,
                    repeat = i
                ) for i in range(1, length + 1)
            )
        )

    for pw in bruteforce(int(argv[2])):
        if md5(pw).hexdigest() == argv[1]:
            print 'Cracked hash: %s!' % argv[1]
            print 'Password is: %s' % pw
            break


  25. brutal!
    $ pip install brute
    >>> from brute import brute
    >>> for s in brute(length=10):
    ...     print s


  26. Rainbow Tables


  27. password     | md5                              | sha1
    -------------+----------------------------------+------------------------------------------
    omgmypass    | 364a7aeccbc2b0f8b9bcf07ae0dd4748 | 8a4dd43ae7291b91f995f6d3153e926211ebae44
    abc123       | e99a18c428cb38d5f260853678922e03 | 6367c48dd193d56ea7b0baad25b19455e529f5ee
    OKKAAAYYYY!  | 9bc50c01de2edd2bdc488d94751b4a1e | 9a1dc4294bbc5f6a35b5eed899386a2035a2ebde
    A big ass database of passwords and hashes.


  28. TONS of these.


  29. Collisions
    What happens when two different passwords have the same password hash.


  30. You basically just create a random string and prepend it to passwords to make brute forcing harder.


  31. hash(salt+pass)


  32. salt$hash(salt+pass)
    hash(pass)


  33. "rdegges","salt$hash"
    "rocketspaceadmin","salt$hash"
    "liljohn","salt$hash"


  34. Salts are great because attackers can’t use rainbow tables, and must brute force every password individually.
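The following is an added example, not code from the talk, showing the `salt$hash(salt+pass)` layout from slides 30 through 34 in Python 3: a fresh random salt per user, the stored `salt$hash` record, and a verification routine that re-derives the hash from the stored salt. It uses SHA-256 from the standard library purely to keep the salt mechanics visible; the talk's actual recommendation for real password storage is bcrypt, which adds the slowness this example lacks. The function names (`hash_password`, `verify_password`, `build_user_table`) and the sample user table are my own.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example (not from the talk): the "salt$hash(salt+pass)" layout
# from the slides, built on SHA-256 only to show how the salt works.
# Real password storage should use a slow hash such as bcrypt.


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Return the stored form 'salt$hexdigest'.

    A fresh 16-byte random salt is drawn per call (i.e. per user) unless
    one is supplied, so two users with the same password get different
    stored values, and a table precomputed for one salt (a rainbow table)
    says nothing about any other row.
    """
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute hash(salt+pass) with the stored salt and compare.

    hmac.compare_digest runs in constant time, so the response time does
    not reveal how many leading characters of the digest matched.
    """
    salt, sep, digest = stored.partition("$")
    if sep != "$" or not salt or not digest:
        return False  # malformed record: never treat as a match
    candidate = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def build_user_table() -> dict:
    """Constructed sample table mirroring the users on the slides."""
    users = {
        "rdegges": "omgmypass",
        "rocketspaceadmin": "abc123",
        "liljohn": "abc123",  # same password as rocketspaceadmin, on purpose
    }
    return {name: hash_password(pw) for name, pw in users.items()}


if __name__ == "__main__":
    table = build_user_table()
    for name, stored in table.items():
        print(f'"{name}","{stored}"')
    # Same password in two rows still yields two different stored values.
    print(table["rocketspaceadmin"] != table["liljohn"])
    print(verify_password("abc123", table["liljohn"]))
    print(verify_password("wrong", table["liljohn"]))
```

Run it twice and every stored value changes even though the passwords did not; that is the property that makes a precomputed table useless and forces a per-row guess, which slides 36 through 38 then make expensive with a slow hash.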


  35. Speeeeeeeeeed!


  36. Slower is better.


  37. The slower a hash function is, the longer it takes to brute force.


  38. md5(pass) ~ .1 sec
    bcrypt(pass) ~ 2 sec
    = 20x slower
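To put a number on "slower is better" (slides 36 through 38), here is an added example that is not from the talk. It times one guess against a salted MD5 and against a deliberately slow, iterated hash on the same machine, and reports the factor by which the guessing rate drops. PBKDF2 from the Python standard library stands in for bcrypt because its iteration count plays the same role as bcrypt's cost parameter (`gensalt(rounds=N)` in the `bcrypt` package) and needs no third-party install; the salt, the 100,000-iteration setting, and the helper names (`seconds_per_hash`, `slowdown_factor`, `years_to_exhaust`) are my own choices, and the 100-symbol keyspace is taken from `string.printable`, which slide 24's script iterates over.

```python
import hashlib
import secrets
import time

# Added example (not from the talk): measure how much longer one password
# guess costs with an iterated hash than with plain MD5. PBKDF2-HMAC-SHA256
# stands in for bcrypt; its iteration count is the same kind of knob as
# bcrypt's cost/rounds parameter.

SALT = secrets.token_bytes(16)       # constructed per-run salt
PBKDF2_ITERATIONS = 100_000          # assumed work factor for this demo


def md5_hash(password: bytes) -> bytes:
    """Fast hash: one MD5 over salt+password (the weak baseline)."""
    return hashlib.md5(SALT + password).digest()


def pbkdf2_hash(password: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow hash: PBKDF2 repeats HMAC-SHA256 `iterations` times."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, iterations)


def seconds_per_hash(hash_fn, samples: int) -> float:
    """Average wall-clock seconds for one call of hash_fn."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(b"password%d" % i)
    return (time.perf_counter() - start) / samples


def slowdown_factor(md5_samples: int = 2000, pbkdf2_samples: int = 5) -> float:
    """How many MD5 computations fit in the time of one PBKDF2 computation.

    On the same hardware this is the factor by which an attacker's
    guesses-per-second drops when the defender switches hash functions.
    """
    return seconds_per_hash(pbkdf2_hash, pbkdf2_samples) / seconds_per_hash(
        md5_hash, md5_samples
    )


def years_to_exhaust(keyspace: int, seconds_per_guess: float) -> float:
    """Years a single core needs to try every candidate in `keyspace`."""
    return keyspace * seconds_per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    md5_t = seconds_per_hash(md5_hash, 2000)
    pbkdf2_t = seconds_per_hash(pbkdf2_hash, 5)
    print(f"md5:    {md5_t * 1e6:10.1f} us per hash")
    print(f"pbkdf2: {pbkdf2_t * 1e6:10.1f} us per hash ({PBKDF2_ITERATIONS} iterations)")
    print(f"slowdown factor: {slowdown_factor():.0f}x")
    # 8 characters drawn from the 100 symbols of string.printable, 1 core.
    keyspace = 100 ** 8
    print(
        f"exhaust 8-char printable keyspace: "
        f"md5 {years_to_exhaust(keyspace, md5_t):.1f} y, "
        f"pbkdf2 {years_to_exhaust(keyspace, pbkdf2_t):.0f} y"
    )
```

The factor you see depends on the machine and on `PBKDF2_ITERATIONS`, but it is orders of magnitude rather than the 20x on the slide; that is the whole argument for a tunable work factor: the defender pays the cost once per login, the attacker pays it once per guess.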


  39. bcrypt is slow
    “I’m slow.”


  40. >>> from bcrypt import gensalt, hashpw
    >>>
    >>> hash = hashpw('omghi!', gensalt())
    >>> if hashpw('omghi!', hash) == hash:
    ...     print 'password valid!'
    ...
    password valid!


  41. bcrypt
    ● Been around for a long time.
    ● Very well peer reviewed.
    ● Widely considered the best option for password hashing.
    ● Easy to use in Python.
    ● Orders of magnitude slower than almost every other hashing function (ask me more about this later).


  42. “Use bcrypt or I will be upset with you.”
    -Randall


  43. $ pip install bcrypt


  44. # settings.py
    PASSWORD_HASHERS = (
        'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
        'django.contrib.auth.hashers.BCryptPasswordHasher',
        'django.contrib.auth.hashers.PBKDF2PasswordHasher',
        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
        'django.contrib.auth.hashers.SHA1PasswordHasher',
        'django.contrib.auth.hashers.MD5PasswordHasher',
        'django.contrib.auth.hashers.CryptPasswordHasher',
    )


  45. Security is hard.


  46. Stormpath
    User Management API for Developers
    ● Authentication
    ● User Profiles
    ● Groups and Roles
    ● Awesome Python Support
    ● API Authentication
    ● Social Login
    ● SSO
    ● Hosted Login


  47. So...
    ● Store passwords with bcrypt.
    ● Check out stormpath.com and play around with it! It’s awesome!
    ● If you liked this talk, tweet @gostormpath.


  48. You are Awesome
    [email protected] @rdegges
