Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Password Security - From Zero to Hero

Password Security - From Zero to Hero

This is a beginner talk which explains password security (hashing, etc.).

Randall Degges

June 26, 2014

More Decks by Randall Degges

Other Decks in Programming


  1. ...

  2. from hashlib import md5 from itertools import chain, product from

    string import printable from sys import argv def bruteforce(length): return ( ''.join(candidate) for candidate in chain.from_iterable( product( printable, repeat = i ) for i in range(1, length + 1) ) ) for pw in bruteforce(int(argv[2])): if md5(pw).hexdigest() == argv[1]: print 'Cracked hash: %s!' % argv[1] print 'Password is: %s' % pw break
  3. brutal! >>> from brute import brute >>> for s in

    brute(length=10): ... print s $ pip install brute
  4. password | md5 | sha1 -------------+----------------------------------+------------------------------------------ omgmypass | 364a7aeccbc2b0f8b9bcf07ae0dd4748 |

    8a4dd43ae7291b91f995f6d3153e926211ebae44 abc123 | e99a18c428cb38d5f260853678922e03 | 6367c48dd193d56ea7b0baad25b19455e529f5ee OKKAAAYYYY! | 9bc50c01de2edd2bdc488d94751b4a1e | 9a1dc4294bbc5f6a35b5eed899386a2035a2ebde A big ass database of passwords and hashes.
  5. You basically just create a random string and prepend it

    to passwords to make brute forcing harder.
  6. Salts are great because attackers can’t use rainbow tables, and

    must brute force every password individually.
  7. >>> from bcrypt import gensalt, hashpw >>> >>> hash =

    hashpw('omghi!', gensalt()) >>> if hashpw('omghi!', hash) == hash: ... print 'password valid!' ... 'password valid!'
  8. bcrypt • Been around for a long time. • Very

    well peer reviewed. • Widely considered the best option for password hashing. • Easy to use in Python. • Orders of magnitude slower than almost every other hashing function (ask me more about this later).
  9. Stormpath User Management API for Developers • Authentication • User

    Profiles • Groups and Roles • Awesome Python Support • API Authentication • Social Login • SSO • Hosted Login
  10. So... • Store passwords with bcrypt. • Check out stormpath.com

    and play around with it! It’s awesome! • If you liked this talk, tweet @gostormpath.