Python Password Security: From Zero to Hero

Transcript

1. Password Security From Zero to Hero! @rdegges @gostormpath

2. Why is Password Security Important?

3. LOVE YOUR USERS

4. Security Samurai

5. I’m Randall Degges Developer Evangelist, Stormpath https://stormpath.com Python Hacker Formerly

   Co-Founder / CTO, OpenCNAM

6. Stormpath User Management API for Developers • Authentication • User

   Profiles • Groups and Roles • Python/Flask SDK

7. The Simplest Thing

8. "rdegges","omgmypass" "rocketspaceadmin","abc123" "liljohn","OKKAAAYYYY!" Plain Text

9. @app.route('/register', methods=['GET', 'POST']) def register(): if request.method == 'GET': return

   render_template('register.html') try: user = User( email = request.form.get('email'), password = request.form.get('password'), ) user.save() except: return render_template('register.html', error='Username and password required.') return redirect(url_for('dashboard'))

10. Who would ever do this?!

11. http://plaintextoffenders.com

12. One Step Up The Hash

13. "rdegges","3e3faeabbd3e98c6cedb91ad46551014" "rocketspaceadmin"," e99a18c428cb38d5f260853678922e03" "liljohn","9bc50c01de2edd2bdc488d94751b4a1e" MD5 / SHA1

14. from hashlib import md5 user = User( email = request.form.get('email'),

    password = md5( request.form.get('password') ).hexdigest(), )

15. Brute Force

16. from hashlib import md5 from itertools import chain, product from

    string import printable from sys import argv def bruteforce(length): return ( ''.join(candidate) for candidate in chain.from_iterable( product( printable, repeat = i ) for i in range(1, length + 1) ) ) for pw in bruteforce(int(argv[2])): if md5(pw).hexdigest() == argv[1]: print 'Cracked hash: %s!' % argv[1] print 'Password is: %s' % pw break
17. None

18. Also… brute! >>> from brute import brute >>> for s

    in brute(length=10): ... print s $ pip install brute

19. Rainbow Tables • SHA1 • SHA256 • SHA512 • MD5

    • etc.

20. https://crackstation.net

21. Collisions abc123 == omgno!

22. Moving On The Salt

23. from hashlib import sha512 from random import choice from string

    import printable salt = ''.join(choice(printable) for i in range (40)) user = User( email = request.form.get('email'), password = salt + '$' + sha512( salt + request.form.get('password') ).hexdigest(), )

24. The Good • Rainbow tables won’t work! • Still easy

    to brute force. • Have to store your salt in the database. The Bad

25. Let’s talk about speed.

26. Slower is Better def hash(): for i in xrange(10000000): do_expensive_operations_that_take_a_while()

    return some_hash

27. Complexity is a Thing >>> hash(hash(hash(hash(hash(hash(hash(...)))))))

28. bcrypt is slow >>> from bcrypt import gensalt, hashpw >>>

    >>> hash = hashpw('omghi!', gensalt()) >>> if hashpw('omghi!', hash) == hash: ... print 'password valid!' ... 'password valid!'

29. scrypt is slower! >>> from scrypt import hash >>> >>>

    myhash = hash('mypass', 'mysalt') >>> if hash('mypass', myhash) == myhash: ... print 'password valid!' ... 'password valid!'

30. Quick Recap

31. Next Up Storage

32. sqlite> create table users (email text, password text); sqlite> .tables

    users sqlite> .schema users CREATE TABLE users (email text, password text); sqlite> insert into users (email, password) values ( ...> '[email protected]', ...> 'mysalt$mypasswordhash' ...> ); sqlite> select * from users; [email protected]|mysalt$mypasswordhash ? ? ? ?
33. None

34. Tips for Mitigating DB Attacks

35. Distributed Hash

36. Encrypting Hashes

37. Rotating Keys

38. Summary • Use bcrypt (or scrypt, if you live on

    the edge). • Lock your server(s) down. • Encrypt output if necessary. • Prevent human access.

39. Security is Hard, We can Help

40. Flask-Stormpath @app.route('/register', methods=['GET', 'POST']) def register(): if request.method == 'GET':

    return render_template('register.html') try: someuser = User.create( email = request.form.get('email'), password = request.form.get('password'), ) except StormpathError, err: return render_template('register.html', error=err.message) login_user(someuser, remember=True) return redirect(url_for('dashboard'))

41. So... • Don’t store passwords in plain text! • Check

    out Flask-Stormpath on Github: https://github.com/stormpath/stormpath- flask • If you liked this presentation, tweet me! @rdegges

42. You are Awesome 818-217-9229 rdegges.com Thanks, cars!