LT @ Agileware Drinkup, RubyKaigi 2017
On Password Policies
Ryo Kajiwara @ RubyKaigi Drinkup by Agileware, 9/19/2017
Tw: @s01, GH: @sylph01
About me: Ryo Kajiwara, the IDIOT (ID + IoT) engineer. Twitter: @s01
Ad #1: the "Professional SSL/TLS" (『プロフェッショナルSSL/TLS』) reading group. Next session 10/6 (Fri) 19:00: we will go through TLS vulnerabilities.
Ad #2: orchestra concert, 9/23 from 15:00 @ Kawaguchi Lilia (Saitama Pref.). I built the numbered-ticket system (open until 9/22, there is still time!). Of course I am performing too.
TL;DR
Let's get mandatory periodic password changes abolished.
This talk is about how to fight that battle.
NIST SP800-63B
• Digital authentication guideline from NIST (the US National Institute of Standards and Technology)
• Should not require periodic password changes
• Should not impose character-class composition rules on passwords
• Recommends long "passphrases"
• Does not recommend SMS for two-factor authentication
• etc...
Password attacks today
• It is brute force, but not by hammering the login endpoint with requests
• Steal the hashes
• Nobody stores plaintext passwords, right???
Making a password longer beats adding symbols to it
Upper- and lowercase letters: 52 kinds; add 10 digits and 16 symbols and you get 78 kinds
8 characters including symbols: 78^8; 10 characters with no digits or symbols: 52^10 → about 100× stronger!!
Why passphrases are strong
• Today's dictionary attacks go after single words
• Stronger dictionary attacks also try the "l33t sp34k" style character-substitution variants of each word
• With combinations of several words, every extra word multiplies the word-level search space, which makes life hard for the attacker
• It simply ends up being a long password: PerlPHPJavaScriptRubyCSchemeOCamlProlog is plenty strong.
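To put numbers on the two slides above, here is an added Python example that is not part of the talk. It computes the search space for the slide's own alphabets (52 letters, 10 digits and 16 symbols are the talk's figures) and, for the passphrase argument, contrasts a character-level attacker with a word-level one. The 100-entry dictionary of language names, the substitution-variant count and the lowercase-plus-digits policy are constructed assumptions used only for illustration.

```python
import math

# Character-class sizes as counted on the slide: 26 upper + 26 lower = 52,
# 10 digits, 16 symbols. These are the talk's numbers; everything else is constructed.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 16


def search_space(charset_size: int, length: int) -> int:
    """Distinct strings of exactly `length` characters from `charset_size` choices.

    Exact length, as on the slide; an attacker who also tries every shorter
    length only adds a small geometric tail.
    """
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


def bits(space: int) -> float:
    """Search space expressed as bits of uniform-choice entropy."""
    return math.log2(space)


def word_space(dictionary_size: int, words: int, variants_per_word: int = 1) -> int:
    """Search space faced by an attacker who guesses word by word.

    `variants_per_word` models l33t-style substitutions: each dictionary word
    spawns that many spellings, so variants grow the per-word count linearly,
    while each additional word multiplies the whole space.
    """
    return (dictionary_size * variants_per_word) ** words


def slide_comparison() -> dict:
    """The slide's own comparison: 8 chars with symbols vs. 10 letters only."""
    with_symbols_8 = search_space(LOWER + UPPER + DIGITS + SYMBOLS, 8)  # 78^8
    letters_only_10 = search_space(LOWER + UPPER, 10)                   # 52^10
    return {
        "symbols_8": with_symbols_8,
        "letters_10": letters_only_10,
        "ratio": letters_only_10 / with_symbols_8,  # ~105, "about 100x" on the slide
    }


def policy_table() -> list:
    """Bits of search space for a few policies, including a constructed
    no-uppercase rule to show how narrowing the alphabet hurts."""
    policies = [
        ("78-char alphabet, 8 chars", search_space(78, 8)),
        ("52 letters, 10 chars", search_space(52, 10)),
        ("lowercase + digits only, 8 chars", search_space(LOWER + DIGITS, 8)),
        ("52 letters, 16 chars", search_space(52, 16)),
    ]
    return [(name, round(bits(space), 1)) for name, space in policies]


def passphrase_view(passphrase_words: list, dictionary_size: int,
                    variants_per_word: int = 1) -> dict:
    """Two attacker models for one passphrase: character-level brute force over
    letters, versus word-level guessing from a dictionary of `dictionary_size`."""
    text = "".join(passphrase_words)
    return {
        "chars": len(text),
        "char_level_bits": round(bits(search_space(LOWER + UPPER, len(text))), 1),
        "word_level_bits": round(
            bits(word_space(dictionary_size, len(passphrase_words), variants_per_word)), 1),
    }


if __name__ == "__main__":
    print(slide_comparison())
    for name, b in policy_table():
        print(f"{name:36s} {b:6.1f} bits")
    # The slide's example passphrase, against a constructed 100-name dictionary
    langs = ["Perl", "PHP", "JavaScript", "Ruby", "C", "Scheme", "OCaml", "Prolog"]
    print(passphrase_view(langs, dictionary_size=100))
```

The word-level view is the caveat worth keeping: the slide's 39-character passphrase is enormous against character-level brute force, but an attacker who knows it is built from a short list of language names only faces dictionary_size^words. What protects a passphrase is the size of the list its words come from and the number of words, not the raw character count.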
That said, this does not mean "don't let people use symbols"
• Narrow the choices and the search space shrinks; you lose.
• The credit card site of Bank of Tokyo-Mitsubishi UFJ does not accept uppercase letters in passwords, which shrinks the search space quite a bit ><
Use a password manager
For personal use, 1Password is the safe bet. Letting the macOS Keychain or Chrome's keychain remember strong passwords for you is fine too.
For a company-wide rollout, search for "IDaaS" and you will find plenty of products.
How I killed my company's password policy
• I had a track record of working on customers' ID platforms and security
• On top of that, I presented the evidence above
• I ran a training session on how to choose passwords properly
• With the cooperation of the person who had set the previous policy, periodic password changes were abolished without incident
How I killed my company's password policy
• The previous policy change had been made in order to obtain ISMS certification
• The ISMS certification criteria only say "follow best practices"; they do not require periodic password changes
• PCI-DSS, on the other hand, states it explicitly. If you need PCI-DSS, give up
• No record verifying the rationale for adopting the policy had survived: 「「「闇」」」 (pure darkness)
Summary
Use long passwords.
Use a password manager.
When you introduce a policy, properly record the discussion that led to it.
Questions?
References
• NIST SP800-63B, Japanese translation - https://openid-foundation-japan.github.io/800-63-3/sp800-63b.ja.html
• "Those password rules were actually a failure" (あのパスワード規則、実は失敗作だった) @ The Wall Street Journal Japan - http://jp.wsj.com/articles/SB12199000528276883842504583318883522596550
• "The history of 'periodic password changes' as seen in standards documents" (unfinished draft) @ nilnil専用チラシの裏 - http://d.hatena.ne.jp/nilnil/20131220/1387546964