$30 off During Our Annual Pro Sale. View Details »

On Password Policies

sylph01
September 19, 2017
Technology
2
1.2k

On Password Policies

LT @ Agileware Drinkup, RubyKaigi 2017

sylph01

September 19, 2017
Tweet

More Decks by sylph01

See All by sylph01
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
170
Build and Learn Rails Authentication
sylph01
8
1.6k
Email, Messaging, and Self-Sovereign Identity (2021/05/28 edition)
sylph01
0
100
DNS Encryption and Its Controversies
sylph01
0
580
Email, Messaging, and SSI/DID (再放送)
sylph01
0
1.1k
Action Mailbox in Action
sylph01
1
2.8k
Keebs-n-Kaigi
sylph01
1
220
Email, Messaging, and SSI/DID
sylph01
0
760
IETF 107 Report Session: OAuth/TxAuth
sylph01
0
73

Other Decks in Technology

See All in Technology
2023년의 딥러닝과 LLM 생태계
inureyes
PRO
0
1.4k
地域発展の新たなフロンティアを探そう、地方企業こそサーバーレスを活用すべき3つの理由 / Local Startup With Serverless
_kensh
0
150
NIKKEI COMPASSの Stripe決済フローと決済高速化の方法/20231205-compass
nikkei_engineer_recruiting
1
240
JAWS-UG_YOKOHAMA_20231204
hiashisan
0
360
徹底解説!Power Platform 導入の成功事例から見る DX 推進のコツ / Tips for DX promotion from Power Platform case studies
karamem0
0
1k
reInvent2023のセキュリティまとめしてGuardDutyQとコストの話します
cmusudakeisuke
0
380
PKSHAでアルゴリズムを 社会実装する楽しみ
pkshadeck
1
170
サービスの1等地ホーム画面改善と効果的なステークホルダーマネジメント / Improvement of Prime Location Home Screen for Services and Effective Stakeholder Management
rilmayer
0
220
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
0
2.3k
エンタープライズSaaSへの挑戦〜顧客の事業を成長させるプロダクトマネジメントとは?〜 / pmconf2023
route06
2
1.1k
AutoGenで作るLLM Agen
peisuke
1
360
Autonomous Database サービス・アップデート (FY24)
oracle4engineer
PRO
0
170

Featured

See All Featured
GitHub's CSS Performance
jonrohan
1021
440k
Learning to Love Humans: Emotional Interface Design
aarron
266
39k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
185
15k
Typedesign – Prime Four
hannesfritz
35
1.8k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
113
17k
Optimizing for Happiness
mojombo
368
68k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6.2k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
239
1.2M
Being A Developer After 40
akosma
52
580k
RailsConf 2023
tenderlove
0
360
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
15
1.7k
Automating Front-end Workflow
addyosmani
1354
200k

Transcript

  1. On Password Policies
    Ryo Kajiwara @ RubyKaigi Drinkup
    by Agileware, 9/19/2017
    Tw: @s01, GH: @sylph01

    View Slide

  2. ࣗݾ঺հ
    ֿݪ ཾ(Ryo Kajiwara)
    the IDIOT(ID + IoT)
    engineer
    Twitter: @s01

    View Slide

  3. એ఻ͦͷ1:
    ʰϓϩϑΣογ
    ϣφϧSSL/TLSʱ
    ಡॻձ
    ࣍ճ͸10/6(ۚ) 19:00
    TLSͷ੬ऑੑΛղઆ͠
    ·͢

    View Slide

  4. એ఻ͦͷ2:
    ਑ͷԻָஂ ԋ૗ձ
    9/23 15:00- @ ઒ޱϦϦΞ
    ʢ࡛ۄݝʣ
    ੔ཧ݊γεςϜ࡞ͬͯ·͢
    ʢ9/22·Ͱɺ·ͩؒʹ߹
    ͏ʂʣ
    ΋ͪΖΜग़ԋ΋͠·͢

    View Slide

  5. View Slide

  6. TL;DR

    View Slide

  7. ύεϫʔυͷ
    ఆظߋ৽Λ
    ഇࢭͤ͞Α͏

    View Slide

  8. ͦͷઓ͍ํͷ
    ࿩Λ͠·͢

    View Slide

  9. View Slide

  10. NIST SP800-63B
    • NIST(ΞϝϦΧࠃཱඪ४ٕज़ݚڀॴ)ʹΑΔσδλϧೝূͷΨΠυ
    ϥΠϯ
    • ύεϫʔυͷఆظతͳมߋΛཁٻ͢΂͖Ͱͳ͍
    • จࣈछͷ૊Έ߹ΘͤΛύεϫʔυʹ՝͢΂͖Ͱͳ͍
    • ௕͍ʮύεϑϨʔζʯΛ࢖͏͜ͱ͕ਪ঑
    • ೋཁૉೝূʹSMSΛ࢖͏ͷ͸ਪ঑͞Εͳ͍
    • etc...

    View Slide

  11. ݱ୅ͷύεϫʔυ߈ܸ
    • ૯౰Γ߈ܸ͚ͩͲϦΫΤετΛൃߦ͠·͘ΔΘ͚͡Όͳ͍
    • ϋογϡ஋Λୣ͏
    • ฏจύεϫʔυͳΜͯอଘͯ͠ΔΘ͚ͳ͍ΑͶʁʁʁ

    View Slide

  12. ه߸Λύεϫʔυʹ͚ͭΔΑ
    Γ௕͘͢Δ΄͏͕༗ར
    ΞϧϑΝϕοτେจࣈখจࣈ: 52छྨ
    ͦΕʹ਺ࣈ10छɾه߸16छྨΛ଍ͨ͠78छྨ
    ه߸ࠐΈ8ܻ:
    ਺ࣈɾه߸ൈ͖10ܻ:
    → ഒ = 100ഒڧ͍ʂʂ

    View Slide

  13. ύεϑϨʔζ͕ڧ͍ཧ༝
    • ݱࡏͷࣙॻ߈ܸ͸ʮ୯Ұͷ୯ޠʯʹରͯ͠ߦ͏
    • ڧ͍ࣙॻ߈ܸ͸ͦΕʹՃ͑ͯʮl33t sp34kʯͷΑ͏ͳจࣈஔ͖׵
    ͑΍਺஋ͷΠϯΫϦϝϯτʹରͯ͠΋߈ܸΛ͢Δ
    • ʮෳ਺୯ޠͷ૊Έ߹Θͤʯ͸૊Έ߹ΘͤΔ୯ޠ͕૿͑Δ΄Ͳ୯
    ޠϕʔεͰ΋୳ࡧۭ͕ؒ૿͑ΔͷͰ͠ΜͲ͍
    • ୯७ʹ௕͍ύεϫʔυʹͳΔ
    PerlPHPJavaScriptRubyCSchemeOCamlProlog Ͱ΋े෼ڧ͍ɻ

    View Slide

  14. ҰํͰʮه߸Λ࢖ΘͤΔͳʯ
    Ͱ͸ͳ͍
    • બ୒ࢶڱΊΔͱ୳ࡧۭؒখ͘͞ͳͬͯࢮ͵ɻ
    • ࡾඛ౦ژUFJۜߦͷΫϨδοτΧʔυͷαΠτɺύεϫʔυʹେ
    จࣈ࢖͑ͳ͍ΜͰ͕͢ɺ୳ࡧۭؒ૬౰খ͘͞ͳΔͷͰ͕͢ʼʻ

    View Slide

  15. ύεϫʔυϚωʔδϟʔΛ࢖
    ͓͏
    ݸਓͰ࢖͏ͳΒ1Password͕൘ɻMacͷΩʔνΣʔϯɺChromeͷΩ
    ʔνΣʔϯʹڧ͍ύεϫʔυΛ֮͑ͤ͞ΔͷͰ΋Α͍ɻ
    اۀͰಋೖ͢ΔͳΒIDaaSͱ͍͏ΩʔϫʔυͰ͍Ζ͍Ζग़ͯ·͢ɻ

    View Slide

  16. ձࣾͷύεϫʔυϙϦγʔΛ
    ࡴͨ͠࿩
    • ސ٬ͷIDج൫ͱ͔ηΩϡϦςΟͷ࢓ࣄΛ͍࣮ͯͨ͠੷͕͋ͬͨ
    • ͦͷ্ͰઌఔͷΤϏσϯεΛಥ͖͚ͭͯ
    • ਖ਼͍͠ύεϫʔυͷ෇͚ํͷߨशΛͨ͠
    • ҎલͷϙϦγʔͷઃఆऀͷਓʹڠྗΛಘͯແࣄύεϫʔυͷఆ
    ظߋ৽Λഇࢭ

    View Slide

  17. ձࣾͷύεϫʔυϙϦγʔΛ
    ࡴͨ͠࿩
    • ҎલͷϙϦγʔมߋ͸ISMSೝূऔಘʹΑΔ΋ͷͩͬͨ
    • ISMSͷೝূج४ʹ͸ʮϕετɾϓϥΫςΟεʹै͑ʯͱ͔͠ॻ
    ͍͓ͯΒͣɺύεϫʔυఆظมߋΛཁٻ͍ͯ͠ΔΘ͚Ͱ͸ͳ͍
    • ҰํPCI-DSSʹ͸໌ࣔ͞Ε͍ͯΔɻPCI-DSS͕ඞཁͳΒఘΊ·
    ͠ΐ͏
    • ϙϦγʔಋೖͷࠜڌͷূ੻͕࢒ͬͯͳ͍ͷ͸ʮʮʮҋʯʯʯ

    View Slide

  18. View Slide

  19. ·ͱΊ

    View Slide

  20. ύεϫʔυͷ
    ఆظߋ৽Λ
    ഇࢭͤ͞Α͏

    View Slide

  21. ௕͍ύεϫʔυ
    Λ͚ͭΑ͏

    View Slide

  22. ύεϫʔυϚωʔδϟʔ
    Λ࢖͓͏

    View Slide

  23. ϙϦγʔಋೖ࣌ʹ͸
    ٞ࿦ͷաఔ΋
    ͪΌΜͱ࢒ͦ͏

    View Slide

  24. Questions?

    View Slide

  25. ࢀߟURL
    • NIST SP800-63B ຋༁൛ - https:/
    /openid-foundation-
    japan.github.io/800-63-3/sp800-63b.ja.html
    • ͋ͷύεϫʔυنଇɺ࣮͸ࣦഊ࡞ͩͬͨ @ THE WALLSTREET
    JOURNAL - http:/
    /jp.wsj.com/articles/
    SB12199000528276883842504583318883522596550
    • ඪ४ॻʹݟΔʮύεϫʔυͷఆظతมߋʯͷྺ࢙(ॻ͖͔͚์ஔ)
    @ nilnilઐ༻νϥγͷཪ - http:/
    /d.hatena.ne.jp/nilnil/
    20131220/1387546964

    View Slide