
On Password Policies

sylph01
September 19, 2017

LT @ Agileware Drinkup, RubyKaigi 2017

Transcript

  1. On Password Policies
    Ryo Kajiwara @ RubyKaigi Drinkup
    by Agileware, 9/19/2017
    Tw: @s01, GH: @sylph01

  2. About me
    梶原 龍 (Ryo Kajiwara)
    the IDIOT (ID + IoT) engineer
    Twitter: @s01

  3. Announcement 1:
    Reading group for 『プロフェッショナルSSL/TLS』
    (Professional SSL/TLS)
    Next session: 10/6 (Fri) 19:00
    We'll walk through TLS vulnerabilities

  4. Announcement 2:
    Orchestra concert
    9/23 15:00- @ Kawaguchi Lilia
    (Saitama Prefecture)
    I'm building the ticketing system for it
    (open until 9/22, there's still time!)
    And of course I'll be performing too

  5. (image-only slide)

  6. TL;DR

  7. Let's abolish periodic password rotation

  8. I'll talk about how to fight that battle

  9. (image-only slide)

  10. NIST SP800-63B
    • Digital identity guidelines from NIST (the US National Institute of Standards and Technology)
    • Should not require periodic password changes
    • Should not impose character-class composition rules on passwords
    • Long "passphrases" are recommended
    • Using SMS for two-factor authentication is not recommended
    • etc...
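To make the slide's bullets concrete, here is an added example (written for this page; it is not code from the talk or from NIST) that puts the old composition-rule style of policy next to an SP 800-63B style one. The blocklist is a tiny constructed sample standing in for a real breached-password corpus, and the 90-day figure in the legacy rotation rule is an assumed value used only for illustration.

```ruby
# Added example: two password-acceptance policies side by side.
# legacy_ok? is the composition-rule style the talk argues against;
# nist_ok? follows the SP 800-63B memorized-secret guidance the slide summarises.
# COMMON_PASSWORDS is a tiny constructed sample, not a real breach corpus.

COMMON_PASSWORDS = %w[password password1! password123 qwerty 123456 letmein].freeze

# Legacy rule: 8-16 characters with one of each class. It rejects long
# passphrases and herds users towards predictable "Password1!" shapes.
def legacy_ok?(pw)
  pw.length.between?(8, 16) &&
    pw.match?(/[a-z]/) && pw.match?(/[A-Z]/) &&
    pw.match?(/\d/) && pw.match?(/[^A-Za-z0-9]/)
end

# SP 800-63B style: at least 8 characters, at least 64 allowed, any printable
# character (spaces and non-ASCII included), no composition rules, but reject
# anything on a blocklist of known-bad choices. Case and whitespace are
# normalised first so trivial variants of a blocklisted entry are caught too.
def nist_ok?(pw, blocklist: COMMON_PASSWORDS, max_length: 64)
  return false if pw.length < 8 || pw.length > max_length
  return false if pw.match?(/[[:cntrl:]]/)   # control characters are the only exclusion
  normalized = pw.downcase.gsub(/\s+/, "")
  blocklist.none? { |bad| normalized == bad.downcase.gsub(/\s+/, "") }
end

# Rotation: the legacy policy is calendar-driven (90 days is an assumed value);
# SP 800-63B says to rotate only on evidence of compromise.
def rotation_required?(policy, days_since_change:, compromised:)
  case policy
  when :legacy then compromised || days_since_change >= 90
  when :nist   then compromised
  else raise ArgumentError, "unknown policy #{policy.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  ["Password1!", "correct horse battery staple"].each do |pw|
    puts format("%-30s legacy=%-5s nist=%s", pw, legacy_ok?(pw), nist_ok?(pw))
  end
end
```

Running it shows the inversion the slide is about: the legacy rule accepts "Password1!" and rejects a four-word passphrase, while the SP 800-63B style rule does the opposite because the passphrase is long and not on the blocklist.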

  11. Modern password attacks
    • It's brute force, but not by hammering the login with requests
    • Steal the hash values
    • You're not storing plaintext passwords, are you???
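The defence against the offline attack this slide describes is to store only a salted, deliberately slow verifier rather than a plaintext or fast hash. This added example (written for this page, not code from the talk) does that with PBKDF2-HMAC-SHA256 from Ruby's bundled OpenSSL binding; the iteration count is an illustrative value to be tuned to your own hardware, and the `pbkdf2-sha256$iterations$salt$hash` string layout is my own choice, not a standard format.

```ruby
require "openssl"
require "securerandom"

# Added example: store a password as a salted, slow PBKDF2 verifier so that a
# stolen table is expensive to attack offline. Parameters are illustrative.
ITERATIONS = 200_000   # work factor: raise it as hardware gets faster
KEY_LENGTH = 32        # bytes of derived key to keep
DIGEST     = "sha256"

# Produces a self-describing string "pbkdf2-sha256$iterations$salt$hash"
# (base64 fields), so the work factor can be raised later for new hashes
# while old ones stay verifiable.
def hash_password(password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)  # unique per user: no shared rainbow table
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                length: KEY_LENGTH, hash: DIGEST)
  ["pbkdf2-#{DIGEST}", iterations, [salt].pack("m0"), [dk].pack("m0")].join("$")
end

# Constant-time byte comparison: verification time must not depend on how
# many leading bytes of the candidate hash matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derives the key with the stored salt and iteration count and compares.
def verify_password(password, stored)
  scheme, iterations, salt_b64, hash_b64 = stored.split("$")
  return false unless scheme == "pbkdf2-#{DIGEST}" && hash_b64
  salt     = salt_b64.unpack1("m0")
  expected = hash_b64.unpack1("m0")
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations.to_i,
                                length: expected.bytesize, hash: DIGEST)
  constant_time_equal?(dk, expected)
end

# True when a stored verifier was made with a lower work factor than the
# current target, so it can be upgraded transparently at the next login.
def needs_rehash?(stored, target_iterations: ITERATIONS)
  stored.split("$")[1].to_i < target_iterations
end

if __FILE__ == $PROGRAM_NAME
  stored = hash_password("correct horse battery staple")
  puts stored
  puts verify_password("correct horse battery staple", stored)  # true
  puts verify_password("Tr0ub4dor&3", stored)                   # false
end
```

Because each record carries its own salt and iteration count, an attacker who steals the table has to pay the full work factor for every guess against every user, which is exactly what makes the long passwords recommended later in the deck pay off.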

  12. Making a password longer beats
    adding symbols to it
    Upper- and lowercase letters: 52 kinds
    Add 10 digits and 16 symbols to that: 78 kinds
    8 characters including symbols:
    10 characters without digits or symbols:
    → (ratio) = 100x stronger!!

  13. Why passphrases are strong
    • Today's dictionary attacks target "single words"
    • Stronger dictionary attacks additionally try character substitutions like "l33t sp34k" and incremented numbers
    • With "combinations of multiple words", the more words you combine, the more the search space grows even at the word level, so it's painful for the attacker
    • It simply ends up being a long password
    Even PerlPHPJavaScriptRubyCSchemeOCamlProlog is strong enough.

  14. That said, this doesn't mean
    "don't allow symbols"
    • Narrow the choices and the search space shrinks, and you're dead.
    • The Bank of Tokyo-Mitsubishi UFJ credit card site won't let you use uppercase in passwords; that shrinks the search space quite a lot ><
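The 78-vs-52 comparison on slide 12, the word-level view of passphrases on slide 13 and the "forbidding uppercase shrinks the space" point on slide 14 are all the same exponent arithmetic. This added example (written for this page, not code from the talk) carries it through with exact integers and in bits, and generalises it to any alphabet size and length. The 7776-entry word-list size is an assumption borrowed from Diceware-style lists, not a figure the slides give.

```ruby
# Added example: the search-space arithmetic behind "longer beats symbols",
# generalised to any alphabet size and length, in exact integers and in bits.

LETTERS     = 52  # a-z + A-Z
LETTERS_DIG = 62  # letters + 10 digits
FULL        = 78  # letters + 10 digits + 16 symbols, as on the slide
LOWER_DIG   = 36  # what remains when a site forbids uppercase

# Exact number of strings of +length+ characters over +alphabet+ symbols.
# Ruby Integers are arbitrary precision, so 52**10 does not overflow.
def search_space(alphabet, length)
  alphabet**length
end

# The same quantity as bits of entropy (log2), the usual unit for comparing
# attack cost: every extra bit doubles the work of an exhaustive search.
def bits(alphabet, length)
  length * Math.log2(alphabet)
end

# The slide's comparison: 10 letters-only characters vs 8 characters from the
# full 78-symbol set. Returns how many times larger the letters-only space is.
def slide_ratio
  search_space(LETTERS, 10).fdiv(search_space(FULL, 8))
end

# A passphrase the way a word-level dictionary attack sees it: a sequence of
# +words+ drawn from a list of +dict+ entries (7776 is an assumed list size).
def passphrase_bits(words, dict: 7776)
  words * Math.log2(dict)
end

# Factor by which the space shrinks when a policy forbids uppercase letters
# at a fixed length, i.e. the cost of the restriction slide 14 complains about.
def uppercase_ban_penalty(length)
  search_space(LETTERS_DIG, length).fdiv(search_space(LOWER_DIG, length))
end

# Smallest length over +alphabet+ that reaches at least +target_bits+,
# i.e. how much longer a password must get to compensate for a smaller alphabet.
def length_for(alphabet, target_bits)
  (target_bits / Math.log2(alphabet)).ceil
end

if __FILE__ == $PROGRAM_NAME
  printf("78^8  = %d (%.1f bits)\n", search_space(FULL, 8), bits(FULL, 8))
  printf("52^10 = %d (%.1f bits)\n", search_space(LETTERS, 10), bits(LETTERS, 10))
  printf("ratio = %.1f\n", slide_ratio)
  printf("4-word passphrase: %.1f bits\n", passphrase_bits(4))
  printf("forbidding uppercase at length 8 shrinks the space %.0fx\n", uppercase_ban_penalty(8))
  printf("length needed at 36 symbols to match 8 chars of 62: %d\n", length_for(LOWER_DIG, bits(LETTERS_DIG, 8)))
end
```

The numbers match the slide: two extra letters-only characters buy roughly a hundredfold larger space than the 16 symbols do, and banning uppercase at length 8 hands the attacker a space that is about 77 times smaller unless users add two more characters.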

  15. Use a password manager
    For personal use, 1Password is the go-to. Letting macOS Keychain or Chrome's keychain remember strong passwords is fine too.
    For a company rollout, search for the keyword "IDaaS" and you'll find plenty of options.

  16. How I killed my company's
    password policy
    • I had a track record of working on customers' identity platforms and security
    • On top of that, I presented the evidence above
    • I ran a training session on how to choose passwords properly
    • With the cooperation of the person who had set the previous policy, periodic password rotation was successfully abolished

  17. How I killed my company's
    password policy
    • The previous policy change had been made in order to obtain ISMS certification
    • The ISMS certification criteria only say "follow best practice"; they don't actually require periodic password changes
    • PCI-DSS, on the other hand, states it explicitly. If you need PCI-DSS, give up
    • No record of the rationale for adopting the policy survived, which is 「「「darkness」」」

  18. (image-only slide)

  19. Summary

  20. Let's abolish periodic password rotation

  21. Use long passwords

  22. Use a password manager

  23. When introducing a policy, keep a proper record of the discussion too

  24. Questions?

  25. Reference URLs
    • NIST SP800-63B (Japanese translation) - https://openid-foundation-japan.github.io/800-63-3/sp800-63b.ja.html
    • "That password rule was actually a failure" @ THE WALL STREET JOURNAL - http://jp.wsj.com/articles/SB12199000528276883842504583318883522596550
    • "The history of 'periodic password changes' as seen in standards documents (unfinished draft)" @ nilnil専用チラシの裏 - http://d.hatena.ne.jp/nilnil/20131220/1387546964