Upgrade to Pro — share decks privately, control downloads, hide ads and more …

On Password Policies

sylph01
September 19, 2017
Technology
2
1.2k

On Password Policies

LT @ Agileware Drinkup, RubyKaigi 2017

sylph01

September 19, 2017
Tweet

More Decks by sylph01

See All by sylph01
Community & RubyKaigi Showcase @ Ehime.rb Reboot Meetup
sylph01
0
92
Build and Learn Rails Authentication
sylph01
8
1.4k
DNS Encryption and Its Controversies
sylph01
0
510
Email, Messaging, and SSI/DID (再放送)
sylph01
0
1k
Action Mailbox in Action
sylph01
1
2.6k
Keebs-n-Kaigi
sylph01
1
140
Email, Messaging, and SSI/DID
sylph01
0
700
IETF 107 Report Session: OAuth/TxAuth
sylph01
0
64
OAuth, Transactional Authorization @ IETF106
sylph01
1
470

Other Decks in Technology

See All in Technology
Zennを支える Google Cloud の技術
wadayusuke
0
130
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.5k
ビギナー向け エッジランタイムのすすめ | エッジランタイムを意識した開発をはじめよう
aiji42
1
730
シゴトをジモトに運び込め〜大企業でCCoEやってた私が地元に事業所を作るまで〜
mamohacy
2
140
プロ野球をデータモデリングしてみたら沼だった件 / Baseball ERD Modeling to be obsessed
gothedistance
1
120
Secret sauce for improving developer experience: tackle flaky tests
line_developers
PRO
2
230
JAWS-UG千葉#20-AWS Security Lakeを試してみたら 最高の運用者体験だった
yamaguchitk333
0
210
WebGLやCanvasを使ったデータ可視化コンテンツ開発/nikkei-tech-talk5-3
nikkei_engineer_recruiting
0
150
React開発における失敗事例と学び〜実例3選とともに〜
bitkey
PRO
2
660
IoTによるGPS等の位置情報活用 基礎知識
soracom
PRO
0
240
大規模ブロックチェーンゲームの マスアダプションまでの課題と解決への期待
miyatakoji
0
120
安全にプロセスを停止するためにシグナル制御を学ぼう!
yamamotohiroya
0
260

Featured

See All Featured
Robots, Beer and Maslow
schacon
154
7.4k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
214
12k
Testing 201, or: Great Expectations
jmmastey
26
5.8k
Adopting Sorbet at Scale
ufuk
66
7.9k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
25
5.1k
What's in a price? How to price your products and services
michaelherold
233
9.8k
Build your cross-platform service in a week with App Engine
jlugia
221
17k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
182
15k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.4k
Visualization
eitanlees
130
12k
Clear Off the Table
cherdarchuk
80
290k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k

Transcript

  1. On Password Policies
    Ryo Kajiwara @ RubyKaigi Drinkup
    by Agileware, 9/19/2017
    Tw: @s01, GH: @sylph01

    View Slide

  2. ࣗݾ঺հ
    ֿݪ ཾ(Ryo Kajiwara)
    the IDIOT(ID + IoT)
    engineer
    Twitter: @s01

    View Slide

  3. એ఻ͦͷ1:
    ʰϓϩϑΣογ
    ϣφϧSSL/TLSʱ
    ಡॻձ
    ࣍ճ͸10/6(ۚ) 19:00
    TLSͷ੬ऑੑΛղઆ͠
    ·͢

    View Slide

  4. એ఻ͦͷ2:
    ਑ͷԻָஂ ԋ૗ձ
    9/23 15:00- @ ઒ޱϦϦΞ
    ʢ࡛ۄݝʣ
    ੔ཧ݊γεςϜ࡞ͬͯ·͢
    ʢ9/22·Ͱɺ·ͩؒʹ߹
    ͏ʂʣ
    ΋ͪΖΜग़ԋ΋͠·͢

    View Slide

  5. View Slide

  6. TL;DR

    View Slide

  7. ύεϫʔυͷ
    ఆظߋ৽Λ
    ഇࢭͤ͞Α͏

    View Slide

  8. ͦͷઓ͍ํͷ
    ࿩Λ͠·͢

    View Slide

  9. View Slide

  10. NIST SP800-63B
    • NIST(ΞϝϦΧࠃཱඪ४ٕज़ݚڀॴ)ʹΑΔσδλϧೝূͷΨΠυ
    ϥΠϯ
    • ύεϫʔυͷఆظతͳมߋΛཁٻ͢΂͖Ͱͳ͍
    • จࣈछͷ૊Έ߹ΘͤΛύεϫʔυʹ՝͢΂͖Ͱͳ͍
    • ௕͍ʮύεϑϨʔζʯΛ࢖͏͜ͱ͕ਪ঑
    • ೋཁૉೝূʹSMSΛ࢖͏ͷ͸ਪ঑͞Εͳ͍
    • etc...

    View Slide

  11. ݱ୅ͷύεϫʔυ߈ܸ
    • ૯౰Γ߈ܸ͚ͩͲϦΫΤετΛൃߦ͠·͘ΔΘ͚͡Όͳ͍
    • ϋογϡ஋Λୣ͏
    • ฏจύεϫʔυͳΜͯอଘͯ͠ΔΘ͚ͳ͍ΑͶʁʁʁ

    View Slide

  12. ه߸Λύεϫʔυʹ͚ͭΔΑ
    Γ௕͘͢Δ΄͏͕༗ར
    ΞϧϑΝϕοτେจࣈখจࣈ: 52छྨ
    ͦΕʹ਺ࣈ10छɾه߸16छྨΛ଍ͨ͠78छྨ
    ه߸ࠐΈ8ܻ:
    ਺ࣈɾه߸ൈ͖10ܻ:
    → ഒ = 100ഒڧ͍ʂʂ

    View Slide

  13. ύεϑϨʔζ͕ڧ͍ཧ༝
    • ݱࡏͷࣙॻ߈ܸ͸ʮ୯Ұͷ୯ޠʯʹରͯ͠ߦ͏
    • ڧ͍ࣙॻ߈ܸ͸ͦΕʹՃ͑ͯʮl33t sp34kʯͷΑ͏ͳจࣈஔ͖׵
    ͑΍਺஋ͷΠϯΫϦϝϯτʹରͯ͠΋߈ܸΛ͢Δ
    • ʮෳ਺୯ޠͷ૊Έ߹Θͤʯ͸૊Έ߹ΘͤΔ୯ޠ͕૿͑Δ΄Ͳ୯
    ޠϕʔεͰ΋୳ࡧۭ͕ؒ૿͑ΔͷͰ͠ΜͲ͍
    • ୯७ʹ௕͍ύεϫʔυʹͳΔ
    PerlPHPJavaScriptRubyCSchemeOCamlProlog Ͱ΋े෼ڧ͍ɻ

    View Slide

  14. ҰํͰʮه߸Λ࢖ΘͤΔͳʯ
    Ͱ͸ͳ͍
    • બ୒ࢶڱΊΔͱ୳ࡧۭؒখ͘͞ͳͬͯࢮ͵ɻ
    • ࡾඛ౦ژUFJۜߦͷΫϨδοτΧʔυͷαΠτɺύεϫʔυʹେ
    จࣈ࢖͑ͳ͍ΜͰ͕͢ɺ୳ࡧۭؒ૬౰খ͘͞ͳΔͷͰ͕͢ʼʻ

    View Slide

  15. ύεϫʔυϚωʔδϟʔΛ࢖
    ͓͏
    ݸਓͰ࢖͏ͳΒ1Password͕൘ɻMacͷΩʔνΣʔϯɺChromeͷΩ
    ʔνΣʔϯʹڧ͍ύεϫʔυΛ֮͑ͤ͞ΔͷͰ΋Α͍ɻ
    اۀͰಋೖ͢ΔͳΒIDaaSͱ͍͏ΩʔϫʔυͰ͍Ζ͍Ζग़ͯ·͢ɻ

    View Slide

  16. ձࣾͷύεϫʔυϙϦγʔΛ
    ࡴͨ͠࿩
    • ސ٬ͷIDج൫ͱ͔ηΩϡϦςΟͷ࢓ࣄΛ͍࣮ͯͨ͠੷͕͋ͬͨ
    • ͦͷ্ͰઌఔͷΤϏσϯεΛಥ͖͚ͭͯ
    • ਖ਼͍͠ύεϫʔυͷ෇͚ํͷߨशΛͨ͠
    • ҎલͷϙϦγʔͷઃఆऀͷਓʹڠྗΛಘͯແࣄύεϫʔυͷఆ
    ظߋ৽Λഇࢭ

    View Slide

  17. ձࣾͷύεϫʔυϙϦγʔΛ
    ࡴͨ͠࿩
    • ҎલͷϙϦγʔมߋ͸ISMSೝূऔಘʹΑΔ΋ͷͩͬͨ
    • ISMSͷೝূج४ʹ͸ʮϕετɾϓϥΫςΟεʹै͑ʯͱ͔͠ॻ
    ͍͓ͯΒͣɺύεϫʔυఆظมߋΛཁٻ͍ͯ͠ΔΘ͚Ͱ͸ͳ͍
    • ҰํPCI-DSSʹ͸໌ࣔ͞Ε͍ͯΔɻPCI-DSS͕ඞཁͳΒఘΊ·
    ͠ΐ͏
    • ϙϦγʔಋೖͷࠜڌͷূ੻͕࢒ͬͯͳ͍ͷ͸ʮʮʮҋʯʯʯ

    View Slide

  18. View Slide

  19. ·ͱΊ

    View Slide

  20. ύεϫʔυͷ
    ఆظߋ৽Λ
    ഇࢭͤ͞Α͏

    View Slide

  21. ௕͍ύεϫʔυ
    Λ͚ͭΑ͏

    View Slide

  22. ύεϫʔυϚωʔδϟʔ
    Λ࢖͓͏

    View Slide

  23. ϙϦγʔಋೖ࣌ʹ͸
    ٞ࿦ͷաఔ΋
    ͪΌΜͱ࢒ͦ͏

    View Slide

  24. Questions?

    View Slide

  25. ࢀߟURL
    • NIST SP800-63B ຋༁൛ - https:/
    /openid-foundation-
    japan.github.io/800-63-3/sp800-63b.ja.html
    • ͋ͷύεϫʔυنଇɺ࣮͸ࣦഊ࡞ͩͬͨ @ THE WALLSTREET
    JOURNAL - http:/
    /jp.wsj.com/articles/
    SB12199000528276883842504583318883522596550
    • ඪ४ॻʹݟΔʮύεϫʔυͷఆظతมߋʯͷྺ࢙(ॻ͖͔͚์ஔ)
    @ nilnilઐ༻νϥγͷཪ - http:/
    /d.hatena.ne.jp/nilnil/
    20131220/1387546964

    View Slide