Passwords
Charles Southerland
ONEsite & DC405

Know anyone that...
...uses the same password for everything?

Multiple Passwords
Regarding multiple passwords...
• ...never write a password down or store it unencrypted (including email, SMS, etc.).
• ...avoid reusing a password for any two things.
• ...if you feel you must reuse some passwords, never reuse a password for something which needs to be secure.
• ...many people have tricks based on what the password is for (Steve Gibson has a new one).
• ...you could use KeePass or LastPass.

Know anyone that...
...thinks it's a good idea to change passwords every 6 months?

Regular Password Changes
Changing your passwords every 6 months...
• ...does nothing to protect you.
• ...encourages bad password habits.
• ...gives a false sense of security.
• ...is much less secure than making your passwords a few characters longer.
• ...makes end users hate tech support. :(

Know anyone that...
...thinks it's okay to limit passwords to being between 8 and 25 characters in length?

Minimum Password Length
Passwords should be...
• ...made of not just lower-case letters.
• ...no less than 12 characters long given the power of the modern GPU.
• ...as long as is practical (more on this in a bit).

Password Haystacks
Which password will be caught first by most brute-force password cracking algorithms?
• D0g.....................
• PrXyc.N(n4k77#L!eVdAfp9
Steve Gibson came up with the idea of "Password Haystacks" just a few months ago, and it is already starting to take off.
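The haystack comparison on this slide, worked through as an added example (this is not code from the talk or from GRC's calculator): count the alphabet each password draws from, then count the candidates an exhaustive search must try at every length up to the password's own. The 26/26/10/33 class sizes and the guess rate in the demo are assumptions for this example.

```python
# Alphabet size contributed by each character class the password uses.
# 33 is the count of printable ASCII punctuation characters (assumed here).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# The two passwords from the slide (constructed as string constants here).
PADDED = "D0g....................."
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"


def alphabet_size(password: str) -> int:
    """Sum the sizes of every character class the password actually uses.

    A brute-force search cannot know which classes are present, so a single
    digit or symbol anywhere forces the attacker to search the whole class.
    """
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[c] for c in classes)


def search_space(password: str) -> int:
    """Candidates an exhaustive search must try before it is guaranteed to hit
    this password: every string of length 1..n over the alphabet used."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the search space at a given guess rate."""
    return search_space(password) / guesses_per_second


def compare(first: str, second: str) -> float:
    """How many times larger the first password's haystack is than the second's."""
    return search_space(first) / search_space(second)


if __name__ == "__main__":
    # Assumed rate for an offline attack against a fast unsalted hash on one GPU.
    rate = 1e11
    for pw in (PADDED, RANDOM):
        print(f"{pw!r}: alphabet={alphabet_size(pw)} len={len(pw)} "
              f"space={search_space(pw):.3e} "
              f"worst-case={seconds_to_exhaust(pw, rate) / 3.15e7:.3e} years")
    # Both use all four classes; the padded one wins simply by being one character longer.
    print(f"padded is {compare(PADDED, RANDOM):.1f}x larger")
```

The point the slide makes falls out of the arithmetic: once every class is present, each extra character multiplies the haystack by the full alphabet, so easy-to-remember padding beats hard-to-remember randomness of the same or shorter length.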
Know anyone that...
...thinks it's okay to have an upper limit on how many characters are in a password?
Note: Not referring to an upper limit imposed by buffer size.

Upper Limits on Length
If someone gives you an upper limit on password length that isn't solely because of browser or server limitations...
• ...you need to be very concerned.
• ...they could be storing your password instead of storing its hash.
• ...they could possibly get your password.
• ...an ID thief can probably get your password.

Know anyone that...
...stores passwords (plain or encrypted) in a database field?

Password Hashes
Passwords should...
• ...NEVER be stored in a database in such a way that they can be recreated.
• ...be checked by comparing the hash of the supplied password against the password hash stored in the database.
• ...be removed from RAM as quickly as possible.
• ...be salted by being padded and then encrypted using a combination of data that changes between users and a secret site key.
• ...be hashed using a modern hashing algorithm like SHA-384.
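A worked version of the storage and checking rules on this slide, added here as an example and not the talk's own code: a fresh random salt per user, a secret site key mixed in with HMAC-SHA384, and SHA-384 applied through PBKDF2 so the work factor can be raised later. The iteration count, salt length and record layout are choices made for this example, and the unsalted function is shown only as the contrast the slide warns against.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example, not taken from the slide.
ITERATIONS = 100_000      # PBKDF2 rounds; raise over time as hardware improves
SALT_BYTES = 16           # per-user random salt length
SCHEME = "pbkdf2_sha384"  # stored with each record so it can be migrated later


def unsalted_sha384(password: str) -> str:
    """The pattern the slide warns against: one bare hash, no salt, no site key.
    Every user with the same password gets the same hash, so one precomputed
    table of hashes cracks all of them at once."""
    return hashlib.sha384(password.encode("utf-8")).hexdigest()


def _prehash(password: str, salt: bytes, site_key: bytes) -> bytes:
    """Bind the password to the per-user salt and the secret site key.

    The salt lives in the database beside the hash; the site key lives only in
    application configuration. HMAC keyed with the site key means a copy of the
    user table alone (salts included) is not enough to start guessing offline.
    """
    return hmac.new(site_key, salt + password.encode("utf-8"), hashlib.sha384).digest()


def hash_password(password: str, site_key: bytes, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.

    Storing the parameters with the hash lets the iteration count be raised for
    new records without breaking verification of old ones.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    derived = hashlib.pbkdf2_hmac("sha384", _prehash(password, salt, site_key),
                                  salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str, site_key: bytes) -> bool:
    """Recompute the record from the supplied password and compare in constant
    time, so the comparison does not leak how many leading bytes matched."""
    try:
        scheme, iterations, salt_hex, _stored_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed check, never as a match
    if scheme != SCHEME or rounds <= 0:
        return False
    candidate = hash_password(password, site_key, salt, rounds)
    return hmac.compare_digest(candidate, record)


if __name__ == "__main__":
    # Constructed for the demo; in practice the site key comes from configuration
    # or a secrets store, never from the database that holds the hashes.
    site_key = os.urandom(32)
    record = hash_password("correct horse battery staple", site_key)
    print(record)
    print(verify_password("correct horse battery staple", record, site_key))  # True
    print(verify_password("correct horse battery stable", record, site_key))  # False
    # Same password, two users: identical with the bare hash, distinct when salted.
    print(unsalted_sha384("same") == unsalted_sha384("same"))                  # True
    print(hash_password("same", site_key) == hash_password("same", site_key))  # False
```

Salts are public by design; what keeps a leaked table from being attacked directly is the site key held outside the database together with the per-guess cost of the iterated hash.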
Password Requirements
Passwords should be required to...
• ...have more than just lower-case letters.
• ...be at least 12 characters long.
• ...never be known, read, heard, or seen by anyone else ever, no exceptions.
• ...not have been guessed by a password cracker.
• ...be something the user has entered, and never be a temporary password given to the user by an admin or password reset email.
• ...be entered only on pages protected by captchas whenever possible.

Know anyone that...
...doesn't always check that every page is HTTPS while logging in and while logged in?

HTTPS (as Client)
To protect yourself while browsing...
• ...make sure your browser no longer trusts the DigiNotar certificate authority!
• ...always make sure you have a secure connection before entering data.
• ...always make sure you have a secure connection if you are logged in.
• ...definitely get the HTTPS Everywhere plugin.
• ...possibly get the Certificate Patrol plugin.

HTTPS (as Server)
HTTPS should always be required when...
• ...usernames and/or passwords are accepted.
• ...cookies are being sent or requested.
• ...the user is logged in.
• ...JavaScript is provided and sensitive data can be entered in forms on the page.

Other Notes
• Whenever possible, use OpenID to handle users (so you can avoid any password-related pitfalls in the first place).
• Never ask a user for credentials to another site; always use OAuth to enable such functionality.
• If you believe any passwords have been compromised, inform everyone immediately; DigiNotar's fate was sealed when they chose not to responsibly disclose.
• You need to start thinking about two-factor and three-factor authentication if you haven't started already.

About Cryptography
Cryptography...
• ...is not intuitive.
• ...can solve almost every problem in security.
• ...can often make up for PEBKAC.
• ...is going to become increasingly vital to your company.
• ...is something I hope you ask me more about.

Password Haystacks
https://www.grc.com/haystack.htm
HTTPS Everywhere
https://www.eff.org/https-everywhere