Secure Management of Credentials
Zouheir Abdallah, CISA
Senior Risk Specialist – CS/QCERT
6/30/2013 1
Introduction
• Since the introduction of the e-Commerce Law Decree No. (16)
of 2010, web applications have been on the rise in Qatar. These
portals grant the users the ability to perform various electronic
transactions.
Introduction
• It is the responsibility of the owners of these web applications to safeguard the credentials that have been entrusted to them. Failure to properly secure the credentials of their user base could lead to a huge loss, on both the financial side and the business reputation side.
http://money.cnn.com/2012/01/16/technology/zappos_hack/index.htm?iid=EL#TOP
Outline
1. Managing User IDs
2. Managing Passwords
• Password Length
• Password Complexity
3. Storage of Credentials
• No Encryption
• Hashing
• Salting
4. Secure and Unsecure WebApp practices
• Sending Passwords via email
• One-Time Token via a URL
5. 2-Factor Authentication
Managing User IDs
• A User ID is a unique identifier.
• As a WebApp developer, make sure that User IDs are case insensitive, so that the User ID “Ahmad” is treated as the same User ID as “ahmad” or “AHMAD”.
Managing Passwords
• In traditional authentication methods, the password and the
User ID provide basic authentication.
Managing Passwords (Length)
• Ideally, the longer the password the better.
• The web application should set a minimum password length and
enforce it on the user upon password entry.
• The minimum length should be at least 8 characters.
Managing Passwords (Complexity)
• A web application should enforce a password complexity scheme to prevent users from choosing easy-to-guess passwords.
• Allow the user to enter virtually any password and any character.
Managing Passwords (Complexity)
• Make sure that the application clearly states which rules of your password policy the entered password violates.
Managing Passwords (Complexity)
• Preferably the web application should have the functionality to
force the users to choose passwords that adhere to specific
criteria set by the developer, for example:
• 1 Upper Case Letter
• 1 Lower Case Letter
• 1 Number
• 1 Special Character
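As an added example (not the presentation's own code), a policy check that enforces the minimum length and the four complexity criteria above and reports every rule the candidate password fails, so the application can state the violated rules clearly to the user; the rule wording and the MIN_LENGTH constant are my assumptions.

```python
# Added example: password policy check reporting every violated rule.
# Assumptions: the rule wording shown to the user and MIN_LENGTH are mine,
# not the presentation's.
MIN_LENGTH = 8

# Each rule is (text shown to the user, predicate over the candidate password).
# Character classes use str methods, so non-ASCII letters and digits count too;
# no character is rejected: the user may enter virtually any password.
RULES = [
    (f"at least {MIN_LENGTH} characters",
     lambda pw: len(pw) >= MIN_LENGTH),
    ("at least 1 upper case letter",
     lambda pw: any(c.isupper() for c in pw)),
    ("at least 1 lower case letter",
     lambda pw: any(c.islower() for c in pw)),
    ("at least 1 number",
     lambda pw: any(c.isdigit() for c in pw)),
    ("at least 1 special character",
     lambda pw: any(not c.isalnum() for c in pw)),
]


def violated_rules(password: str) -> list[str]:
    """Return the text of every policy rule the password fails.

    Collecting all violations at once lets the application tell the user
    exactly which rules are in violation instead of a vague "invalid password".
    """
    return [text for text, ok in RULES if not ok(password)]


def is_acceptable(password: str) -> bool:
    """True when the password satisfies the whole policy."""
    return not violated_rules(password)
```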
Storing Credentials
• Credentials are essential to authenticating the users and
granting them access to the application.
• So it is only logical to enforce controls on the storage of these
credentials to mitigate the risk associated with their leakage.
Storing Credentials
• Credentials should NOT be stored in the database in a clear text
form.
Storing Credentials
• Passwords should be hashed rather than encrypted.
• Hashing is a one-way function, while encryption is a two-way function, so encrypted passwords can be decrypted and exposed.
[Figure: with encryption the password goes Password, encrypt / decrypt, DB and can be recovered from the DB; with hashing it goes Password, hash function, DB in one direction only.]
Storing Credentials (Salting)
• Salts are stored in plain text in the database along with the Username and the salted-hashed password.
• The purpose of salting is to prevent mass leakage of passwords IF the database is leaked.

UserName   Salt      Hash(Salted Password)
Mohammad   134a209   24bcde31100baccde2efgaedbc24
Omar       abde312   a01bc34aef33120bge234666adcff
Rayan      a1345gb   4cba201ddeg27aegdac6324012ba
Storing Credentials (Salting)
• Make sure that passwords are salted before being hashed and then stored in the database. Salting adds an additional control against the mass leakage of passwords via rainbow-table and dictionary attacks.
Storing Credentials (Salting)
• Rainbow tables are precalculated databases of the hash values of all possible passwords (up to a given length).

Password            Hash
a………                abef013bae221221
aa……                cb1290abcd2231ae
...                 ...
zzzzzzzzzzzzzzz     10cb2ae46dfg7120
Storing Credentials (Salting)
• Attackers use them to find the passwords by comparing the hashes of pre-calculated passwords with the ones leaked.

Leaked Database                   RainBow Table (Precalculated Hashes)
Hash                              Password      Hash
24bcde31100baccde2efgaedbc24      …             …
a01bc34aef33120bge234666adcff     hEll0Every1   bb27cd134ca4200bdef4728100aca
4cba201ddeg27aegdac6324012ba      iLoveQatar    a01bc34aef33120bge234666adcff
                                  n0TTrue       345acbde236ab20dd01bc12f4f332
                                  …             …

(The second leaked hash, a01bc34aef33120bge234666adcff, matches the rainbow-table row for iLoveQatar, so that password is recovered directly.)
Storing Credentials (Salting)
• Salting makes it hard for the attacker to mass “de-hash” the
leaked passwords.
Storing Credentials (Salting)
Leaked Salted Database
Salt      Hash
134a209   24bcde31100baccde2efgaedbc24
abde312   a01bc34aef33120bge234666adcff
a1345gb   4cba201ddeg27aegdac6324012ba

RainBow Table (Precalculated Hashes) + Salt = abde312
Password      Hash
…             …
hEll0Every1   bb27cd134ca4200bdef4728100aca
iLoveQatar    a01bc34aef33120bge234666adcff
n0TTrue       345acbde236ab20dd01bc12f4f332
…             …

RainBow Table (Precalculated Hashes) + Salt = 134a209
Password      Hash
…             …
hEll0Every1   bb27cd134ca4200bdef4728100aca
iLoveQatar    acbde2431bdde567aed321004212
n0TTrue       24bcde31100baccde2efgaedbc24
…             …

RainBow Table (Precalculated Hashes) + Salt = a1345gb
Password      Hash
…             …
hEll0Every1   4cba201ddeg27aegdac6324012ba
iLoveQatar    fbcd200123adcbfgbge234666adcff
n0TTrue       acbde2431bdde567aed321004212
…             …

(Because every user has a different salt, the attacker has to precalculate a separate rainbow table for each salt; one table no longer covers the whole leaked database.)
Storing Credentials (Salting)
• How do you validate the credentials against the stored salted hash?
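Added example, not code from the presentation: registering a user with a per-user random salt and validating a login against the stored salt + hash, including the case-insensitive User ID handling from the Managing User IDs section. It goes one step beyond the slides' plain salted hash by using PBKDF2-HMAC-SHA256 (a salted hash iterated many times); the in-memory USERS dict, the ITERATIONS value and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not from the presentation. PBKDF2-HMAC-SHA256 is a salted
# hash iterated many times, so every guess costs an attacker as much work as
# it costs the server.
ITERATIONS = 600_000   # assumption: tune so one check takes ~0.1 s on your server
SALT_BYTES = 16

# Constructed in-memory stand-in for the credentials table:
# normalized user ID -> {"salt": hex, "hash": hex}. The password is never stored.
USERS: dict[str, dict[str, str]] = {}


def normalize_user_id(user_id: str) -> str:
    """User IDs are case insensitive: "Ahmad", "ahmad" and "AHMAD" are one account."""
    return user_id.strip().casefold()


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (salt is mixed in by PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(user_id: str, password: str) -> dict[str, str]:
    """Store the salt in plain text next to the salted hash, as the slides describe."""
    key = normalize_user_id(user_id)
    if key in USERS:
        raise ValueError("user ID already taken")
    salt = secrets.token_bytes(SALT_BYTES)   # fresh CSPRNG salt for every user
    record = {"salt": salt.hex(), "hash": hash_password(password, salt).hex()}
    USERS[key] = record
    return record


def verify(user_id: str, password: str) -> bool:
    """Validate a login: re-hash the supplied password with the stored salt and compare."""
    record = USERS.get(normalize_user_id(user_id))
    if record is None:
        # Do the same amount of work for unknown users so the response time
        # does not reveal which user IDs exist.
        hash_password(password, bytes(SALT_BYTES))
        return False
    candidate = hash_password(password, bytes.fromhex(record["salt"]))
    # Constant-time comparison; never compare hashes with ==.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))
```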
Secure & UnSecure Practices
• Never send the user his/her password, whether via email or via any other form of communication.
Secure & UnSecure Practices
• In case the user has forgotten his password and clicked on the “I forgot my password” link, send the user a One-Time token embedded in a URL to his inbox. Make sure that this token has an expiry time.
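Added example (not the presentation's or Dropbox's code) of the one-time, expiring reset token described above: the token is unguessable, stored only as a hash, invalidated by a newer request, and destroyed on first use; the RESET_TOKENS dict standing in for a database table, the 15-minute TTL and the placeholder base URL are assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Added example, not the presentation's or Dropbox's code.
TOKEN_TTL_SECONDS = 15 * 60                        # assumption: 15-minute expiry
RESET_BASE_URL = "https://example.invalid/reset"   # placeholder base URL

# Constructed stand-in for a database table:
# sha256(token) hex -> {"user": user ID, "expires": epoch seconds}
RESET_TOKENS: dict[str, dict] = {}


def _token_hash(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table cannot be
    # turned into working reset links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_link(user_id: str, now: Optional[float] = None) -> str:
    """Create a one-time, expiring token for user_id and return the URL to e-mail."""
    now = time.time() if now is None else now
    # A new request invalidates any earlier, still-unused link for the same user.
    for h in [h for h, e in RESET_TOKENS.items() if e["user"] == user_id]:
        del RESET_TOKENS[h]
    token = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG, unguessable
    RESET_TOKENS[_token_hash(token)] = {"user": user_id,
                                        "expires": now + TOKEN_TTL_SECONDS}
    return f"{RESET_BASE_URL}?token={token}"


def token_from_url(url: str) -> str:
    """Extract the token parameter from a reset URL (what the reset page receives)."""
    return parse_qs(urlparse(url).query)["token"][0]


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user ID if the token is valid and unexpired, else None.

    The token is removed on first presentation, valid or not: a link works
    exactly once, and an expired link is discarded rather than left behind.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_hash(token), None)
    if entry is None or now > entry["expires"]:
        return None
    return entry["user"]
```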
2-Factor Authentication
• 2-Factor Authentication requires an additional input on top of the traditional username and password combination.
• By introducing the 2nd factor, the web application further authenticates the true identity of the user via something the user knows (User ID, password, secret image, ...) and something the user has (digital certificate, security token, mobile phone).
2-Factor Authentication
• 2-FA OTP via Mobile Phone
2-Factor Authentication
• 2-FA OTP via Security Token
2-Factor Authentication
• 2-FA via Digital Certificate
2-Factor Authentication
Case Study - Dropbox
Case Study - Dropbox
• Case study of Dropbox’s flawed implementation of 2-FA.
• Discovered and reported by Zouheir Abdallah on June 10th, 2013.
• Fixed by Dropbox’s security team on June 21st, 2013.
• Received acknowledgment and thanks from Dropbox... and a t-shirt.
Case Study - Dropbox
• Vulnerability
  2-FA could be disabled for any person, given that the attacker knows the username/password of the victim.
• Attack Vector
  The emergency backup code that Dropbox generates for the user to use in case his/her 2-FA method is lost (think lost mobile phone).
Case Study - Dropbox
• Vulnerability
  As mentioned earlier, the emergency backup code is flawed: the code of one account can be used on another account that is similar to the victim’s account.
Case Study - Dropbox
• Vulnerability
  Dropbox didn’t disclose what the vulnerability was, but according to QCERT’s analysis, the emergency backup code generation tool was dropping the dots of the e-mail address in its algorithm, so the emergency backup code for zuz……85@hotmail.com would work on the account zuz.85@hotmail.com.
Questions?
Visit us on www.QCERT.org

Weitere ähnliche Inhalte

Ähnlich wie Secure management of credentials - Zouheir Abdulla

3D Password and its importance
3D Password and its importance3D Password and its importance
3D Password and its importanceshubhangi singh
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
An efficient certificate less encryption for
An efficient certificate less encryption forAn efficient certificate less encryption for
An efficient certificate less encryption forShakas Technologies
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack AzureAbdul Khan
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp
 
Advanced Multi-Encryption Technique in Cloud Computing
Advanced Multi-Encryption Technique in Cloud ComputingAdvanced Multi-Encryption Technique in Cloud Computing
Advanced Multi-Encryption Technique in Cloud ComputingAM Publications
 
3d authentication system
3d authentication system3d authentication system
3d authentication systemRicha Agarwal
 
13.02 Network Security
13.02   Network Security13.02   Network Security
13.02 Network SecurityAnjan Mahanta
 
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...IRJET Journal
 
Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Kailas Patil
 
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in CloudIRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in CloudIRJET Journal
 
IRJET - Reliable and Efficient Revocation and Data Sharing using Identity...
IRJET -  	  Reliable and Efficient Revocation and Data Sharing using Identity...IRJET -  	  Reliable and Efficient Revocation and Data Sharing using Identity...
IRJET - Reliable and Efficient Revocation and Data Sharing using Identity...IRJET Journal
 
IRJET - Improving Password System using Blockchain
IRJET - Improving Password System using BlockchainIRJET - Improving Password System using Blockchain
IRJET - Improving Password System using BlockchainIRJET Journal
 
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...Migrant Systems
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 
Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...TusharAgarwal49094
 

Ähnlich wie Secure management of credentials - Zouheir Abdulla (20)

3D Password and its importance
3D Password and its importance3D Password and its importance
3D Password and its importance
 
3D Password
3D Password3D Password
3D Password
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
 
An efficient certificate less encryption for
An efficient certificate less encryption forAn efficient certificate less encryption for
An efficient certificate less encryption for
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
 
3D Password
3D Password3D Password
3D Password
 
Advanced Multi-Encryption Technique in Cloud Computing
Advanced Multi-Encryption Technique in Cloud ComputingAdvanced Multi-Encryption Technique in Cloud Computing
Advanced Multi-Encryption Technique in Cloud Computing
 
3d authentication system
3d authentication system3d authentication system
3d authentication system
 
13.02 Network Security
13.02   Network Security13.02   Network Security
13.02 Network Security
 
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222
 
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in CloudIRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
 
3D Password PPT
3D Password PPT3D Password PPT
3D Password PPT
 
IRJET - Reliable and Efficient Revocation and Data Sharing using Identity...
IRJET -  	  Reliable and Efficient Revocation and Data Sharing using Identity...IRJET -  	  Reliable and Efficient Revocation and Data Sharing using Identity...
IRJET - Reliable and Efficient Revocation and Data Sharing using Identity...
 
IRJET - Improving Password System using Blockchain
IRJET - Improving Password System using BlockchainIRJET - Improving Password System using Blockchain
IRJET - Improving Password System using Blockchain
 
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security
 
Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...
 

Mehr von OWASP-Qatar Chapter

Introduction to Session Management Dana Al-abdulla
Introduction to Session Management   Dana Al-abdullaIntroduction to Session Management   Dana Al-abdulla
Introduction to Session Management Dana Al-abdullaOWASP-Qatar Chapter
 
Securing the channel - Tarkay Jamaan
Securing the channel - Tarkay JamaanSecuring the channel - Tarkay Jamaan
Securing the channel - Tarkay JamaanOWASP-Qatar Chapter
 
Owasp qatar presentation top 10 changes 2013 - Tarun Gupta
Owasp qatar presentation   top 10 changes 2013 - Tarun GuptaOwasp qatar presentation   top 10 changes 2013 - Tarun Gupta
Owasp qatar presentation top 10 changes 2013 - Tarun GuptaOWASP-Qatar Chapter
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq OWASP-Qatar Chapter
 
Sql injection to enterprise Owned - K.K. Mookhey
Sql injection to enterprise Owned  - K.K. Mookhey Sql injection to enterprise Owned  - K.K. Mookhey
Sql injection to enterprise Owned - K.K. Mookhey OWASP-Qatar Chapter
 
Defending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason LamDefending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason LamOWASP-Qatar Chapter
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerApplication Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerOWASP-Qatar Chapter
 

Mehr von OWASP-Qatar Chapter (8)

Introduction to Session Management Dana Al-abdulla
Introduction to Session Management   Dana Al-abdullaIntroduction to Session Management   Dana Al-abdulla
Introduction to Session Management Dana Al-abdulla
 
Securing the channel - Tarkay Jamaan
Securing the channel - Tarkay JamaanSecuring the channel - Tarkay Jamaan
Securing the channel - Tarkay Jamaan
 
Owasp qatar presentation top 10 changes 2013 - Tarun Gupta
Owasp qatar presentation   top 10 changes 2013 - Tarun GuptaOwasp qatar presentation   top 10 changes 2013 - Tarun Gupta
Owasp qatar presentation top 10 changes 2013 - Tarun Gupta
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq
 
You installed what Thierry Sans
You installed what  Thierry SansYou installed what  Thierry Sans
You installed what Thierry Sans
 
Sql injection to enterprise Owned - K.K. Mookhey
Sql injection to enterprise Owned  - K.K. Mookhey Sql injection to enterprise Owned  - K.K. Mookhey
Sql injection to enterprise Owned - K.K. Mookhey
 
Defending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason LamDefending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason Lam
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerApplication Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh Ummer
 

Kürzlich hochgeladen

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

Secure management of credentials - Zouheir Abdulla

  • 1. Secure Management of Credentials Zouheir Abdallah, CISA Senior Risk Specialist – CS/QCERT
  • 2. 6/30/2013 1 Introduction • Since the introduction of the e-Commerce Law Decree No. (16) of 2010, web applications have been on the rise in Qatar. These portals grant the users the ability to perform various electronic transactions.
  • 3. 6/30/2013 2 Introduction • It is the responsibility of the owners of these web applications to safe guard the credentials that have been entrusted to them. Failure to properly secure the credentials of their user base, could lead to a huge loss on both the financial side and the business reputation side. http://money.cnn.com/2012/01/16/technology/zap pos_hack/index.htm?iid=EL#TOP
  • 4. 6/30/2013 3 Outline 1. Managing User IDs 2. Managing Passwords • Password Length • Password Complexity 3. Storage of Credentials • No Encryption • Hashing • Salting 4. Secure and Unsecure WebApp practices • Sending Passwords via email • One-Time Token via a URL 5. 2-Factor Authentication
  • 6. 6/30/2013 55 Managing User IDs • A User ID is a unique identifier. • As a WebApp developer, make sure that the User IDs are case insensitive and the User ID “Ahmad” is the same as “ahmad” or “AHMAD”.
  • 9. 6/30/2013 88 Managing Passwords • In traditional authentication methods, the password and the User ID provide basic authentication.
  • 10. 6/30/2013 99 Managing Passwords ( Length) • Ideally, the longer the password the better. • The web application should set a minimum password length and enforce it on the user upon password entry. • Minimum length should be at least 8 characters long.
  • 11. 6/30/2013 1010 Managing Passwords ( Complexity) • A web application should enforce a certain password complexity schema to prevent users from using easy to guess passwords. • Allow the user to enter virtually any password and any character.
  • 12. 6/30/2013 1111 Managing Passwords ( Complexity) • Make sure that the application clearly states the password rules that are in violation of your password policy.
  • 13. 6/30/2013 1212 Managing Passwords ( Complexity) • Preferably the web application should have the functionality to force the users to choose passwords that adhere to specific criteria set by the developer, for example: • 1 Upper Case Letter • 1 Lower Case Letter • 1 Number • 1 Special Character
  • 15. 6/30/2013 1414 Storing Credentials • Credentials are essential to authenticating the users and granting them access to the application. • So it is only logical to enforce controls on the storage of these credentials to mitigate the risk associated with their leakage.
  • 16. 6/30/2013 1515 Storing Credentials • Credentials should NOT be stored in the database in a clear text form.
  • 17. 6/30/2013 1616 Storing Credentials • Passwords should be hashed rather than encrypted. • Hashing is a one way function, while encryption is a two way function and passwords can be decrypted and exposed. encrypt / decrypt Password DB Password Hash function DB
  • 18. 6/30/2013 1717 Storing Credentials (Salting) • Salts are stored in plain text in the database along with the Username and the SaltedHashed Password. • The purpose of salting is to prevent mass leakage of passwords IF the database was leaked. UserName Salt Hash Salted Password Mohammad 134a209 24bcde31100baccde2efgaedbc24 Omar abde312 a01bc34aef33120bge234666adcff Rayan a1345gb 4cba201ddeg27aegdac6324012ba
  • 19. 6/30/2013 1818 Storing Credentials (Salting) • Make sure that the passwords are salted before being hashed and then stored in the database. Salting adds an additional control to counter the mass leakage of passwords via rainbow dictionary attacks.
• 20. Storing Credentials (Salting)
• Rainbow tables are precalculated databases that map candidate passwords to their hash values.

Password          Hash
a…                abef013bae221221
aa…               cb1290abcd2231ae
…                 …
zzzzzzzzzzzzzzz   10cb2ae46dfg7120

• 21. Storing Credentials (Salting)
• Attackers use them to find the passwords by looking up each leaked hash among the precalculated hashes.

Leaked Database
Hash
24bcde31100baccde2efgaedbc24
a01bc34aef33120bge234666adcff
4cba201ddeg27aegdac6324012ba

RainBow Table (Precalculated Hashes)
Password      Hash
…             …
hEll0Every1   bb27cd134ca4200bdef4728100aca
iLoveQatar    a01bc34aef33120bge234666adcff
n0TTrue       345acbde236ab20dd01bc12f4f332
…             …

• Omar's leaked hash a01bc34aef33120bge234666adcff appears in the table next to iLoveQatar, so his password is recovered with a single lookup.
• 22. Storing Credentials (Salting)
• Salting makes it hard for the attacker to mass "de-hash" the leaked passwords.
• 23. Storing Credentials (Salting)

Leaked Salted Database
Salt     Hash
134a209  24bcde31100baccde2efgaedbc24
abde312  a01bc34aef33120bge234666adcff
a1345gb  4cba201ddeg27aegdac6324012ba

RainBow Table (Precalculated Hashes) + Salt = abde312
Password      Hash
…             …
hEll0Every1   bb27cd134ca4200bdef4728100aca
iLoveQatar    a01bc34aef33120bge234666adcff
n0TTrue       345acbde236ab20dd01bc12f4f332
…             …

RainBow Table (Precalculated Hashes) + Salt = 134a209
Password      Hash
…             …
hEll0Every1   bb27cd134ca4200bdef4728100aca
iLoveQatar    acbde2431bdde567aed321004212
n0TTrue       24bcde31100baccde2efgaedbc24
…             …

RainBow Table (Precalculated Hashes) + Salt = a1345gb
Password      Hash
…             …
hEll0Every1   4cba201ddeg27aegdac6324012ba
iLoveQatar    fbcd200123adcbfgbge234666adcff
n0TTrue       acbde2431bdde567aed321004212
…             …

• A separate table has to be precalculated for every distinct salt, so one table no longer cracks the whole database.
• 24. Storing Credentials (Salting)
• How to validate the credentials with the stored salted hash?
• Look up the user's salt, hash the entered password together with that salt exactly as at registration, and compare the result with the stored salted hash.
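As an added example (this is not code from the slides), the Python below stores a random per-user salt beside the salted hash, in the same UserName / Salt / Hash layout as the table above, and validates a login by recomputing the hash from the stored salt. One deliberate change from the single hash function the slides draw: it uses PBKDF2 (a salted, iterated hash from the standard library) so that each guess costs the attacker real time; bcrypt or Argon2 would serve the same purpose. The iteration count, salt size and the in-memory dictionary standing in for the database are this example's assumptions.

```python
import hashlib
import hmac
import os

# Added example: salted password storage and validation.
# The parameters below are this example's assumptions, not the slides'.
HASH_NAME = "sha256"
ITERATIONS = 200_000   # PBKDF2 rounds: makes every guess costly for an attacker
SALT_BYTES = 16        # 128-bit random salt, unique per user

# Constructed in-memory stand-in for the database table on the slide:
# user name (lower-cased, since user IDs are case insensitive) -> (salt hex, hash hex)
USERS = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Generate a fresh random salt, hash salt+password and store both."""
    salt = os.urandom(SALT_BYTES)
    USERS[username.lower()] = (salt.hex(), hash_password(password, salt).hex())


def verify(username: str, password: str) -> bool:
    """Validate a login: fetch the user's salt, recompute the salted hash of the
    entered password and compare it with the stored hash in constant time."""
    record = USERS.get(username.lower())
    if record is None:
        # Do the same amount of work for unknown users so a missing account
        # cannot be told apart from a wrong password by the response time.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt_hex, stored_hex = record
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(stored_hex))


if __name__ == "__main__":
    register("Mohammad", "hEll0Every1")
    register("Omar", "hEll0Every1")
    # Same password, different salts, so the stored hashes differ.
    print(USERS["mohammad"][1] != USERS["omar"][1])
    print(verify("mohammad", "hEll0Every1"), verify("Mohammad", "n0TTrue"))
```

Two users who pick the same password end up with different stored hashes, which is exactly what defeats the single precalculated table of the previous slides; the constant-time comparison avoids leaking how many leading bytes of the hash matched.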
• 25. Secure and Unsecure Practices
• 26. Secure & Unsecure Practices
• Never send the user his/her password, neither via email nor via any other form of communication.
• 28. Secure & Unsecure Practices
• In case the user has forgotten his password and clicked on "I forgot my password", send the user a one-time token via a URL to his inbox. Make sure that this token is random and unguessable, that it has an expiry time, and that it is invalidated after its first use.
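As an added example (this is not code from the slides), the Python below issues a one-time reset token with an expiry time and redeems it exactly once. Only a hash of the token is kept on the server, so a leaked token table cannot be replayed. The 15-minute lifetime, the in-memory store and the reset URL shown in the comment are this example's assumptions.

```python
import hashlib
import secrets
import time

# Added example: one-time, expiring password-reset token sent in a URL.
# The 15-minute lifetime and the in-memory store are this example's assumptions.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed store: sha256(token) -> (user name, expiry as unix time).
# Only a hash of the token is stored, so a leaked table cannot be replayed.
RESET_TOKENS = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: float = None) -> str:
    """Create an unguessable token for the user. The caller emails it as, for
    example, https://example.com/reset?token=<token> (hypothetical URL)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    RESET_TOKENS[_token_key(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: float = None):
    """Return the user name if the token is known and unexpired, else None.
    The token is deleted on its first presentation whether or not it was valid."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(_token_key(token), None)
    if record is None:
        return None
    username, expires_at = record
    if now > expires_at:
        return None
    return username


if __name__ == "__main__":
    t = issue_reset_token("omar")
    print(redeem_reset_token(t))   # omar
    print(redeem_reset_token(t))   # None: already used
```

After a successful redemption the application lets the user set a new password (subject to the policy) and should also terminate any existing sessions of that account; the `now` parameter exists only so the expiry logic can be exercised without waiting.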
• 30. 2-Factor Authentication
• 2-Factor Authentication requires an additional input on top of the traditional user name and password combination.
• By introducing the second factor, the web application further verifies the true identity of the user by combining something the user knows (user ID, password, secret image, ...) with something the user has (digital certificate, security token, mobile phone).
• 31. 2-Factor Authentication
• 2-FA OTP via Mobile Phone
• 32. 2-Factor Authentication
• 2-FA OTP via Security Token
• 33. 2-Factor Authentication
• 2-FA via Digital Certificate
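As an added example (this is not code from the slides), the Python below implements the one-time password scheme behind both the mobile-phone and the security-token variants above: TOTP (RFC 6238), a time-based counter fed into HOTP (RFC 4226) with HMAC-SHA1. The shared secret is established when the user enrols the phone or token and is what makes it "something the user has"; that the server stores this secret per user, and the one-step drift window, are this example's assumptions. The secret in the `__main__` block is the public RFC 6238 test secret, not a real one.

```python
import hashlib
import hmac
import struct
import time

# Added example: time-based one-time passwords (TOTP, RFC 6238 over HOTP, RFC 4226)
# as generated by authenticator apps and hardware tokens. The server keeps the
# shared secret per user (assumption of this example) and runs verify_totp().


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float = None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the number of `step`-second periods since epoch."""
    unix_time = time.time() if unix_time is None else unix_time
    return hotp(key, int(unix_time // step), digits)


def verify_totp(key: bytes, submitted: str, unix_time: float = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current period and `window` periods either
    side to tolerate clock drift between phone/token and server; compare in
    constant time so the comparison does not leak matching digits."""
    unix_time = time.time() if unix_time is None else unix_time
    counter = int(unix_time // step)
    expected = submitted.encode("utf-8")
    return any(hmac.compare_digest(hotp(key, counter + d, digits).encode("utf-8"), expected)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1, 8 digits.
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))   # 94287082 (RFC 6238 test vector)
```

A production deployment should additionally remember the last counter value accepted for each user so that a captured code cannot be replayed inside the window, and should rate-limit attempts, since a six-digit code has only a million possibilities. Whatever second factor is chosen, any emergency backup code issued for it must be bound to exactly one account, which is the point of the Dropbox case study that follows.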
• 35. Case Study -
• Case study of Dropbox's flawed implementation of 2-FA.
• Discovered and reported by Zouheir Abdallah on June 10th 2013.
• Fixed by Dropbox's security team on June 21st 2013.
• Received acknowledgment and thanks from Dropbox…………… and a t-shirt.
• 36. Case Study -
• Vulnerability: 2-FA could be disabled on any account, provided that the attacker already knew the victim's username and password.
• Attack Vector: the emergency backup code that Dropbox generates for the user to use in case his/her 2-FA method is lost (think of a lost mobile phone).
• 37. Case Study -
• Vulnerability: As mentioned earlier, the emergency backup code is flawed. The code generated for one account can be used on another account whose address is similar to the victim's.
• 38. Case Study -
• Vulnerability: Dropbox didn't disclose what the vulnerability was, but according to QCERT's analysis, the emergency backup code generation tool drops the dots of the e-mail address in its algorithm. So the emergency backup code for zuz……85@hotmail.com would work on the account zuz.85@hotmail.com
• 39. Case Study -
• Vulnerability