Managing passwords is a critical developer task, and developers building or augmenting legacy authentication systems face a daunting job against modern adversaries. This talk reviews some of the changes recommended in NIST SP 800-63B, "Digital Identity Guidelines: Authentication and Lifecycle Management", regarding password policy. We'll discuss topics such as credential stuffing and the importance of screening for common passwords found in public breaches, and we'll cover various strategies for storing passwords using modern algorithms and methods.
* Importance of Password Storage
* Credential Stuffing
* Password Policy Updates from NIST[masked]b
* Password Topologies
* Offline Password Attacks
* Password Cracking
* Password Hashing Strategies
* Password Keyed Protections
* Hard-Coded Passwords and Backdoors
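As an added example (not part of the talk, and not the NIST document's own code), the following Python check applies the memorized-secret rules from NIST SP 800-63B section 5.1.1.2 the way a verifier would at sign-up: an 8-character minimum with a generous maximum, no composition rules, no expiry, and rejection of candidates found in a breach corpus, of repetitive or sequential strings, and of context words such as the username or service name. The breach set, the service name `acme`, the length ceiling and all function names are constructed for the example; the lookup mirrors the k-anonymity range-query shape (5-character SHA-1 prefix, suffix compared locally) so it runs offline without a real corpus.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B 5.1.1.2 (added example)."""
import hashlib
import unicodedata
from typing import List, Tuple

# Constructed breach sample. A real deployment uses a corpus such as Pwned Passwords,
# which is keyed by upper-case SHA-1 hex so clients can query it with k-anonymity.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Password1!", "iloveyou", "password1")
}
SERVICE_WORDS = ("acme",)   # hypothetical service name; 800-63B also bans the username
MIN_LEN, MAX_LEN = 8, 128   # 800-63B: at least 8 required; at least 64 must be accepted


def normalize(secret: str) -> str:
    """NFKC-normalize so the same visible string always hashes identically. No trimming:
    800-63B allows any printing ASCII or Unicode character, spaces included."""
    return unicodedata.normalize("NFKC", secret)


def sha1_range(secret: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-hex-char prefix is what would go to the server,
    the suffix stays local and is compared against the returned range."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_lookup(prefix: str) -> List[str]:
    """Simulates the server side of a range query: every suffix under this prefix."""
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)]


def is_breached(secret: str) -> bool:
    prefix, suffix = sha1_range(secret)
    return suffix in range_lookup(prefix)


def check_password(secret: str, username: str = "") -> Tuple[bool, str]:
    """Return (accepted, reason). Deliberately no upper/digit/symbol rules: 800-63B
    drops composition rules and periodic expiry in favour of length and blocklists."""
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return False, "too short"
    if len(s) > MAX_LEN:
        return False, "too long"
    if is_breached(s):                       # breach corpus is case-sensitive, check first
        return False, "found in breach corpus"
    low = s.lower()
    if any(w and w.lower() in low for w in (username, *SERVICE_WORDS)):
        return False, "contains username or service name"
    if len(set(low)) == 1:                   # "aaaaaaaa"
        return False, "repetitive"
    for seq in ("abcdefghijklmnopqrstuvwxyz", "0123456789"):
        if low in seq or low in seq[::-1]:   # "abcdefgh", "9876543210"
            return False, "sequential"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple", "abcdefghij"):
        print(repr(candidate), check_password(candidate))
```

The breach check runs before the context-word check so that a candidate like `Password1!` is reported for the reason that matters most; in production the `range_lookup` call is the one HTTP request to the range endpoint, and nothing but the 5-character prefix leaves the host.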
Speaker:
Jim Manico, Manicode Security
Talk language: English
About the Speaker:
*********************
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from Oracle Press. Jim also volunteers for the OWASP foundation as the project co-lead for the OWASP ASVS and the OWASP Proactive Controls.
38. Password Storage Summary
• Passwords are an attractive target in data breaches
  Insecure backups or SQL injection vulnerabilities are the tip of the iceberg
  Prepare for the worst: implement a secure password storage mechanism
• Legacy password storage mechanisms cannot withstand modern attacks
  Encryption can be broken by stealing the encryption key
  Fast general-purpose hashing can be broken by lookup tables when unsalted, and by brute force even when salted
• The proper way to store passwords is using a password-hashing function like bcrypt, scrypt or Argon2
  The variable cost factor makes brute force prohibitively expensive, and can be raised as hardware gets faster
• Legacy systems should be upgraded ASAP to a more secure storage mechanism
@PhilippeDeRyck, Dr. Philippe De Ryck
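The storage advice on the slide and the "Password Keyed Protections" item from the agenda, as an added example that is neither Philippe De Ryck's nor the talk's code: salted scrypt from Python's standard library (`hashlib.scrypt`) with a tunable cost factor, a server-side pepper applied with HMAC before hashing, constant-time comparison, and a login path that transparently rehashes legacy unsalted SHA-256 records or scrypt records stored at a lower cost than the current target. The pepper value, the record format (`scheme$log_n$salt$hash`), the cost parameters and the function names are assumptions for the example.

```python
"""Salted, peppered scrypt storage with upgrade-on-login (added example)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical server-side pepper (constructed value). Keep it OUT of the database:
# load it from a KMS/HSM or secrets manager so a DB dump alone cannot be cracked offline.
PEPPER = bytes.fromhex("4f5a1d3e9c2b7a6058e1f0c9d4b3a2918c7f6e5d4c3b2a19f8e7d6c5b4a39281")

# scrypt cost: memory per hash is 128 * r * 2**log_n bytes (16 MiB at log_n=14).
# Raising CURRENT_LOG_N is the "variable cost factor"; old records are rehashed at login.
CURRENT_LOG_N, SCRYPT_R, SCRYPT_P, DKLEN = 14, 8, 1, 32
MAXMEM = 256 * 1024 * 1024  # lets log_n go up to 17 before OpenSSL rejects the call


def _keyed(password: str) -> bytes:
    """Password keyed protection: HMAC the password with the pepper before hashing,
    so an attacker who only has the hash table is missing a 256-bit secret."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def _scrypt(password: str, salt: bytes, log_n: int) -> bytes:
    return hashlib.scrypt(_keyed(password), salt=salt, n=2 ** log_n,
                          r=SCRYPT_R, p=SCRYPT_P, maxmem=MAXMEM, dklen=DKLEN)


def hash_password(password: str, log_n: int = CURRENT_LOG_N) -> str:
    salt = os.urandom(16)  # unique per password: defeats lookup/rainbow tables
    return f"scrypt${log_n}${salt.hex()}${_scrypt(password, salt, log_n).hex()}"


def legacy_sha256(password: str) -> str:
    """What a legacy system stored: unsalted SHA-256, trivially attacked with lookup tables."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify(record: str, password: str) -> bool:
    """Constant-time check of a password against either record format."""
    scheme, *fields = record.split("$")
    if scheme == "scrypt":
        log_n, salt_hex, dk_hex = fields
        expected = _scrypt(password, bytes.fromhex(salt_hex), int(log_n))
        return hmac.compare_digest(expected, bytes.fromhex(dk_hex))
    if scheme == "sha256":
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(digest, fields[0])
    return False


def needs_rehash(record: str, target_log_n: int = CURRENT_LOG_N) -> bool:
    """True for legacy records and for scrypt records below the current cost factor."""
    scheme, *fields = record.split("$")
    return scheme != "scrypt" or int(fields[0]) < target_log_n


def verify_and_upgrade(record: str, password: str,
                       target_log_n: int = CURRENT_LOG_N) -> Tuple[bool, Optional[str]]:
    """Login path: returns (ok, new_record). When new_record is not None the caller
    persists it, migrating the user off the weak scheme the moment the plaintext is known."""
    if not verify(record, password):
        return False, None
    if needs_rehash(record, target_log_n):
        return True, hash_password(password, target_log_n)
    return True, None


if __name__ == "__main__":
    old = legacy_sha256("hunter2")
    ok, migrated = verify_and_upgrade(old, "hunter2")
    print(ok, migrated)  # True plus a fresh scrypt$14$... record to store
```

Users who never log in are never migrated, so a legacy-record sweep (forcing a reset or invalidating those accounts after a deadline) is still needed to finish the upgrade; the rehash-on-login path only removes the weak hashes for active users.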