User Credential handling in Web Applications done right

Benjamin Erhart
be@benjaminerhart.com
Often seen situations
● Passwords are stored in cleartext (EEEEVIL!)
● Passwords are stored as MD5 hash (slightly less evil, but not much...)
● Passwords are sent as GET query parameters over unencrypted connections
Why Care?

Your mama will leak your database
https://www.youtube.com/watch?v=aPWN683KsqU

Need rainbow tables?
https://www.google.com/search?q=md5+5f4dcc3b5aa
Rainbows, Brony? Cute!
● Rainbow Tables are precalculated reverse lookup tables for hash digests.
● Just ask Google for the easy ones.
● Find more specialized tables on shady sites.
● Calculate your own, while you're not mining for BitCoins.
● Having the proper RT enables attackers to find your users' passwords in minutes!
So, now? The bare minimum for your everyday inhouse app:

use Digest::SHA qw(sha256);

sub authenticate {
    my ($self, $password) = @_;

    # The stored digest must have been created the same way, as raw bytes:
    # sha256( per-user salt . application-wide system salt . password )
    if (
        $self->password_digest eq
        sha256( $self->salt . $self->system->salt . $password )
    ) {
        return 1;
    }

    return 0;
}

Add salts to your user's passwords!
TWO OF THEM!
And fuckin' use state-of-the-art hashing algorithms!
User Salt
● Generated on password creation/update
● Unique per user
● Store with the user in the database (own column or within the password digest column using some delimiter)
● Use as much randomness as you can get! (Quick bet: UUIDs)
● This effectively destroys the attacker's possibility of using a single rainbow table.
System Salt
● Generated once for your application
● Lives outside the database (e.g. config file)
● Destroys the attacker's ability to brute-force the passwords easily when they already have the database dump.
For your brand new web 2.0 social app: KDF
● Kraft Durch Freude?
● Key Derivation Functions!
● Hashing functions are designed to be fast.
● We don't normally process passwords by the millions.
● We don't need it fast!
● KDFs are about doing it slowly, so as to make it harder for the attacker to crack our passwords.
(PB)KDF self-made

# $algo is a code reference to a digest function, e.g. \&sha256.
sub kdf {
    my ($password, $salt, $algo, $iter) = @_;
    my $digest = $password;

    # Feed the previous digest back in, salted, $iter times.
    for (my $i = 0; $i < $iter; $i++) {
        $digest = $algo->( $salt . $digest );
    }

    return $digest;
}

You can store the number of needed iterations with the user.
Vary, if you want, but use many! (>1000)

Should I mention that? Use standard KDF libraries of your language of choice!
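The two-salt scheme and the KDF slides put together, as an added example (not from the deck): the slides' self-made iterated KDF in Python beside the standard-library PBKDF2, with a per-user salt stored in the password column behind a delimiter, the iteration count stored with the user, and a system salt kept out of the database. SYSTEM_SALT, the record layout and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed system salt for this example. In a real deployment it lives
# outside the database (config file, environment), so a database dump alone
# does not give an attacker everything needed to start cracking.
SYSTEM_SALT = b"example-system-salt-not-in-the-db"

# Well above the slides' ">1000"; raise it as hardware gets faster.
DEFAULT_ITERATIONS = 100_000


def kdf_self_made(password: bytes, salt: bytes, iterations: int) -> bytes:
    """The slides' hand-rolled KDF: iterate sha256(salt . digest)."""
    digest = password
    for _ in range(iterations):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def derive(password: str, user_salt: bytes, iterations: int) -> bytes:
    """Standard-library PBKDF2-HMAC-SHA256 over user salt + system salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               user_salt + SYSTEM_SALT, iterations)


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Value for the password column: 'iterations$usersalt$digest' (hex).
    The user salt is fresh per user and per password change; storing the
    iteration count alongside lets you raise it for new passwords later."""
    user_salt = secrets.token_bytes(16)
    digest = derive(password, user_salt, iterations)
    return f"{iterations}${user_salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = derive(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "Tr0ub4dor&3"))                   # False
```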
Transmitting Passwords
● We ain't gonna transmit passwords in the clear in 2012!
● Bring yourself up to speed on how to configure your environment for SSL/TLS! Use CAcert for inhouse apps. (I can assure you, if you want.)
● StartSSL issues free certs which most browsers recognize without warning.
Transmitting Passwords cont'd
● If SSL is really too much effort:
● Do not use credentials in GET queries; these get stored in HTTP server logs, which will leak!
● At least, use HTTP digest authentication, which doesn't transmit the user's password.
● Or use a JavaScript Challenge-Response Authentication (but be really careful about that!)
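Why HTTP digest authentication never puts the password on the wire, as an added example (not from the deck): both sides of the RFC 2617 exchange without the qop extension, where the client sends MD5(HA1:nonce:HA2) and the server verifies from a stored HA1 that is bound to the realm. The realm, user and nonce are constructed for this example. Note the caveat a defender wants: the stored HA1 is password-equivalent inside that realm, so it still needs the same protection as a password digest.

```python
import hashlib
import hmac
import secrets

REALM = "example-realm"  # constructed


def ha1(username: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); the only thing the server keeps."""
    return hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()


def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1_hex}:{nonce}:{ha2}".encode()).hexdigest()


# Server-side user table (constructed): HA1 only, never the clear password.
USERS = {"alice": ha1("alice", "s3cret-pass")}


def server_challenge() -> str:
    """Fresh nonce per challenge; a captured response is tied to this value."""
    return secrets.token_hex(16)


def client_response(username: str, password: str, nonce: str,
                    method: str, uri: str) -> str:
    """The client derives HA1 locally and sends only the response hash."""
    return digest_response(ha1(username, password), nonce, method, uri)


def server_verify(username: str, nonce: str, method: str, uri: str,
                  response: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        return False
    expected = digest_response(stored, nonce, method, uri)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    nonce = server_challenge()
    resp = client_response("alice", "s3cret-pass", nonce, "GET", "/index.html")
    print(server_verify("alice", nonce, "GET", "/index.html", resp))  # True
```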
But I can't log in with other credentials for debugging now!
● That's really NOT a good reason to save passwords in the clear.
● Add a feature which allows your admin users to impersonate any other user on the system!
Password Strength
● Educate your users
● Show password strength meters in your change-password forms
● Disallow weak passwords (server side!!)
Web Services
● Do not use username/password credentials, especially if you can't use encryption on transport.
● Treating web services like users gives another attack vector. And there's always this one place where you broke your authorization...
● Treat them with different mechanisms: give out API keys for them, restrict them to IP addresses, domain names, time constraints...