To ••• With Passwords

Jacob Kaplan-Moss

November 02, 2019

Transcript

  1. TO •••• WITH PASSWORDS
    Jacob Kaplan-Moss
    [email protected]

  4. Agenda
    1. Introduction to threat modeling
    2. Apply threat modeling to identity systems and discover that
    passwords are the root of many problems.
    3. If not passwords, then what?

  5. THREAT MODELING

  6. Scenario-Based Threat Modeling
    1. Scenario: tell a story about an imagined breach
    2. Pre-mortem: trace contributing events
    3. Mitigate: figure out where and how best to mitigate
    Photo by You X Ventures

  7. Threat Modeling Example
    — https://twitter.com/badthingsdaily/status/836984397819596800

  8. Threat Modeling Example
    Issue: CI/CD servers have over-scoped AWS keys
      Evidence: enable CloudTrail
      Contain: IAM roles
      Eliminate: pull-based deploys
    Issue: Code contains OAuth secrets
      Prevent: move keys to env
      Eliminate: use Vault/KMS

  9. THREAT MODELING PASSWORDS

  10. THREAT MODELING PASSWORDS: CLASSIC ATTACKS

  11. Shoulder Surfing
    Scenario: Jack, a disgruntled employee, watches Alberta, the CFO, log in,
    and remembers her password. He can now use her password to embezzle funds.
    Photo by David Rangel

  12. Shoulder Surfing
    Issue: Jack saw Alberta's password
      Prevent: masked input
      Prevent: password complexity
    Issue: Jack can re-use Alberta's password (much) later
      Contain: password rotation
      Prevent: password complexity
      Eliminate: 2FA

  13. Password File Leak
    Scenario: a vulnerability in ping allowed Jack to read /etc/passwd [1],
    which has everyone's passwords in it.
    [1] Yes, I'm aware of /etc/shadow. I'm using this for simplicity.
    Photo by Matthew Brodeur

  14. Password File Leak
    Issue: Why didn't we fire Jack after the last time?
      ¯\_(ツ)_/¯
    Issue: Jack can read anyone's password
      Prevent: hashed passwords
      Prevent: password complexity
    Issue: Jack can log in as anyone
      Contain: password rotation
      Eliminate: 2FA
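
The "hashed passwords" mitigation only earns its later rating of "moderate, when used correctly" if the hash is salted and deliberately slow. The example below is added here and is not from the deck: it puts an unsalted fast hash, which a leaked password file defeats with one precomputed lookup, next to PBKDF2-HMAC-SHA256 with a random per-user salt. The user names, the shared password and the wordlist are constructed, and the iteration count is an assumption for the example (600,000 is OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256).

```python
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed sample: two users who happen to share a password.
USERS = {"alberta": "hunter2", "jack": "hunter2"}

# Parameters are assumptions for this example; 600,000 iterations is OWASP's
# 2023 recommendation for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000
SALT_BYTES = 16


def naive_hash(password: str) -> str:
    """Unsalted, fast SHA-256: 'hashed passwords' as often implemented.
    Identical passwords give identical digests, and one table cracks them all."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_lookup(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline attack on the naive scheme: hash the wordlist once, then match
    every leaked digest by dictionary lookup (what Jack does with the file)."""
    table = {naive_hash(word): word for word in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow KDF. Stored as
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex> so the parameters can
    be raised later without rehashing everyone at once."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    leaked_naive = {user: naive_hash(pw) for user, pw in USERS.items()}
    print("naive scheme cracked:", crack_with_lookup(leaked_naive, ["123456", "hunter2"]))
    leaked_kdf = {user: hash_password(pw) for user, pw in USERS.items()}
    print("same password, different records:", leaked_kdf["alberta"] != leaked_kdf["jack"])
    print("verify:", verify_password("hunter2", leaked_kdf["alberta"]))
```

Note what the salted form buys and what it does not: Jack can no longer crack every account with one table, and two users with the same password no longer look alike in the file, but each individual record can still be attacked at the cost of one KDF run per guess. That is why the deck rates this "moderate" and still lists 2FA as the thing that eliminates "Jack can log in as anyone".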

  15. Classic Password Threat Mitigations
    • Masked input
    • Password complexity
    • Password rotation
    • Hashed passwords
    • Two-Factor authentication
    Are these mitigations effective?

  16. The only effective security measures are systemic
    AKA: "humans gonna human"

  17. The idea that a person is at fault when something goes wrong is deeply
    entrenched in society. […] More and more often the blame is attributed to
    “human error.” The person involved can be fined, punished, or fired. But
    […], human error usually is a result of poor design: it should be called
    system error. Humans err continually; it is an intrinsic part of our nature.
    System design should take this into account. Pinning the blame on the
    person may be a comfortable way to proceed, but why was the system
    ever designed so that a single act by a single person could cause
    calamity?
    — Donald Norman, The Design of Everyday Things

  18. Password complexity and rotation don't work

  19. Verifiers SHOULD NOT impose other composition rules (e.g., requiring
    mixtures of different character types or prohibiting consecutively repeated
    characters) for memorized secrets. Verifiers SHOULD NOT require memorized
    secrets to be changed arbitrarily (e.g., periodically).
    — NIST SP 800-63B

  20. THREAT MODELING PASSWORDS: MODERN ATTACKS

  21. Phishing
    Scenario: Yesterday your CEO received an email that seemed to be from her
    admin, asking her to review some expenses on Dropbox. She followed the link
    and entered her Dropbox credentials. Today, talking to her admin, she
    realized that he hadn't sent that email.

  22. Phishing
    Issue: The attacker has access to your Dropbox
      Prevent: 2FA
    Issue: Your CEO may have used her Dropbox password elsewhere
      Contain: Password managers
    Issue: Your CEO couldn't tell the difference between the phishing site and
    the real Dropbox
      Eliminate: U2F
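
Why U2F is listed as eliminating the third issue rather than containing it: the browser, not the web page, writes the origin the user is actually on into the client data; the authenticator prefixes its own data with SHA-256 of the relying-party ID; and its signature covers both. An assertion collected on a look-alike site therefore carries the look-alike's origin and is rejected by the real server, even if the phishing page relays the real server's challenge in real time. The example below is added here and is not from the deck; it simulates both sides of a WebAuthn assertion (the standardized successor of U2F, with the same origin binding). The relying-party ID, the origins, the challenge and the key are assumptions, and an HMAC with a shared key stands in for the authenticator's per-credential ES256 signature so the block runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import struct
from typing import Dict, Optional

# Assumptions for this example: the relying party and the origin it expects.
RP_ID = "www.dropbox.com"
EXPECTED_ORIGIN = "https://www.dropbox.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def stand_in_sign(key: bytes, data: bytes) -> bytes:
    """HMAC stands in for the authenticator's ES256 signature so this runs with
    the standard library only; the point is *what* gets signed, not the curve."""
    return hmac.new(key, data, hashlib.sha256).digest()


# --- browser + authenticator side (simulated) ---
def build_assertion(origin: str, challenge: bytes, rp_id: str, key: bytes,
                    sign_count: int = 7) -> Dict[str, bytes]:
    """The browser writes the page's *actual* origin into clientDataJSON; the
    authenticator prepends SHA-256(rpId) to its data and signs
    authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    flags = b"\x01"  # bit 0: user present
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + struct.pack(">I", sign_count)
    signature = stand_in_sign(key, auth_data + hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


# --- server side ---
def verify_assertion(assertion: Dict[str, bytes], issued_challenge: bytes,
                     credential_key: bytes) -> Optional[str]:
    """Return None when the assertion is acceptable, else the rejection reason."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if client_data.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch: " + str(client_data.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(stand_in_sign(credential_key, signed), assertion["signature"]):
        return "bad signature"
    return None


if __name__ == "__main__":
    key = b"\x11" * 32        # per-credential key, constructed
    challenge = b"\x42" * 32  # server-issued nonce, constructed
    genuine = build_assertion(EXPECTED_ORIGIN, challenge, RP_ID, key)
    print("genuine:", verify_assertion(genuine, challenge, key))
    # The phishing page relays the real challenge, but the browser records its origin.
    phished = build_assertion("https://dropbox-login.example", challenge, RP_ID, key)
    print("relayed through look-alike site:", verify_assertion(phished, challenge, key))
```

Contrast this with a TOTP code: the code carries no information about where it was typed, so a relaying phishing site forwards it and the real server accepts it. That is the difference between "Prevent: 2FA" and "Eliminate: U2F" on the slide.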

  23. Credential Stuffing
    Scenario: A service you use announces that they've been breached, and that
    the attackers have everyone's email and passwords. Several of your staff use
    the same password for their corporate email.

  24. Credential Stuffing
    Issue: Password re-use
      Respond: monitor @haveibeenpwned
      Contain: password managers
      Eliminate: 2FA
      Eliminate: SSO
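
Beyond watching @haveibeenpwned for breach announcements, the same service exposes the Pwned Passwords range API, which lets a verifier refuse a password that already appears in a breach corpus without ever sending the password anywhere: the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 locally against the returned "SUFFIX:COUNT" lines. The example below is added here and is not from the deck. The endpoint and the Add-Padding header are real; the breached entry and its count in the offline stand-in are constructed for the example, and the live HTTP fetcher is kept separate so the check runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def split_sha1(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1, split into the 5-char prefix that is sent and the
    35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Each line is 'SUFFIX:COUNT'. With the Add-Padding header the service
    mixes in dummy suffixes with count 0, which this keeps harmlessly."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in known breaches (0 if never)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def acceptable_new_password(password: str, fetch_range: Callable[[str], str]) -> bool:
    """The check a verifier runs when a password is set, in place of
    composition rules: refuse anything seen in a breach even once."""
    return pwned_count(password, fetch_range) == 0


def fetch_range_http(prefix: str) -> str:
    """Live lookup. Only the 5-char prefix is transmitted."""
    request = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode()


# Constructed offline stand-in for the API: the entry and count below are made
# up for this example and are not real HIBP data.
_PREFIX, _SUFFIX = split_sha1("password")
CONSTRUCTED_RANGES = {
    _PREFIX: f"{_SUFFIX}:3861493\n"
             "00000000000000000000000000000000000:0\n"  # padding-style entry
}


def fetch_range_offline(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", pwned_count(candidate, fetch_range_offline))
```

Swap `fetch_range_offline` for `fetch_range_http` to query the real service. The range query is what makes this safe to run from a signup or password-change form: a 5-character prefix matches on the order of hundreds of distinct passwords, so the service learns nothing useful about which one the user chose.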

  25. Common mitigations against modern attacks on passwords
    • Password managers
    • 2FA (especially U2F)
    • Single sign-on (SSO)
    Are these mitigations effective?

  26. Password managers remain out of reach for
    most normal computer users
    But I never found a way to get people onto 1password in a single training session. The
    setup process has a lot of moving parts, involving the desktop app, browser plugin, online
    service, mobile app, and app store. It requires repeatedly typing a long master passphrase.
    And then, once it is all set up, you have to train people on the unrelated skill of how to use
    the thing, starting with their most sensitive accounts. And then you leave.
    — Maciej Cegłowski, What I Learned Trying to Secure Congressional Campaigns

  27. Single sign-on is terrifically effective!

  28. SUMMARY: MITIGATIONS FOR PASSWORD THREATS

  29. Mitigation: Effectiveness
    Masked input: not effective
    Password complexity: high, when used correctly
    Password rotation: not effective
    Hashed passwords: moderate, when used correctly
    Password managers: high, if actually used
    2FA (especially U2F): very effective
    Single sign-on (SSO): very effective
    (The slide also rated each mitigation's usability with emoji, which did not
    survive extraction.)

  30. If U2F is more secure than passwords, why use passwords?
    If SSO is more secure than passwords, why use passwords?

  31. WHAT IF PASSWORDS ARE THE PROBLEM?

  32. What would happen if we got rid of passwords?
    • Shoulder surfing?
    • Password leaks?
    • Phishing?
    • Credential stuffing?
    None of these attacks are effective if users don't have passwords to steal.

  33. TO •••• WITH PASSWORDS!

  34. If not passwords... what then?
    • Federated identity (Facebook, Google, GitHub, etc.)
    • Email login
    • Corporate identity (SAML/OIDC)

  35. Federated Identity
    • Great for most consumer-oriented identity systems
    • UX is good, though beware of too many identity options.
    • Unfortunately, forces a tradeoff between privacy and security.
    • I dream about IndieAuth becoming widespread, but don't hold your breath.

  36. Email-only login
    • More or less the same as Federated Identity, except using email
    • Traditional security people will feel weird about this. They're wrong.
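
What an email-only login actually requires of the service is small: a random, single-use, short-lived token that is stored hashed, so a leaked login table (the slide 13 scenario again) contains no live links. The example below is added here and is not from the deck; the login URL, the 15-minute lifetime and the addresses are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60             # assumption: links die after 15 minutes
LOGIN_URL = "https://app.example/login"  # placeholder host for the example


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkIssuer:
    """Issues and redeems single-use e-mail login tokens. Only SHA-256(token)
    is stored, so a leaked table holds no usable links; the clock is injectable
    so expiry can be exercised deterministically."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Mint a 256-bit random token and return the link to e-mail."""
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = PendingLogin(email, self._now() + TOKEN_TTL_SECONDS)
        return f"{LOGIN_URL}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the e-mail the token was issued to, or None if it is unknown,
        expired, or already used. The record is marked used before returning,
        so a second presentation of the same link does not log in again."""
        record = self._pending.get(self._key(token))
        if record is None or record.used or self._now() > record.expires_at:
            return None
        record.used = True
        return record.email


def token_from_link(link: str) -> str:
    return link.rsplit("token=", 1)[1]


if __name__ == "__main__":
    issuer = MagicLinkIssuer()
    link = issuer.issue("alberta@example.com")
    token = token_from_link(link)
    print("first redeem:", issuer.redeem(token))
    print("second redeem:", issuer.redeem(token))
```

One practical caveat: mail security gateways and link previewers fetch URLs in incoming mail, so a token consumed on the GET can be burned before the user ever clicks. The usual fix is to have the GET render a confirmation page and consume the token on the POST. The account's security now equals the security of the mailbox, which is the point of the next slide.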

  37. GOOGLE'S SECURITY TEAM IS BETTER THAN YOURS

  38. Corporate Identity
    • Almost every company with good security practices uses some sort of
    corporate identity provider. If you're selling to businesses, you need to
    support this.
    • Two standards: SAML and OpenID Connect. Implement SAML first.

  39. TO •••• WITH PASSWORDS!
    Stop using passwords. The alternatives are easier to use and more secure.
    Only roll your own identity system if you know what you're doing.
    Thanks!
    Jacob Kaplan-Moss
    [email protected]

  40. Further Reading
    • Post- and pre-mortem practice: The Infinite Hows (or, the Dangers Of
    The Five Whys)
    • A fun source for scenarios: @badthingsdaily
    • Data on real-world attacks:
    • Data Breach Information Report
    • BusinessInsider ($$$)
    • Cost of Data Breach Report
    • On mitigation: The “Five Factors” Used To Secure Systems
