
Fantastic passwords and where to find them - at NoRuKo

Phil Nash
August 21, 2020

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to strengthen our users' passwords. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:

How to Encourage Stronger Passwords: P1e@$e $t0p Using Bad Rules: https://www.twilio.com/blog/2018/05/encourage-stronger-passwords-stop-using-bad-password-rules.html
Better passwords in Ruby applications with the Pwned Passwords API: https://www.twilio.com/blog/2018/03/better-passwords-in-ruby-applications-pwned-passwords-api.html
Round up: Libraries for checking Pwned Passwords in your 7 favorite languages: https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

Gems:

No BS Password checker: https://github.com/cmer/nobspw
zxcvbn-js: https://github.com/envato/zxcvbn
strong_password: https://github.com/bdmac/strong_password

Pwned: https://github.com/philnash/pwned
devise-pwned_password: https://github.com/michaelbanfield/devise-pwned_password

Transcript

  1. FANTASTIC
    PASSWORDS
    AND WHERE
    TO FIND THEM
    @philnash

  2. Phil Nash
    @philnash
    @phil_nash
    https://philna.sh
    [email protected]

  3. My first password:
    “nash”
    “atom”

  4. I GOT HACKED

  5. PASSWORDS ARE
    TERRIBLE

  6. GUIDELINES

  7. Guidelines
    • Uppercase
    • Lowercase
    • Numbers
    • Special characters

  8. password

  9. Password1!

  10. Guidelines
    Change passwords regularly

  11. Password123!

  12. PATTERNS

  13. Password1!

  14. ULLLLLLLDS

  15. AN EXAMPLE

  16. Western Australia Government Security Audit
    234,000 passwords were assessed
    1/4 of passwords were deemed "weak" passwords
    1,464 passwords were "Password123"
    (source)

  17. Western Australia Government Security Audit

  18. My "best" password
    • 8 characters long
    • Numbers and letters (uppercase only)
    • Model number of my hi-fi

  19. I GOT HACKED

  20. REPETITION

  21. BREACHES

  22. HOW DO WE FIX
    THIS?

  23. THE GUIDELINES
    WERE WRONG

  24. New guidelines
    From the ACSC, the NCSC and NIST
    • At least 13 characters
    • Accept all characters
    • Don't allow insecure passwords
    • Dictionary words
    • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
    • Context specific words (e.g. username, email, app name)
    • Passwords that have been in a breach

  25. IN RUBY?

  26. Devise
    config.password_length = 6..128

  27. Authlogic
    validates :password,
              confirmation: { if: require_password? },
              length: {
                minimum: 8,
                if: require_password?
              }

  28. Clearance
    # Nothing

  29. Suggestions
    validates :password, length: { minimum: 14 }
    nobspw
    strong_password
    zxcvbn

  30. nobspw
    pwc = NOBSPW::PasswordChecker.new password: 'philnashrules',
                                      name: 'Phil Nash',
                                      username: 'philnash',
                                      email: '[email protected]'
    pwc.strong?
    pwc.weak?
    pwc.weak_password_reasons

  31. zxcvbn
    test = Zxcvbn.test("philnashrules", ["philnash"])
    test.score
    test.feedback.suggestions

  32. DEMO

  33. INSECURE
    PASSWORDS?

  34. PWNED
    PASSWORDS

  35. Pwned Passwords
    572,611,621 passwords previously exposed in data breaches

  36. Pwned Passwords API
    ⚠ Don't worry


  37. Pwned Passwords API
    1. Get the SHA1 hash of the password
    2. Take the first 5 characters of the hash
    3. https://api.pwnedpasswords.com/range/#{prefix}
    4. Check if the remainder of the hash is in the result
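The four steps above as runnable Ruby, an added example rather than code from the talk or from the pwned gem. The range body and its counts are constructed to show the "SUFFIX:COUNT" format, and the fetcher is injectable so the check runs offline; only the 5-character prefix would ever be sent to the API.

```ruby
require "digest"
require "net/http"
require "uri"

# Steps 1 and 2: SHA-1 the password and split the hex digest into the
# 5-character prefix that is sent to the API and the 35-character suffix
# that never leaves our side (the API never sees the full hash).
def pwned_hash_parts(password)
  digest = Digest::SHA1.hexdigest(password).upcase
  [digest[0, 5], digest[5, 35]]
end

# Step 3: fetch the range for a prefix. Every breached hash starting with
# that prefix comes back as one "SUFFIX:COUNT" line.
DEFAULT_FETCHER = lambda do |prefix|
  Net::HTTP.get(URI("https://api.pwnedpasswords.com/range/#{prefix}"))
end

# Step 4: look for our suffix in the range body; 0 means not in a breach.
def count_for_suffix(range_body, suffix)
  range_body.each_line do |line|
    candidate, count = line.strip.split(":", 2)
    return count.to_i if candidate && candidate.casecmp?(suffix)
  end
  0
end

# How many times the password has appeared in known breaches.
# `fetcher` is injected so the same code runs against a stubbed response.
def pwned_count(password, fetcher: DEFAULT_FETCHER)
  prefix, suffix = pwned_hash_parts(password)
  count_for_suffix(fetcher.call(prefix), suffix)
end

# Constructed stand-in for the range response to prefix 5BAA6 (the prefix
# of SHA-1("password")); neighbouring suffixes and all counts are made up.
SAMPLE_RANGE = <<~RANGE
  1D2B8AA2B3F4C5D6E7F8091011121314151:2
  1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
  1FA0C7D1E2B3A4958677695A4B3C2D1E0F9:1
RANGE

# Offline fetcher: answers only for the constructed prefix above.
STUB_FETCHER = ->(prefix) { prefix == "5BAA6" ? SAMPLE_RANGE : "" }
```

Swap `STUB_FETCHER` for the default to query the live API; the suffix comparison is case-insensitive because the service returns uppercase hex.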

  38. PWNED GEM

  39. DEMO

  40. Pwned
    https://github.com/philnash/pwned
    devise-pwned_password

  41. NEXT LEVEL

  42. TWO FACTOR
    AUTHENTICATION

  43. PASSWORDS ARE
    TERRIBLE

  44. PASSWORD
    GUIDELINES ARE
    WORSE

  45. MAKE
    PASSWORDS
    LONGER

  46. CHECK AGAINST
    BREACHES
    AND
    DICTIONARIES

  47. IMPLEMENT
    TWO FACTOR
    AUTHENTICATION

  48. Thanks!
    @philnash
    @phil_nash
    https://philna.sh
    [email protected]

  49. Tom Carr
    @ItsMeTomC
    "Your password must contain at least 8 letters, a capital, a
    plot, a protagonist with good character development, a twist
    & a happy ending."
    11:56 PM · Oct 13, 2014