Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fantastic passwords and where to find them - at...

Phil Nash
August 21, 2020
Programming
50
2.9k

Fantastic passwords and where to find them - at NoRuKo

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to strengthen our users' passwords. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:

How to Encourage Stronger Passwords: P1e@$e $t0p Using Bad Rules: https://www.twilio.com/blog/2018/05/encourage-stronger-passwords-stop-using-bad-password-rules.html
Better passwords in Ruby applications with the Pwned Passwords API:
https://www.twilio.com/blog/2018/03/better-passwords-in-ruby-applications-pwned-passwords-api.html
Round up: Libraries for checking Pwned Passwords in your 7 favorite languages: https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html

1,464 Western Australian government officials used ‘Password123’ as their password. Cool, cool: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

Gems:

No BS Password checker: https://github.com/cmer/nobspw
zxcvbn-js: https://github.com/envato/zxcvbn
strong_password: https://github.com/bdmac/strong_password

Pwned: https://github.com/philnash/pwned
devise-pwned_password: https://github.com/michaelbanfield/devise-pwned_password

Phil Nash

August 21, 2020
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
philnash
3
410
JavaScript Apps Go Intl - GIDS Live 2021
philnash
2
260
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
philnash
1
270
Better API DX with a CLI - APIdays Jakarta
philnash
0
330
The trouble with webhooks - at Apidays Live Hong Kong
philnash
2
190
Four steps from JavaScript to TypeScript
philnash
0
390
The trouble with webhooks - at APIdays Singapore
philnash
0
290
What's going on with Project Fugu? at DevTalks Reimagined
philnash
0
420
Fantastic passwords and where to find them @ WFHConf
philnash
0
420

Other Decks in Programming

See All in Programming
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.3k
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
520
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
300
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
170
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
140
プロジェクト新規参入者のリードタイム短縮の観点から見る、品質の高いコードとアーキテクチャを保つメリット
d_endo
1
1.1k
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
590
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
110
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
現場で役立つモデリング 超入門
masuda220
PRO
15
3.1k
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.2k
Amazon Qを使ってIaCを触ろう!
maruto
0
380

Featured

See All Featured
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
Code Reviewing Like a Champion
maltzj
520
39k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
The World Runs on Bad Software
bkeepers
PRO
65
11k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Automating Front-end Workflow
addyosmani
1366
200k
Visualization
eitanlees
145
15k
Building an army of robots
kneath
302
42k
BBQ
matthewcrist
85
9.3k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k

Transcript

  1. FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

  2. Phil Nash @philnash @phil_nash https://philna.sh [email protected]

  3. My first password: “nash” “atom” @philnash

  4. I GOT HACKED @philnash

  5. PASSWORDS ARE TERRIBLE @philnash

  6. GUIDELINES @philnash

  7. Guidelines • Uppercase • Lowercase • Numbers • Special characters

    @philnash

  8. password @philnash

  9. Password1! @philnash

  10. Guidelines Change passwords regularly @philnash

  11. Password123! @philnash

  12. PATTERNS @philnash

  13. Password1! @philnash

  14. ULLLLLLLDS @philnash

  15. AN EXAMPLE @philnash

  16. Western Australia Government Security Audit 234,000 passwords were assessed 1/4

    of passwords were deemed "weak" passwords 1,464 passwords were "Password123" (source) @philnash

  17. Western Australia Government Security Audit @philnash

  18. My "best" password • 8 characters long • Numbers and

    letters (uppercase only) • Model number of my hi-fi @philnash

  19. I GOT HACKED @philnash

  20. REPETITION @philnash

  21. BREACHES @philnash

  22. @philnash

  23. HOW DO WE FIX THIS? @philnash

  24. THE GUIDELINES WERE WRONG @philnash

  25. @philnash

  26. New guidelines From the ACSC, the NCSC and NIST •

    At least 13 characters • Accept all characters • Don't allow insecure passwords • Dictionary words • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) • Context specific words (e.g. username, email, app name) • Passwords that have been in a breach @philnash

  27. IN RUBY? @philnash

  28. Devise config.password_length = 6..128 @philnash

  29. Authlogic validates :password, confirmation: { if: require_password? }, length: {

    minimum: 8, if: require_password? } 01. 02. 03. 04. 05. 06. @philnash

  30. Clearance # Nothing @philnash

  31. Suggestions validates :password, length: { minimum: 14 } nobspw strong_password

    zxcvbn @philnash

  32. nobspw pwc = NOBSPW::PasswordChecker.new password: 'philnashrules', name: 'Phil Nash', username:

    'philnash', email: '[email protected]' pwc.strong? pwc.weak? pwd.weak_password_reasons 01. 02. 03. 04. 05. 06. 07. @philnash

  33. zxcvbn test = Zxcvbn.test("philnashrules", ["philnash"]) test.score test.feedback.suggestions 01. 02. 03.

    @philnash

  34. DEMO @philnash

  35. INSECURE PASSWORDS? @philnash

  36. PWNED PASSWORDS @philnash

  37. Pwned Passwords 572,611,621 passwords previously exposed in data breaches @philnash

  38. Pwned Passwords API ⚠ Don't worry ⚠ @philnash

  39. Pwned Passwords API 1. Get the SHA1 hash of the

    password 2. Take the first 5 characters of the hash 3. https://api.pwnedpasswords.com/range/#{prefix} 4. Check if the remainder of the hash is in the result @philnash

  40. PWNED GEM @philnash

  41. DEMO @philnash

  42. Pwned https://github.com/philnash/pwned devise-pwned_password @philnash

  43. NEXT LEVEL @philnash

  44. TWO FACTOR AUTHENTICATION @philnash

  45. PASSWORDS ARE TERRIBLE @philnash

  46. PASSWORD GUIDELINES ARE WORSE @philnash

  47. MAKE PASSWORDS LONGER @philnash

  48. CHECK AGAINST BREACHES AND DICTIONARIES @philnash

  49. IMPLEMENT TWO FACTOR AUTHENTICATION @philnash

  50. Thanks! @philnash @phil_nash https://philna.sh [email protected]

  51. Tom Carr @ItsMeTomC "Your password must contain at least 8

    letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 1156 PM · Oct 13, 2014 3.3K 4.7K people are Tweeting about this @philnash