Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Fantastic passwords and where to find them @ WF...

Avatar for Phil Nash Phil Nash
March 26, 2020
Technology
0
500

Fantastic passwords and where to find them @ WFHConf

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to help strengthen our users' passwords. We'll investigate the tools, practices and APIs that can help us in this endeavour. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:
https://haveibeenpwned.com/
https://haveibeenpwned.com/Passwords

Western Australia Government passwords: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

New passphrase requirements:
ACSC: https://www.cyber.gov.au/advice/EasyStepsGuide
NSCS: https://www.ncsc.gov.uk/collection/passwords
NIST: https://pages.nist.gov/800-63-3/sp800-63b.html

Password Validator: https://www.npmjs.com/package/password-validator
zxcvbn: https://github.com/dropbox/zxcvbn

@philnash/pwned: https://github.com/philnash/pwned.js

Other Pwned Passwords libraries:
https://www.npmjs.com/package/hibp
https://www.npmjs.com/package/pwnedpasswords
https://www.npmjs.com/package/pwned-pw
Avatar for Phil Nash

Phil Nash

March 26, 2020
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
Avatar for Phil Nash philnash
3
490
JavaScript Apps Go Intl - GIDS Live 2021
Avatar for Phil Nash philnash
2
310
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
Avatar for Phil Nash philnash
1
320
Better API DX with a CLI - APIdays Jakarta
Avatar for Phil Nash philnash
0
380
The trouble with webhooks - at Apidays Live Hong Kong
Avatar for Phil Nash philnash
2
230
Four steps from JavaScript to TypeScript
Avatar for Phil Nash philnash
0
430
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.2k
The trouble with webhooks - at APIdays Singapore
Avatar for Phil Nash philnash
0
330
What's going on with Project Fugu? at DevTalks Reimagined
Avatar for Phil Nash philnash
0
520

Other Decks in Technology

See All in Technology
GraphQLを活用したリアーキテクチャに対応するSLI/Oの再設計
Avatar for coconala_engineer coconala_engineer
0
200
Global Azure2025(GitHub Copilot ハンズオン)
Avatar for tomokusaba tomokusaba
2
620
雑に疎通確認だけしたい...せや!CloudShell使ったろ!
Avatar for alchemy1115 alchemy1115
0
150
AI 코딩 에이전트 더 똑똑하게 쓰기
Avatar for nacyot nacyot
0
530
時間がないなら、つくればいい 〜数十人規模のチームが自律性を発揮するために試しているいくつかのこと〜
Avatar for KAKEHASHI kakehashi
PRO
22
5k
Dataverseの検索列について
Avatar for MiyakeMito miyakemito
1
180
Новые мапы в Go. Вова Марунин, Clatch, МТС
Avatar for Lamoda Tech lamodatech
0
1.9k
Как мы автоматизировали интеграционное тестирование с Gonkey и не пожалели. Паша Егорычев, Кирилл Поляков
Avatar for Lamoda Tech lamodatech
0
2k
非root化Androidスマホでも動く仮想マシンアプリを試してみた
Avatar for Sora Arakawa arkw
0
120
Part1 GitHubってなんだろう?その2
Avatar for tomokusaba tomokusaba
2
620
Azure × MCP 入門
Avatar for Ryosuke Hyakuta ry0y4n
8
1.4k
AIにおけるソフトウェアテスト_ver1.00
Avatar for fumisuke fumisuke
1
360

Featured

See All Featured
Designing for Performance
Avatar for Lara Hogan lara
608
69k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
52
2.5k
KATA
Avatar for Megan Lloyd mclloyd
29
14k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
507
140k
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
52
7.6k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
10
780
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.3k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.7k
Side Projects
Avatar for Sacha Greif sachag
453
42k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
245
12k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
26k

Transcript

  1. FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

  2. Phil Nash @philnash @phil_nash https://philna.sh [email protected]

  3. My first password: “nash” “atom” @philnash

  4. I GOT HACKED @philnash

  5. PASSWORDS ARE TERRIBLE @philnash

  6. GUIDELINES @philnash

  7. Tom Carr @ItsMeTomC "Your password must contain at least 8

    letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 3,392 11:56 PM - Oct 13, 2014 4,805 people are talking about this @philnash

  8. Guidelines • Uppercase • Lowercase • Numbers • Special characters

    @philnash

  9. password @philnash

  10. Password1! @philnash

  11. Guidelines Change passwords regularly @philnash

  12. Password123! @philnash

  13. PATTERNS @philnash

  14. Password1! @philnash

  15. ULLLLLLLDS @philnash

  16. AN EXAMPLE @philnash

  17. Western Australia Government Security Audit 234,000 passwords were assessed 1/4

    of passwords were deemed "weak" passwords 1,464 passwords were "Password123" (source) @philnash

  18. Western Australia Government Security Audit @philnash

  19. My "best" password • 8 characters long • Numbers and

    letters (uppercase only) • Model number of my hi-fi @philnash

  20. I GOT HACKED @philnash

  21. REPETITION @philnash

  22. BREACHES @philnash

  23. @philnash

  24. HOW DO WE FIX THIS? @philnash

  25. THE GUIDELINES WERE WRONG @philnash

  26. @philnash

  27. New guidelines From the ACSC, the NCSC and NIST •

    At least 13 characters • Accept all characters • Don't allow insecure passwords • Dictionary words • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) • Context specific words (e.g. username, email, app name) • Passwords that have been in a breach @philnash

  28. IN NODE.JS? @philnash

  29. Suggestions if (user.password.length < 14) { // fail } password-validator

    @philnash

  30. password-validator const schema = new passwordValidator(); schema .has().uppercase() .has().lowercase() .has().digits()

    .has().not().spaces() 01. 02. 03. 04. 05. 06. @philnash

  31. password-validator const schema = new passwordValidator(); schema .is().min(14) .is().max(255) .is().not().oneOf(['password',

    'Password123']); schema.validate('password', { list: true }); // => ['min', 'oneOf'] 01. 02. 03. 04. 05. 06. 07. @philnash

  32. Suggestions if (user.password.length < 14) { // fail } password-validator

    zxcvbn @philnash

  33. DEMO @philnash

  34. INSECURE PASSWORDS? @philnash

  35. PWNED PASSWORDS @philnash

  36. Pwned Passwords 555,278,657 passwords previously exposed in data breaches @philnash

  37. Pwned Passwords API ⚠ Don't worry ⚠ @philnash

  38. Pwned Passwords API 1. Get the SHA1 hash of the

    password 2. Take the first 5 characters of the hash 3. https://api.pwnedpasswords.com/range/#{prefix} 4. Check if the remainder of the hash is in the result @philnash

  39. Libraries • hibp • pwnedpasswords • pwned-pw • @philnash/pwned @philnash

  40. DEMO @philnash

  41. Help! @philnash/pwned https://github.com/philnash/pwned.js @philnash

  42. NEXT LEVEL @philnash

  43. TWO FACTOR AUTHENTICATION @philnash

  44. PASSWORDS ARE TERRIBLE @philnash

  45. PASSWORD GUIDELINES ARE WORSE @philnash

  46. MAKE PASSWORDS LONGER @philnash

  47. CHECK AGAINST BREACHES AND DICTIONARIES @philnash

  48. IMPLEMENT TWO FACTOR AUTHENTICATION @philnash

  49. THANKS! @philnash

  50. Thanks! @philnash @phil_nash https://philna.sh [email protected]