$30 off During Our Annual Pro Sale. View Details »

Fantastic passwords and where to find them @ WFHConf

Phil Nash
March 26, 2020
Technology
0
250

Fantastic passwords and where to find them @ WFHConf

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to help strengthen our users' passwords. We'll investigate the tools, practices and APIs that can help us in this endeavour. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:
https://haveibeenpwned.com/
https://haveibeenpwned.com/Passwords

Western Australia Government passwords: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

New passphrase requirements:
ACSC: https://www.cyber.gov.au/advice/EasyStepsGuide
NSCS: https://www.ncsc.gov.uk/collection/passwords
NIST: https://pages.nist.gov/800-63-3/sp800-63b.html

Password Validator: https://www.npmjs.com/package/password-validator
zxcvbn: https://github.com/dropbox/zxcvbn

@philnash/pwned: https://github.com/philnash/pwned.js

Other Pwned Passwords libraries:
https://www.npmjs.com/package/hibp
https://www.npmjs.com/package/pwnedpasswords
https://www.npmjs.com/package/pwned-pw

Phil Nash

March 26, 2020
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
philnash
3
260
JavaScript Apps Go Intl - GIDS Live 2021
philnash
2
130
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
philnash
1
150
Better API DX with a CLI - APIdays Jakarta
philnash
0
240
The trouble with webhooks - at Apidays Live Hong Kong
philnash
2
110
Four steps from JavaScript to TypeScript
philnash
0
300
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.3k
The trouble with webhooks - at APIdays Singapore
philnash
0
190
What's going on with Project Fugu? at DevTalks Reimagined
philnash
0
250

Other Decks in Technology

See All in Technology
LLMエンジニアリングを加速させるソフトウェアアーキテクチャ
tkikuchi1002
0
520
「極意本」サンプルコードをクラウド上で動かそう
upura
1
850
EventStormingとRDRA2.0で大規模レガシーシステムのフルリニューアルPJに挑む
leveragestech
0
1.3k
コンテナ支部recapをrecapしよう_気になったコンテナの周りのアップデートを紹介.pdf
yoshiitaka
0
250
更新”しない”ドキュメント管理 「イミュータブルドキュメントモデル」の実運用
kosui
8
1k
提案段階のVS CodeのチャットエージェントAPIを動かしてみた
masa5555
0
130
つくばチャレンジ2023EX with PLATEAU@つくばセンター広場課題コース
tsukubachallenge
0
690
Java in containers and serverless
takesection
0
140
pmconf 2023 プロダクトと事業を無限にスケールするための最強のロードマップの作り方 / The Greatest Roadmap for Unlimited Scaling your Business and Products
yamamuteki
16
9.4k
CTO of the year 2023ピッチ資料(オーディエンス賞)チューリングCTO青木
aoshun7
0
680
NIKKEI COMPASSの Stripe決済フローと決済高速化の方法/20231205-compass
nikkei_engineer_recruiting
1
210
SRE推進における失敗と成功 〜く"し"け"な"い"〜 - NIFTY Tech Day 2023
niftycorp
0
120

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
223
17k
Building Applications with DynamoDB
mza
87
5.3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
Designing for Performance
lara
601
66k
Writing Fast Ruby
sferik
615
59k
Designing Experiences People Love
moore
133
23k
Robots, Beer and Maslow
schacon
154
7.7k
What's new in Ruby 2.0
geeforr
335
30k
A better future with KSS
kneath
230
16k
The World Runs on Bad Software
bkeepers
PRO
59
6.2k
Building Adaptive Systems
keathley
29
1.6k
Code Review Best Practice
trishagee
53
14k

Transcript

  1. FANTASTIC
    PASSWORDS
    AND WHERE
    TO FIND THEM
    @philnash

    View Slide

  2. Phil Nash
    @philnash
    @phil_nash
    https://philna.sh
    [email protected]

    View Slide

  3. My first password:
    “nash”
    “atom”
    @philnash

    View Slide

  4. I GOT HACKED
    @philnash

    View Slide

  5. PASSWORDS ARE
    TERRIBLE
    @philnash

    View Slide

  6. GUIDELINES
    @philnash

    View Slide

  7. Tom Carr
    @ItsMeTomC
    "Your password must contain at least 8 letters, a capital, a plot, a
    protagonist with good character development, a twist & a happy ending."
    3,392 11:56 PM - Oct 13, 2014
    4,805 people are talking about this
    @philnash

    View Slide

  8. Guidelines
    • Uppercase
    • Lowercase
    • Numbers
    • Special characters
    @philnash

    View Slide

  9. password
    @philnash

    View Slide

  10. Password1!
    @philnash

    View Slide

  11. Guidelines
    Change passwords regularly
    @philnash

    View Slide

  12. Password123!
    @philnash

    View Slide

  13. PATTERNS
    @philnash

    View Slide

  14. Password1!
    @philnash

    View Slide

  15. ULLLLLLLDS
    @philnash

    View Slide

  16. AN EXAMPLE
    @philnash

    View Slide

  17. Western Australia Government Security Audit
    234,000 passwords were assessed
    1/4 of passwords were deemed "weak" passwords
    1,464 passwords were "Password123"
    (source)
    @philnash

    View Slide

  18. Western Australia Government Security Audit
    @philnash

    View Slide

  19. My "best" password
    • 8 characters long
    • Numbers and letters (uppercase only)
    • Model number of my hi-fi
    @philnash

    View Slide

  20. I GOT HACKED
    @philnash

    View Slide

  21. REPETITION
    @philnash

    View Slide

  22. BREACHES
    @philnash

    View Slide

  23. @philnash

    View Slide

  24. HOW DO WE FIX
    THIS?
    @philnash

    View Slide

  25. THE GUIDELINES
    WERE WRONG
    @philnash

    View Slide

  26. @philnash

    View Slide

  27. New guidelines
    From the ACSC, the NCSC and NIST
    • At least 13 characters
    • Accept all characters
    • Don't allow insecure passwords
    • Dictionary words
    • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
    • Context specific words (e.g. username, email, app name)
    • Passwords that have been in a breach
    @philnash

    View Slide

  28. IN NODE.JS?
    @philnash

    View Slide

  29. Suggestions
    if (user.password.length < 14) { // fail }
    password-validator
    @philnash

    View Slide

  30. password-validator
    const schema = new passwordValidator();
    schema
    .has().uppercase()
    .has().lowercase()
    .has().digits()
    .has().not().spaces()
    01.
    02.
    03.
    04.
    05.
    06.
    @philnash

    View Slide

  31. password-validator
    const schema = new passwordValidator();
    schema
    .is().min(14)
    .is().max(255)
    .is().not().oneOf(['password', 'Password123']);
    schema.validate('password', { list: true });
    // => ['min', 'oneOf']
    01.
    02.
    03.
    04.
    05.
    06.
    07.
    @philnash

    View Slide

  32. Suggestions
    if (user.password.length < 14) { // fail }
    password-validator
    zxcvbn
    @philnash

    View Slide

  33. DEMO
    @philnash

    View Slide

  34. INSECURE
    PASSWORDS?
    @philnash

    View Slide

  35. PWNED
    PASSWORDS
    @philnash

    View Slide

  36. Pwned Passwords
    555,278,657 passwords previously exposed in data
    breaches
    @philnash

    View Slide

  37. Pwned Passwords API
    ⚠ Don't worry

    @philnash

    View Slide

  38. Pwned Passwords API
    1. Get the SHA1 hash of the password
    2. Take the first 5 characters of the hash
    3. https://api.pwnedpasswords.com/range/#{prefix}
    4. Check if the remainder of the hash is in the result
    @philnash

    View Slide

  39. Libraries
    • hibp
    • pwnedpasswords
    • pwned-pw
    • @philnash/pwned
    @philnash

    View Slide

  40. DEMO
    @philnash

    View Slide

  41. Help!
    @philnash/pwned
    https://github.com/philnash/pwned.js
    @philnash

    View Slide

  42. NEXT LEVEL
    @philnash

    View Slide

  43. TWO FACTOR
    AUTHENTICATION
    @philnash

    View Slide

  44. PASSWORDS ARE
    TERRIBLE
    @philnash

    View Slide

  45. PASSWORD
    GUIDELINES ARE
    WORSE
    @philnash

    View Slide

  46. MAKE
    PASSWORDS
    LONGER
    @philnash

    View Slide

  47. CHECK AGAINST
    BREACHES
    AND
    DICTIONARIES
    @philnash

    View Slide

  48. IMPLEMENT
    TWO FACTOR
    AUTHENTICATION
    @philnash

    View Slide

  49. THANKS!
    @philnash

    View Slide

  50. Thanks!
    @philnash
    @phil_nash
    https://philna.sh
    [email protected]

    View Slide