Fantastic passwords and where to find them @ WFHConf

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users?

Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to help strengthen our users' passwords. We'll investigate the tools, practices and APIs that can help us in this endeavour. Together we can move the world from "password1" to "correct horse battery staple" and beyond!

--

Links:
https://haveibeenpwned.com/
https://haveibeenpwned.com/Passwords

Western Australia Government passwords: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/

New passphrase requirements:
ACSC: https://www.cyber.gov.au/advice/EasyStepsGuide
NCSC: https://www.ncsc.gov.uk/collection/passwords
NIST: https://pages.nist.gov/800-63-3/sp800-63b.html

Password Validator: https://www.npmjs.com/package/password-validator
zxcvbn: https://github.com/dropbox/zxcvbn

@philnash/pwned: https://github.com/philnash/pwned.js

Other Pwned Passwords libraries:
https://www.npmjs.com/package/hibp
https://www.npmjs.com/package/pwnedpasswords
https://www.npmjs.com/package/pwned-pw

Phil Nash

March 26, 2020

Transcript

  1. FANTASTIC
    PASSWORDS
    AND WHERE
    TO FIND THEM
    @philnash

  2. Phil Nash
    @philnash
    @phil_nash
    https://philna.sh
    [email protected]

  3. My first password:
    “nash”
    “atom”
    @philnash

  4. I GOT HACKED
    @philnash

  5. PASSWORDS ARE
    TERRIBLE
    @philnash

  6. GUIDELINES
    @philnash

  7. Tom Carr
    @ItsMeTomC
    "Your password must contain at least 8 letters, a capital, a plot, a
    protagonist with good character development, a twist & a happy ending."
    11:56 PM - Oct 13, 2014
    @philnash

  8. Guidelines
    • Uppercase
    • Lowercase
    • Numbers
    • Special characters
    @philnash

  9. password
    @philnash

  10. Password1!
    @philnash

  11. Guidelines
    Change passwords regularly
    @philnash

  12. Password123!
    @philnash

  13. PATTERNS
    @philnash

  14. Password1!
    @philnash

  15. ULLLLLLLDS
    @philnash

    View Slide

  16. AN EXAMPLE
    @philnash

  17. Western Australia Government Security Audit
    234,000 passwords were assessed
    1/4 of passwords were deemed "weak" passwords
    1,464 passwords were "Password123"
    (source)
    @philnash

  18. Western Australia Government Security Audit
    @philnash

  19. My "best" password
    • 8 characters long
    • Numbers and letters (uppercase only)
    • Model number of my hi-fi
    @philnash

  20. I GOT HACKED
    @philnash

  21. REPETITION
    @philnash

  22. BREACHES
    @philnash

  23. @philnash

  24. HOW DO WE FIX
    THIS?
    @philnash

  25. THE GUIDELINES
    WERE WRONG
    @philnash

  26. @philnash

  27. New guidelines
    From the ACSC, the NCSC and NIST
    • At least 13 characters
    • Accept all characters
    • Don't allow insecure passwords
    • Dictionary words
    • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
    • Context specific words (e.g. username, email, app name)
    • Passwords that have been in a breach
    @philnash

  28. IN NODE.JS?
    @philnash

  29. Suggestions
    if (user.password.length < 14) { /* fail */ }
    password-validator
    @philnash

  30. password-validator
    const passwordValidator = require('password-validator');
    const schema = new passwordValidator();
    schema
      .has().uppercase()
      .has().lowercase()
      .has().digits()
      .has().not().spaces();
    @philnash

  31. password-validator
    const passwordValidator = require('password-validator');
    const schema = new passwordValidator();
    schema
      .is().min(14)
      .is().max(255)
      .is().not().oneOf(['password', 'Password123']);
    schema.validate('password', { list: true });
    // => ['min', 'oneOf']
    @philnash

  32. Suggestions
    if (user.password.length < 14) { /* fail */ }
    password-validator
    zxcvbn
    @philnash

  33. DEMO
    @philnash

  34. INSECURE
    PASSWORDS?
    @philnash

  35. PWNED
    PASSWORDS
    @philnash

  36. Pwned Passwords
    555,278,657 passwords previously exposed in data breaches
    @philnash

  37. Pwned Passwords API
    ⚠ Don't worry

    @philnash

  38. Pwned Passwords API
    1. Get the SHA1 hash of the password
    2. Take the first 5 characters of the hash
    3. https://api.pwnedpasswords.com/range/#{prefix}
    4. Check if the remainder of the hash is in the result
    @philnash

  39. Libraries
    • hibp
    • pwnedpasswords
    • pwned-pw
    • @philnash/pwned
    @philnash

  40. DEMO
    @philnash

  41. Help!
    @philnash/pwned
    https://github.com/philnash/pwned.js
    @philnash

  42. NEXT LEVEL
    @philnash

  43. TWO FACTOR
    AUTHENTICATION
    @philnash

  44. PASSWORDS ARE
    TERRIBLE
    @philnash

  45. PASSWORD
    GUIDELINES ARE
    WORSE
    @philnash

  46. MAKE
    PASSWORDS
    LONGER
    @philnash

  47. CHECK AGAINST
    BREACHES
    AND
    DICTIONARIES
    @philnash

  48. IMPLEMENT
    TWO FACTOR
    AUTHENTICATION
    @philnash

  49. THANKS!
    @philnash

  50. Thanks!
    @philnash
    @phil_nash
    https://philna.sh
    [email protected]
