LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
User Authentication for Winners!
Speaker: Karthik Gaekwad
Password:
LASCON 2013
Remember this stuff when you code
@iteration1
Friday, October 25, 13

#UserAuth101
User Authentication for Winners!
Speaker: Karthik Gaekwad
Password: ************
Well played security guru; well played!
Remember this stuff when you code
Howdy!
• I’m Karthik Gaekwad
• Senior Web Engineer, Mentor Graphics Embedded
• From Austin, TX
• Spent the last 3 years writing/refining cloud based user auth systems
Audience Survey

My agenda
• Developers and DevOps: build better auth systems
• Security Pros: give you developer insight, new ideas to attack auth systems
• Management: give this ppt to your dev teams.
Authentication
Mechanisms
• Write your own
• OpenID
• OAuth
Common Perception
“Building a User Authentication system is easy. It’s just a username and password, stored somewhere”
Reality
API (PaaS) + Workflows + User Interface(s)
Designing Auth Systems
API: How your system is used

• Login/Logout
• Session Management (Remember Me etc)
• User Creation
• Password Reset
Designing Auth Systems
Workflows: Rules for how the system works

• Account Creation
• Password Reset
• Account Recovery
Designing Auth Systems
User Interface: What end user will actually see

• Where users can create account
• Login screens
• My Profile Page
• End applications using the APIs
High Level Design
Email Web Services
API Web Services (Login/Logout)
User Portal
App 1, App 2, App 3...
Data store(s)
Quick look @data
• email
• username
• first name
• last name
• password
• {id}
Quick look @data
Keep your auth data separate
• You don’t want to clutter your auth data with ecommerce/address/whatever other data
• Not rocket science.
• It’s called normalization
Breaking it down
API Web Services
(Login/Logout)

Login Web Services
API Web Services (Login/Logout)
The Goal: Keep user credentials as safe as possible in transit
Login Web Services
Request (App 1 to API Web Services): POST /login with encoded username:password
Response: HTTP 200/201 with session token, session id expiration, first name, last name

Login Web Services
Request (App 1 to API Web Services): GET /login/(session token)
Response: HTTP 200/201 (success) with session token, session id expiration, first name, last name; HTTP 401 (failures)
Login Web Services
• Minimize sending username, passwords over the wire.
• Harder to sniff if it’s rarely there. “Encoded” is not encrypted: an encoding such as base64 is reversible, so TLS is what actually protects the credential in transit.
• Don’t put this in the URL (server logs). The same goes for the session token: carry it in a header or cookie rather than a URL path, or it ends up in access logs and Referer headers too.
• Session tokens: Set an expiration time.
• Client can re-login if necessary
Login Web Services
HTTP?
“That’s great, but I can
brute force the endpoint”
--JoeHacker

Rate Limiting
• “Only x number of calls per minute to the endpoint”
• Recommended for all login and session token endpoints.
• Can be complicated to implement, but worth it and reusable.
• http://www.client9.com/2012/05/01/ratelimiting-at-scale/ Thanks @NGalbreath!
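A sliding-window limiter of the kind the slide recommends, as an added example (not code from the talk or from the client9 post): it throttles POST /login both per source IP and per target username, so one address spraying many accounts and many addresses hammering one account both hit the wall. The in-memory store, the chosen limits and the injectable clock are assumptions for the demo; a real deployment shares the counters in Redis or similar.

```python
"""Sliding-window rate limiter for login / session-token endpoints.

Added example; not code from the talk. Assumptions: single process with an
in-memory store (production would share counters in Redis or similar), and the
caller passes the client IP and the username being attempted.
"""
import time
from collections import defaultdict, deque


class RateLimiter:
    """Allow at most `limit` calls per `window` seconds for each key.

    Keys are strings such as "ip:203.0.113.7" or "user:alice". Keeping both
    kinds lets us throttle one IP spraying many accounts and many IPs all
    targeting one account.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock               # injectable so tests can drive time
        self._hits = defaultdict(deque)  # key -> timestamps inside the window

    def _prune(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, key):
        """Record one call for `key`; False if that call exceeds the limit."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def retry_after(self, key):
        """Seconds until the oldest call in the window ages out (0 if not limited)."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) < self.limit:
            return 0.0
        return self.window - (now - q[0])


def login_allowed(ip_limiter, user_limiter, client_ip, username):
    """Gate one POST /login attempt on the source IP and on the target account.

    The IP bucket is checked first and a request it rejects never touches the
    per-user bucket: per-account limits are also a lockout lever, so we only
    spend the victim's quota on traffic that already passed the IP check, and
    keep that window short.
    """
    if not ip_limiter.allow("ip:" + client_ip):
        return False
    return user_limiter.allow("user:" + username.strip().lower())


if __name__ == "__main__":
    # Constructed demo traffic: one address trying many accounts.
    ip_l, user_l = RateLimiter(limit=5, window=60), RateLimiter(limit=10, window=300)
    for i in range(7):
        ok = login_allowed(ip_l, user_l, "203.0.113.7", "victim%d" % i)
        wait = ip_l.retry_after("ip:203.0.113.7")
        print("attempt", i, "allowed" if ok else "429, retry in %.0fs" % wait)
```

The two limiters have different shapes on purpose: the per-IP window is short and tight, the per-user window is longer and looser, so a legitimate user who fat-fingers a password a few times is not locked out by their own attempts, while a credential-stuffing run against one account still stalls.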
Note on Session Tokens
How I really feel about rand() and guid() functions: Yuck
rand() is seeded predictably, and a GUID is an identifier, not a secret: a version 1 UUID is a MAC address plus a timestamp, and not every guid() implementation draws its version 4 random bits from a CSPRNG.
Use something cryptographically secure
Keep them 128 bit or greater
Login Hack #1
• Often, the end (web)application will store the username and session token in a cookie.
• Hack: Create 2 accounts, and login with both and store the cookies. Trade the session token of one account with the other, and see if you can see other account data...
• If the API only checks that the token is valid and takes the username from the cookie, the token is not bound to the account and the swap works.
• Developers have good intentions but....
Login Hack #2
• Verify that session tokens actually expire!
• Try using the same session token even after you’ve hit “log out” in the application.
• Many apps only cookies.clear() on the client, because it is easier than actually calling the /logout endpoint to invalidate the token server side; the token then keeps working for anyone who captured it.
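A session store that puts the three preceding slides into code, as an added example (not the talk's code): tokens come from the OS CSPRNG at 128 bits, carry an expiry, die on /logout rather than merely being forgotten by the browser, and are bound server side to the account that logged in, so the cookie swap in Login Hack #1 and the stale token in Login Hack #2 both fail. The in-memory dict and the injectable clock are demo assumptions.

```python
"""Server-side session store: random 128-bit tokens, expiry, logout revocation,
and tokens bound to the account that minted them.

Added example; not code from the talk. Assumptions: an in-memory dict stands in
for the session table and `clock` is injectable so expiry can be tested.
"""
import secrets
import time


class SessionStore:
    TOKEN_BYTES = 16  # 128 bits from the OS CSPRNG; not rand(), not a GUID

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}  # token -> {"user": ..., "expires": ...}

    def login(self, username):
        """Issue a session for `username` (the password has already been checked).

        Returns what POST /login hands back: the token and when it expires.
        """
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        expires = self.clock() + self.ttl
        self._sessions[token] = {"user": username, "expires": expires}
        return {"session_token": token, "expires": expires}

    def user_for(self, token):
        """Username a live token belongs to, or None.

        The username comes from the server-side record, never from a client
        cookie, so trading tokens between two accounts (Login Hack #1) only
        ever yields the data of the account that logged in with that token.
        """
        rec = self._sessions.get(token)
        if rec is None:
            return None
        if self.clock() >= rec["expires"]:
            del self._sessions[token]  # lazy expiry; a sweeper can do the rest
            return None
        return rec["user"]

    def authorize(self, token, claimed_user):
        """GET /login/<token>-style check that also verifies the account claim.

        Use this wherever a request carries both a token and a user id: the
        two must agree or the request is answered with 401.
        """
        owner = self.user_for(token)
        return owner is not None and owner == claimed_user

    def logout(self, token):
        """Server-side invalidation (Login Hack #2): clearing the cookie on the
        client alone leaves the token valid for anyone who captured it."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    a = store.login("alice")["session_token"]
    b = store.login("bob")["session_token"]
    print("swap attack works:", store.authorize(a, "bob"))
    store.logout(a)
    print("token valid after logout:", store.user_for(a) is not None)
```

Note that the app never needs to store the username in a cookie at all: the token is the only client-side state, and everything else is looked up from the record it points to.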
Let’s move on..
Account Creation
Password Reset

"We try to solve very
complicated problems
without letting people
know how complicated
the problem was. That's
the appropriate thing."

--Usability Jack and Jill
“Remembering passwords is a pain.
Let’s make our system have a
minimum 4 letter passwords because
it’s more usable.”
--Usability Jack and Jill

Security + Usability
• The days of the 4 character password are over.
• UX team interactions:
• 8+ characters is accepted now
• Show by example
• Use “sentences” versus “words” for passwords
Security and Usability: Designing Secure Systems That People Can Use, Lorrie Faith Cranor
Account Creation
• Typically: accept user data, provision account...
Account Creation
• Sanitize inputs for XSS (validate on the way in, encode on the way out).
• If you are asking for user email, validate that the email actually belongs to the user.
• May have multiple data stores in play here.
Account Creation
• Case Sensitivity...
• Hack: Register with user@email.com and UsEr@email.com. You may be able to register as both if the case sensitivity check isn’t turned on.
• Hack: Use foreign characters to sniff if the datastore is older (LDAP v2)
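A canonicalization step that closes both registration hacks on this slide, as an added example (not the talk's code): every identifier is reduced to one canonical form (Unicode NFKC, case folding, IDNA-encoded domain) before the uniqueness check, so user@email.com, UsEr@email.com and a fullwidth ｕｓｅｒ@email.com all collide on the same row. Treating the local part as case-insensitive, and the dict standing in for a unique index, are assumptions of the demo.

```python
"""Canonical account identifiers, so that user@email.com, UsEr@email.com and
Unicode look-alikes cannot register as separate accounts.

Added example; not code from the talk. Assumptions: the address is stored once
as typed (for display and for sending mail) and once in canonical form under a
uniqueness constraint; a dict stands in for that unique index here.
"""
import unicodedata


def canonical_email(addr):
    """Normalize for uniqueness checks: strip, NFKC, case-fold, IDNA domain.

    NFKC maps compatibility characters (fullwidth letters, ligatures) to their
    plain forms, which is what defeats the "foreign characters" trick. The
    local part is case-folded too: RFC 5321 lets a mailbox be case-sensitive,
    but no mainstream provider honours that, and treating User and user as two
    accounts is exactly the bug the slide describes.
    """
    addr = unicodedata.normalize("NFKC", addr.strip())
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError("not an email address: %r" % addr)
    # IDNA-encode so a Unicode domain and its xn-- spelling collide as well
    domain = domain.casefold().encode("idna").decode("ascii")
    return "%s@%s" % (local.casefold(), domain)


class Registry:
    """Minimal account table keyed by canonical email."""

    def __init__(self):
        self._by_canonical = {}

    def register(self, email, display_name):
        """True if a new account was created, False if the email is taken."""
        key = canonical_email(email)
        if key in self._by_canonical:
            return False  # duplicate, however it was cased or encoded
        self._by_canonical[key] = {"email_as_typed": email.strip(), "name": display_name}
        return True

    def lookup(self, email):
        return self._by_canonical.get(canonical_email(email))


if __name__ == "__main__":
    r = Registry()
    for attempt in ("user@email.com", "UsEr@email.com", "ｕｓｅｒ@EMAIL.com"):
        print(attempt, "->", "created" if r.register(attempt, "demo") else "already registered")
```

Run the same canonical form through login and password reset as well; a uniqueness check at registration is worthless if the login endpoint later does a raw case-sensitive lookup.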
Passwords

Storing Passwords
“I'm gonna pop some tags
Only got clear text passwords in my db
I - I - I'm hunting, looking for a reason to get f*** fired.”
-The Macklemore stance
Storing Passwords

Please don’t go “thrift shop”
your password storage
Storing Passwords
• Store only hashed passwords
• Use a unique, per user salt.
• Use bcrypt/scrypt to generate your hash. They are deliberately slow (scrypt is memory hard as well), which is what makes an offline crack of a dumped table expensive; a single round of SHA-256 is not a password hash.
“That’s great, but I’ll
just figure out your
Cloud DB credentials”
--JoeHacker
Storing Passwords
A technique that I like..
• Break up your data into different stores
• Store the password hash in data store #1
• Store the salt used to compute the hash in data store #2
• Store the # of hash iterations in data store #3 (application config?)
• Have the value stored in #1 not be the password hash itself, but a MAC (Message Authentication Code, aka 'keyed hash') using an application-private MAC key.
http://www.stormpath.com/blog/strong-passwordhashing-part-2 Thanks @Stormpath
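The technique above in code, as an added example (not the talk's or Stormpath's implementation): scrypt with a per-user salt, a MAC over the derived key under an application-private key, and the MAC'd hash, the salt and the cost parameters held in three separate places, so JoeHacker with the cloud DB credentials gets a table he cannot even verify guesses against. The dicts standing in for the stores, the freshly generated MAC key and the scrypt cost settings are assumptions; hashlib.scrypt needs Python 3.6+ built against OpenSSL 1.1 or later.

```python
"""Password storage with per-user salt, a slow hash (scrypt) and an
application-private MAC key, split across three stores.

Added example; not code from the talk or from Stormpath. Assumptions: dicts
stand in for the stores, the MAC key is generated here (production loads it
from config or a secrets manager), and hashlib.scrypt is available.
"""
import hashlib
import hmac
import os

# Store #3: cost parameters live in application config, not next to the hash.
# n=2**14, r=8 needs about 16 MiB per guess; raise n as hardware allows.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
# Application-private key. Without it a dump of store #1 cannot be used to
# check guesses at all, because HMAC(key, scrypt(...)) needs the key.
MAC_KEY = os.urandom(32)

hash_store = {}  # store #1: user_id -> HMAC-SHA256(MAC_KEY, scrypt(password, salt))
salt_store = {}  # store #2: user_id -> 16-byte random salt


def _derive(password, salt, params):
    """Memory-hard KDF over the password; 32-byte output."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **params)


def _mac(value, key):
    return hmac.new(key, value, hashlib.sha256).digest()


def set_password(user_id, password, key=MAC_KEY, params=SCRYPT_PARAMS):
    """Create or rotate a user's credential; each call draws a fresh salt."""
    salt = os.urandom(16)  # unique per user, so equal passwords store differently
    salt_store[user_id] = salt
    hash_store[user_id] = _mac(_derive(password, salt, params), key)


def check_password(user_id, password, key=MAC_KEY, params=SCRYPT_PARAMS):
    """True only if hash, salt, parameters and the MAC key all agree."""
    salt = salt_store.get(user_id)
    stored = hash_store.get(user_id)
    if salt is None or stored is None:
        # Unknown user: burn the same scrypt cost so response time does not
        # reveal whether the account exists, then fail.
        _derive(password, os.urandom(16), params)
        return False
    candidate = _mac(_derive(password, salt, params), key)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


if __name__ == "__main__":
    set_password("alice", "correct horse battery staple")
    print("right password:", check_password("alice", "correct horse battery staple"))
    print("wrong password:", check_password("alice", "Tr0ub4dor&3"))
    print("store #1 value for alice:", hash_store["alice"].hex())
```

Rotating the MAC key requires re-hashing every user at their next login (keep the old key around and accept either until then); rotating the scrypt parameters works the same way, which is why the parameters belong in versioned config rather than being hard-coded.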
Storing Passwords
• http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwordsincorrectly.html
• http://stackoverflow.com/questions/1054022/bestway-to-store-password-in-database
• http://www.stormpath.com/blog/strong-passwordhashing-apache-shiro
• https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Authentication
Reset or Restore?
• I prefer Password Reset.
• “Personal challenge questions” aren’t so personal anymore with Facebook and Twitter.
• Make sure Password Reset tokens are one use only and expire “super fast”
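One-use, short-lived reset tokens as the slide asks for, as an added example (not the talk's code). The same mechanism doubles as the "validate email" step of account creation: the link proves control of the mailbox, and redeeming it yields the account it was issued for rather than trusting a user id in the request. Keeping only a SHA-256 of the token at rest, the 15-minute TTL, the injectable clock and the `set_password` callback passed into the reset flow are assumptions of the demo.

```python
"""One-time, fast-expiring tokens for password reset (and for proving that a
new account's email really belongs to the user).

Added example; not code from the talk. Assumptions: the token is mailed as a
link; only sha256(token) is kept at rest so a copy of this table cannot be
used to reset anyone's password; `clock` is injectable for tests.
"""
import hashlib
import secrets
import time


class ResetTokens:
    def __init__(self, ttl_seconds=15 * 60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # sha256(token) -> {"user": ..., "expires": ...}

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, user_id):
        """Mint a token for `user_id`; any earlier token for that user is void."""
        self._pending = {k: v for k, v in self._pending.items() if v["user"] != user_id}
        token = secrets.token_urlsafe(32)  # 256 random bits, URL-safe for the link
        self._pending[self._fingerprint(token)] = {
            "user": user_id,
            "expires": self.clock() + self.ttl,
        }
        return token  # goes into the email; never logged, never stored as-is

    def redeem(self, token):
        """Return the user id the token was issued for, or None; burns the token.

        The token is removed on first presentation whether or not the caller
        goes on to set a new password, so a captured link is dead after one
        click, and the user id comes from the record, not from the request.
        """
        try:
            key = self._fingerprint(token)
        except UnicodeEncodeError:
            return None
        rec = self._pending.pop(key, None)
        if rec is None or self.clock() >= rec["expires"]:
            return None
        return rec["user"]


def reset_password(tokens, token, new_password, set_password):
    """Reset flow: redeem first, then change the password of that account only.

    `set_password(user_id, new_password)` is the caller's own credential
    writer (assumed here); it is never told which user the client claimed.
    """
    user_id = tokens.redeem(token)
    if user_id is None:
        return False
    set_password(user_id, new_password)
    return True


if __name__ == "__main__":
    tokens = ResetTokens(ttl_seconds=900)
    link = tokens.issue("alice")
    print("first click:", reset_password(tokens, link, "new-pw", lambda u, p: None))
    print("second click:", reset_password(tokens, link, "new-pw", lambda u, p: None))
```

Two things the slide implies but are easy to miss: the response to "send me a reset link" must look identical whether or not the address exists, and a successful reset should also revoke the account's live sessions, otherwise whoever triggered the reset is locked out but the attacker's session keeps working.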
Account Creation Workflow
Option A: Get User Credentials, then Validate Email, then Create Password, then Allow Login
OR
Option B: Get User Credentials and Password, then Validate Email, then Allow Login

Account Creation Workflow
Get User Credentials and Password, then Validate Email, then Allow Login
• Winner!
• Data to support that more users convert to creating accounts this way.
• http://www.stormpath.com/blog/how-weincreased-new-user-registration-27 Thanks @chunsaker
Final Thoughts
• AKA I have to present in a few hours, but I
have no time to worry about flow..
#FreeStyling

Final Thoughts
• If you have many apps with login screens/create account screens, keep these consistent.
• Users lose trust if login screens are different across apps by the same company
Final Thoughts
• If you’re a Java shop, check out the Apache Shiro framework; it’s made for the authentication use case.
• SaaS version: Stormpath
Final Thoughts
• 2 factor auth
• Definitely strengthens the security.
• Usability verdict is still out.
• Challenging to implement, but a good idea.
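Where the slide says 2FA is challenging to implement, most of the difficulty is in verification rather than in generating codes. Below is an added example (not the talk's code) of RFC 4226 HOTP and RFC 6238 TOTP built from the standard library, with the two checks a verifier needs: a one-step clock-skew window and a per-user high-water mark so a code cannot be replayed inside its 30-second step. The base32 secret provisioning and the in-memory replay table are assumptions; the values printed by the demo are the RFCs' published test vectors.

```python
"""Second factor: RFC 4226 HOTP / RFC 6238 TOTP with a skew window and replay
protection.

Added example; not code from the talk. Assumptions: the shared secret was
provisioned to the user's authenticator app out of band (usually as base32 in
an otpauth:// URI) and `last_counter` is persisted per user.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits)


def secret_from_base32(text):
    """Decode the base32 secret an authenticator app was given (padding optional)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    def __init__(self, step=30, window=1, clock=time.time):
        self.step, self.window, self.clock = step, window, clock
        self.last_counter = {}  # user -> highest time-step already accepted

    def verify(self, user, secret, code):
        """Accept `code` if it matches the current step or one step either side
        and that step is newer than the last one this user used (no replay)."""
        now_counter = int(self.clock()) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_counter.get(user, -1):
                continue  # that step (or an older one) was already consumed
            expected = hotp(secret, counter).encode("ascii")
            if hmac.compare_digest(expected, code.encode("utf-8")):
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret "12345678901234567890", as base32.
    secret = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("HOTP(counter=0) =", hotp(secret, 0))
    print("TOTP(t=59, 8 digits) =", totp(secret, 59, digits=8))
```

The second-factor check is itself a brute-force target (a six-digit code in a three-step window is about one chance in 333,000 per guess), so the rate limiting from earlier in the talk applies to the OTP endpoint just as much as to /login.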
Final Thoughts
• Login dashboards in “My Profile” with last login information, geo location and timestamp are more popular.
• You have all this data anyway, so why not show it?
PSA on OAuth
“Why does this random
website need read and write
OAuth access to my twitter /
facebook account?”

Thank You for
your time!
Lunch?

Contenu connexe

Similaire à LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!

Long Live and Prosper To Monolith
Long Live and Prosper To MonolithLong Live and Prosper To Monolith
Long Live and Prosper To MonolithAlex Soto
 
What is SSL/TLS, 1-way and 2-way SSL?
What is SSL/TLS, 1-way and 2-way SSL?What is SSL/TLS, 1-way and 2-way SSL?
What is SSL/TLS, 1-way and 2-way SSL?pqrs1234
 
Inspec one tool to rule them all
Inspec one tool to rule them allInspec one tool to rule them all
Inspec one tool to rule them allKimball Johnson
 
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?Ken Johnson
 
Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
 
SQL Bits: Containers and Clones
SQL Bits: Containers and ClonesSQL Bits: Containers and Clones
SQL Bits: Containers and ClonesAlex Yates
 
[Azure Governance] Lesson 2 : Azure Locks
[Azure Governance] Lesson 2 : Azure Locks[Azure Governance] Lesson 2 : Azure Locks
[Azure Governance] Lesson 2 : Azure Locks☁ Hicham KADIRI ☁
 
Improve your SQL workload with observability
Improve your SQL workload with observabilityImprove your SQL workload with observability
Improve your SQL workload with observabilityOVHcloud
 
What's new with Azure Sql Database
What's new with Azure Sql DatabaseWhat's new with Azure Sql Database
What's new with Azure Sql DatabaseMarco Parenzan
 
[db tech showcase Tokyo 2017] C32: Patterns for building hybrid scenarios wit...
[db tech showcase Tokyo 2017] C32: Patterns for building hybrid scenarios wit...[db tech showcase Tokyo 2017] C32: Patterns for building hybrid scenarios wit...
[db tech showcase Tokyo 2017] C32: Patterns for building hybrid scenarios wit...Insight Technology, Inc.
 
HTML5: Building for a Faster Web
HTML5: Building for a Faster WebHTML5: Building for a Faster Web
HTML5: Building for a Faster WebEric Bidelman
 
An Introduction to DevOps with Chef
An Introduction to DevOps with ChefAn Introduction to DevOps with Chef
An Introduction to DevOps with ChefJulian Dunn
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 
Past, Present, and Pachyderm - All Things Open - 2013
Past, Present, and Pachyderm - All Things Open - 2013Past, Present, and Pachyderm - All Things Open - 2013
Past, Present, and Pachyderm - All Things Open - 2013Robert Treat
 
Top 5 things to know about sql azure for developers
Top 5 things to know about sql azure for developersTop 5 things to know about sql azure for developers
Top 5 things to know about sql azure for developersIke Ellis
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryNikhil Mittal
 
So what's a web app? introduction to the chrome web store
So what's a web app? introduction to the chrome web storeSo what's a web app? introduction to the chrome web store
So what's a web app? introduction to the chrome web storeEric Bidelman
 
#SPSOttawa #SharePoint and #Office365 hybrid configuration from a to z
#SPSOttawa #SharePoint and #Office365 hybrid configuration from a to z#SPSOttawa #SharePoint and #Office365 hybrid configuration from a to z
#SPSOttawa #SharePoint and #Office365 hybrid configuration from a to zNicolas Georgeault
 

Similaire à LASCON 2013 Talk: User Auth for Winners, how to get it right the first time! (20)

Long Live and Prosper To Monolith
Long Live and Prosper To MonolithLong Live and Prosper To Monolith
Long Live and Prosper To Monolith
 
What is SSL/TLS, 1-way and 2-way SSL?
What is SSL/TLS, 1-way and 2-way SSL?What is SSL/TLS, 1-way and 2-way SSL?
What is SSL/TLS, 1-way and 2-way SSL?
 
Inspec one tool to rule them all
Inspec one tool to rule them allInspec one tool to rule them all
Inspec one tool to rule them all
 
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
LASCON 2016 - It's 10PM Do You Know Where Your Access Keys Are?
 
Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!
 
SQL Bits: Containers and Clones
SQL Bits: Containers and ClonesSQL Bits: Containers and Clones
SQL Bits: Containers and Clones
 
[Azure Governance] Lesson 2 : Azure Locks
[Azure Governance] Lesson 2 : Azure Locks[Azure Governance] Lesson 2 : Azure Locks
[Azure Governance] Lesson 2 : Azure Locks
 
Google Dorks and SQL Injection
Google Dorks and SQL InjectionGoogle Dorks and SQL Injection
Google Dorks and SQL Injection
 
Improve your SQL workload with observability
Improve your SQL workload with observabilityImprove your SQL workload with observability
Improve your SQL workload with observability
 
What's new with Azure Sql Database
What's new with Azure Sql DatabaseWhat's new with Azure Sql Database
What's new with Azure Sql Database
 
jDays Sweden 2016
jDays Sweden 2016jDays Sweden 2016
jDays Sweden 2016
 
[db tech showcase Tokyo 2017] C32: Patterns for building hybrid scenarios wit...
[db tech showcase Tokyo 2017] C32: Patterns for building hybrid scenarios wit...[db tech showcase Tokyo 2017] C32: Patterns for building hybrid scenarios wit...
[db tech showcase Tokyo 2017] C32: Patterns for building hybrid scenarios wit...
 
HTML5: Building for a Faster Web
HTML5: Building for a Faster WebHTML5: Building for a Faster Web
HTML5: Building for a Faster Web
 
An Introduction to DevOps with Chef
An Introduction to DevOps with ChefAn Introduction to DevOps with Chef
An Introduction to DevOps with Chef
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenID
 
Past, Present, and Pachyderm - All Things Open - 2013
Past, Present, and Pachyderm - All Things Open - 2013Past, Present, and Pachyderm - All Things Open - 2013
Past, Present, and Pachyderm - All Things Open - 2013
 
Top 5 things to know about sql azure for developers
Top 5 things to know about sql azure for developersTop 5 things to know about sql azure for developers
Top 5 things to know about sql azure for developers
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
So what's a web app? introduction to the chrome web store
So what's a web app? introduction to the chrome web storeSo what's a web app? introduction to the chrome web store
So what's a web app? introduction to the chrome web store
 
#SPSOttawa #SharePoint and #Office365 hybrid configuration from a to z
#SPSOttawa #SharePoint and #Office365 hybrid configuration from a to z#SPSOttawa #SharePoint and #Office365 hybrid configuration from a to z
#SPSOttawa #SharePoint and #Office365 hybrid configuration from a to z
 

Plus de Karthik Gaekwad

DevSecOps in a cloudnative world
DevSecOps in a cloudnative worldDevSecOps in a cloudnative world
DevSecOps in a cloudnative worldKarthik Gaekwad
 
Mental Health studies and devops
Mental Health studies and devopsMental Health studies and devops
Mental Health studies and devopsKarthik Gaekwad
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityKarthik Gaekwad
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native SecurityKarthik Gaekwad
 
Kubernetes security and you
Kubernetes security and youKubernetes security and you
Kubernetes security and youKarthik Gaekwad
 
Kube applications in action
Kube applications in actionKube applications in action
Kube applications in actionKarthik Gaekwad
 
Containers, microservices and serverless for realists
Containers, microservices and serverless for realistsContainers, microservices and serverless for realists
Containers, microservices and serverless for realistsKarthik Gaekwad
 
Containers and microservices for realists
Containers and microservices for realistsContainers and microservices for realists
Containers and microservices for realistsKarthik Gaekwad
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applicationsKarthik Gaekwad
 
Agile 2013 Talk: How DevOps Changes Everything
Agile 2013 Talk: How DevOps Changes EverythingAgile 2013 Talk: How DevOps Changes Everything
Agile 2013 Talk: How DevOps Changes EverythingKarthik Gaekwad
 
Sexy HTML with Twitter Bootstrap
Sexy HTML with Twitter BootstrapSexy HTML with Twitter Bootstrap
Sexy HTML with Twitter BootstrapKarthik Gaekwad
 
12 Clouds of Christmas 2012- Stormpath
12 Clouds of Christmas 2012- Stormpath12 Clouds of Christmas 2012- Stormpath
12 Clouds of Christmas 2012- StormpathKarthik Gaekwad
 

Plus de Karthik Gaekwad (20)

Why to Cloud Native
Why to Cloud NativeWhy to Cloud Native
Why to Cloud Native
 
DevSecOps in a cloudnative world
DevSecOps in a cloudnative worldDevSecOps in a cloudnative world
DevSecOps in a cloudnative world
 
Mental Health studies and devops
Mental Health studies and devopsMental Health studies and devops
Mental Health studies and devops
 
This is your community
This is your communityThis is your community
This is your community
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native Security
 
10 tips for Cloud Native Security
10 tips for Cloud Native Security10 tips for Cloud Native Security
10 tips for Cloud Native Security
 
Kube Apps in action
Kube Apps in actionKube Apps in action
Kube Apps in action
 
KubeSecOps
KubeSecOpsKubeSecOps
KubeSecOps
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
 
Kubernetes security and you
Kubernetes security and youKubernetes security and you
Kubernetes security and you
 
Kube applications in action
Kube applications in actionKube applications in action
Kube applications in action
 
Devops and Dadops
Devops and DadopsDevops and Dadops
Devops and Dadops
 
Containers, microservices and serverless for realists
Containers, microservices and serverless for realistsContainers, microservices and serverless for realists
Containers, microservices and serverless for realists
 
Containers and microservices for realists
Containers and microservices for realistsContainers and microservices for realists
Containers and microservices for realists
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
 
Why to docker
Why to dockerWhy to docker
Why to docker
 
Agile 2013 Talk: How DevOps Changes Everything
Agile 2013 Talk: How DevOps Changes EverythingAgile 2013 Talk: How DevOps Changes Everything
Agile 2013 Talk: How DevOps Changes Everything
 
DevOps at the CIA
DevOps at the CIADevOps at the CIA
DevOps at the CIA
 
Sexy HTML with Twitter Bootstrap
Sexy HTML with Twitter BootstrapSexy HTML with Twitter Bootstrap
Sexy HTML with Twitter Bootstrap
 
12 Clouds of Christmas 2012- Stormpath
12 Clouds of Christmas 2012- Stormpath12 Clouds of Christmas 2012- Stormpath
12 Clouds of Christmas 2012- Stormpath
 

Dernier

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Dernier (20)

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024

LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!

  • 1. User Authentication for Winners! Speaker: Karthik Gaekwad Password: LASCON 2013 Remember this stuff when you code @iteration1 Friday, October 25, 13 #UserAuth101
  • 2. User Authentication for Winners! Speaker: Karthik Gaekwad Password: ************ Well played, security guru; well played! Remember this stuff when you code
  • 3. Howdy! • I’m Karthik Gaekwad • Senior Web Engineer • Mentor Graphics Embedded • From Austin, TX • Spent the last 3 years writing/refining cloud based user auth systems
  • 4. Audience Survey
  • 5. My agenda • Developers and DevOps • Build better auth systems • Security Pros • Give you developer insight, new ideas to attack auth systems • Management • Give this ppt to your dev teams.
  • 6. Authentication Mechanisms • Write your own • OpenID • OAuth
  • 7. Authentication Mechanisms • Write your own • OpenID • OAuth
  • 8. Common Perception “Building a User Authentication system is easy. It’s just a username and password, stored somewhere”
  • 10. Designing Auth Systems API: How your system is used • Login/Logout • Session Management (Remember Me etc.) • User Creation • Password Reset
  • 11. Designing Auth Systems Workflows: Rules for how the system works • Account Creation • Password Reset • Account Recovery
  • 12. Designing Auth Systems User Interface: What the end user will actually see • Where users can create an account • Login screens • My Profile Page • End applications using the APIs
  • 13. High Level Design Email Web Services, API Web Services (Login/Logout), User Portal, App 1, App 2, App 3..., Data store(s)
  • 14. High Level Design Email Web Services, API Web Services (Login/Logout), User Portal, App 1, App 2, App 3..., Data store(s)
  • 15. High Level Design Email Web Services, API Web Services (Login/Logout), User Portal, App 1, App 2, App 3..., Data store(s)
  • 16. Quick look @data • email • username • first name • last name • password • {id}
  • 17. Quick look @data Keep your auth data separate • You don’t want to clutter your auth data with ecommerce/address/whatever other data • Not rocket science. • It’s called normalization
  • 18. Breaking it down API Web Services (Login/Logout)
  • 19. Login Web Services API Web Services (Login/Logout) The Goal: Keep user credentials as safe as possible in transit
  • 20. Login Web Services Request (App 1 -> API Web Services (Login/Logout)): POST /login, encoded username:password. Response: HTTP 200/201 with session token, session id expiration, first name, last name
  • 21. Login Web Services Request (App 1 -> API Web Services (Login/Logout)): GET /login/(session token). Response: HTTP 200/201 (success), HTTP 401 (failures), with session token, session id expiration, first name, last name
  • 22. Login Web Services • Minimize sending usernames and passwords over the wire. • Harder to sniff if it’s rarely there • Don’t put this in the URL (server logs) • Session tokens: Set an expiration time. • Client can re-login if necessary
  • 23. Login Web Services HTTP?
  • 24. “That’s great, but I can brute force the endpoint” --JoeHacker
  • 25. Rate Limiting • “Only x number of calls per minute to the endpoint” • Recommended for all login and session token endpoints. • Can be complicated to implement, but worth it and reusable. • http://www.client9.com/2012/05/01/ratelimiting-at-scale/ Thanks @NGalbreath!
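A sliding-window limiter of the kind slide 25 asks for, as an added example (not code from the talk or from the client9 post it links): each key gets at most `limit` calls per `window` seconds, and the login gate keys on both the caller's address and the target account, so a burst against one username is throttled even when it arrives from many addresses. The class and function names, the 5-per-minute limit and the in-memory dict are assumptions; a service with more than one node swaps the dict for a shared store.

```python
import time
from collections import defaultdict, deque


class RateLimiter:
    """At most `limit` calls per `window` seconds for each key (constructed example)."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self._clock = clock                                  # injectable for deterministic tests
        self._hits: dict[str, deque] = defaultdict(deque)    # in-memory; swap for a shared store

    def allow(self, key: str) -> bool:
        """Return True and record the call if `key` is under its limit, else False."""
        now = self._clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:         # drop hits that left the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


# One limiter per endpoint, as the slide recommends for login and session-token endpoints.
LOGIN_LIMITER = RateLimiter(limit=5, window=60.0)


def login_allowed(client_ip: str, username: str) -> bool:
    """Gate for POST /login; evaluated before any credential check is attempted."""
    # Both keys must be under their limit; usernames are lower-cased so case variants
    # of one account share a single counter.
    return (LOGIN_LIMITER.allow(f"ip:{client_ip}")
            and LOGIN_LIMITER.allow(f"user:{username.lower()}"))
```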
  • 26. Note on Session Tokens How I really feel about rand() and guid() functions... Yuck. Use something cryptographically secure. Keep them 128 bit or greater.
  • 27. Login Hack #1 • Often, the end (web) application will store the username and session token in a cookie. • Hack: Create 2 accounts, log in with both and store the cookies. Trade the session token of one account with the other, and see if you can see the other account’s data...
  • 28. Login Hack #1 • Developers have good intentions but....
  • 29. Login Hack #2 • Verify that session tokens actually expire! • Try using the same session token even after you’ve hit “log out” in the application. • cookies.clear() is easier than actually calling the /logout endpoint to invalidate tokens.
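The token lifecycle that slides 20 to 29 describe, written out as an added example (not code from the talk): 128-bit tokens from the CSPRNG, a server-side expiry, a /logout that really invalidates, and a validation step that fails both login hacks. The SessionStore class, its method names and the 15-minute TTL are assumptions; the credential check behind POST /login is left out.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 16                 # 128 bits from the CSPRNG (slide 26), never rand()/guid()
SESSION_TTL_SECONDS = 15 * 60    # slide 22: tokens expire; the client re-logs in if needed


@dataclass
class Session:
    username: str
    expires_at: float


class SessionStore:
    """Server-side table behind /login and /logout (constructed example, in-memory)."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable so expiry is testable
        self._sessions: dict[str, Session] = {}

    def login(self, username: str) -> str:
        """Issue a token after POST /login has verified the credentials (not shown here)."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = Session(username, self._clock() + SESSION_TTL_SECONDS)
        return token

    def validate(self, token: str, claimed_username: str) -> bool:
        """GET /login/<token>: True only for a live token that belongs to the claimed account."""
        session = self._sessions.get(token)
        if session is None:
            return False
        if self._clock() >= session.expires_at:
            del self._sessions[token]             # expired tokens are removed, not just refused
            return False
        # Login Hack #1: a cookie pairing user A's name with user B's token must be rejected,
        # so the account comes from the server-side record, never from the client's claim alone.
        return session.username == claimed_username

    def logout(self, token: str) -> None:
        """/logout invalidates server-side; cookies.clear() alone leaves the token live (Hack #2)."""
        self._sessions.pop(token, None)
```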
  • 30. Let’s move on... Account Creation, Password Reset
  • 32. "We try to solve very complicated problems without letting people know how complicated the problem was. That's the appropriate thing."
  • 33. --Usability Jack and Jill
  • 34. “Remembering passwords is a pain. Let’s make our system have minimum 4 letter passwords because it’s more usable.” --Usability Jack and Jill
  • 35. Security + Usability • The days of the 4 character password are over. • UX team interactions: • 8+ characters is accepted now • Show by example • Use “sentences” versus “words” for passwords • Security and Usability: Designing Secure Systems That People Can Use, Lorrie Faith Cranor
  • 36. Account Creation • Typically: accept user data, provision account...
  • 37. Account Creation • Sanitize inputs for XSS. • If you are asking for user email, validate that the email actually belongs to the user. • May have multiple data stores in play here.
  • 38. Account Creation • Case Sensitivity... • Hack: Register with user@email.com and UsEr@email.com. You may be able to register as both if the case sensitivity check isn’t turned on. • Hack: Use foreign characters to sniff if the datastore is older (LDAP v2)
  • 40. Storing Passwords “I'm gonna pop some tags Only got clear text passwords in my db I - I - I'm hunting, looking for a reason to get f*** fired.” -The Macklemore stance
  • 41. Storing Passwords Please don’t go “thrift shop” on your password storage
  • 42. Storing Passwords • Store only hashed passwords • Use a unique, per user salt. • Use bcrypt/scrypt to generate your hash
  • 43. “That’s great, but I’ll just figure out your Cloud DB credentials” --JoeHacker
  • 44. Storing Passwords • A technique that I like... Break up your data into different stores: • Store the password hash in data store #1 • Store the salt used to compute the hash in data store #2 • Store the # of hash iterations in data store #3 (application config?) • Have the value stored in #1 not be the password hash itself, but a MAC (Message Authentication Code, aka 'keyed hash') using an application-private MAC key. http://www.stormpath.com/blog/strong-passwordhashing-part-2 Thanks @Stormpath
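Slides 42 to 44 as an added example, not the talk’s or Stormpath’s code: a per-user salt, a slow hash, and the split that keeps the keyed hash, the salt and the work factor in three different places, so that a leaked copy of store #1 alone (slide 43’s scenario) gives neither the salt nor anything computable without the application’s MAC key. The dict-backed stores, the function names and the iteration count are constructed; PBKDF2-HMAC-SHA256 from the Python standard library stands in as the slow hash because its iteration count maps directly onto store #3, where slide 42’s bcrypt/scrypt would otherwise be used.

```python
import hashlib
import hmac
import secrets

# Slide 44's split. The three dicts and the key below are constructed stand-ins for
# real stores and a real secrets manager.
HASH_STORE: dict[str, bytes] = {}                 # store #1: username -> MAC(hash)
SALT_STORE: dict[str, bytes] = {}                 # store #2: username -> per-user salt
APP_CONFIG = {"pbkdf2_iterations": 600_000}       # store #3: the work factor, app config
APP_MAC_KEY = secrets.token_bytes(32)             # application-private; never in any data store


def _slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash of the password (PBKDF2 here; bcrypt/scrypt per slide 42)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def _keyed(digest: bytes) -> bytes:
    """Store #1 never holds the raw hash, only a MAC over it under the app-private key."""
    return hmac.new(APP_MAC_KEY, digest, hashlib.sha256).digest()


def set_password(username: str, password: str) -> None:
    """Create or rotate a credential: fresh salt per user and per change."""
    salt = secrets.token_bytes(16)
    digest = _slow_hash(password, salt, APP_CONFIG["pbkdf2_iterations"])
    SALT_STORE[username] = salt
    HASH_STORE[username] = _keyed(digest)


def verify_password(username: str, password: str) -> bool:
    """Recompute from all three places and compare in constant time."""
    stored = HASH_STORE.get(username)
    salt = SALT_STORE.get(username)
    if stored is None or salt is None:
        return False
    digest = _slow_hash(password, salt, APP_CONFIG["pbkdf2_iterations"])
    return hmac.compare_digest(_keyed(digest), stored)
```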
  • 46. Reset or Restore? • I prefer Password Reset. • “Personal challenge questions” aren’t so personal anymore with Facebook and Twitter. • Make sure Password Reset tokens are one use only and expire “super fast”
  • 47. Account Creation Workflow Get User Credentials -> Validate Email -> Create Password -> Allow Login OR Get User Credentials and Password -> Validate Email -> Allow Login
  • 48. Account Creation Workflow Get User Credentials and Password -> Validate Email -> Allow Login • Winner! • Data to support that more users convert to creating accounts this way. • http://www.stormpath.com/blog/how-weincreased-new-user-registration-27 Thanks @chunsaker
  • 49. Final Thoughts • AKA I have to present in a few hours, but I have no time to worry about flow... #FreeStyling
  • 50. Final Thoughts • If you have many apps with login screens/create account screens, keep these consistent. • Users lose trust if login screens are different across apps by the same company
  • 51. Final Thoughts • If you’re a Java shop, check out the Apache Shiro Framework; it’s made for the authentication use case. • SaaS version: Stormpath
  • 52. Final Thoughts • 2 factor auth • Definitely strengthens the security. • Usability verdict is still out. • Challenging to implement, but a good idea.
  • 53. Final Thoughts • Login Dashboards in “My Profile” with last login information, geo location and timestamp are more popular. • You have all this data anyway, so why not show it?
  • 54. PSA on OAuth “Why does this random website need read and write OAuth access to my twitter / facebook account?”
  • 55. Thank You for your time! Lunch?