Know anyone that...
...uses the same password for everything?
Multiple Passwords
Regarding multiple passwords...
• ...never write a password down or store it unencrypted (including email, SMS, etc.).
• ...avoid reusing a password for any two things.
• ...if you feel you must reuse some passwords, never reuse a password for something which needs to be secure.
• ...many people have tricks based on what the password is for (Steve Gibson has a new one).
• ...you could use KeePass or LastPass.
Know anyone that...
...thinks it's a good idea to change passwords every 6 months?
Regular Password Changes
Changing your passwords every 6 months...
• ...does nothing to protect you.
• ...encourages bad password habits.
• ...gives a false sense of security.
• ...is much less secure than making your passwords a few characters longer.
• ...makes end users hate tech support. :(
Know anyone that...
...thinks it's okay to limit passwords to being between 8 and 25 characters in length?
Minimum Password Length
Passwords should be...
• ...made of not just lower-case letters.
• ...no less than 12 characters long given the power of the modern GPU.
• ...as long as is practical (more on this in a bit).
Password Haystacks
Which password will be caught first by most brute-force password cracking algorithms?
• D0g.....................
• PrXyc.N(n4k77#L!eVdAfp9
Steve Gibson came up with the idea of “Password Haystacks” just a few months ago, and it is already starting to take off.
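Added example (not from the slides or from Steve Gibson's site): a small Python calculator for the haystack idea above and for the minimum-length rule on the previous slide. It sizes the search space an exhaustive search must cover as every string of length 1 through the password's length over the character classes the password actually uses (Gibson's 26 + 26 + 10 + 33 alphabet). The two passwords are the ones on the slide; the guess rate, the 12-character policy check and the helper names are assumptions made for this example.

```python
import string

# Gibson's haystack alphabet: 26 lower, 26 upper, 10 digits, 33 symbols (punctuation plus space).
SYMBOLS = string.punctuation + " "

# The two passwords from the slide (the first is "D0g" followed by 21 dots, 24 characters in all).
DOG_PASSWORD = "D0g" + "." * 21
RANDOM_PASSWORD = "PrXyc.N(n4k77#L!eVdAfp9"


def alphabet_size(password: str) -> int:
    """Size of the smallest haystack alphabet that contains every character of the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += 33
    return size


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search must try to be certain of reaching this
    password: every string of length 1..len(password) over the detected alphabet.
    Caveat: this measures resistance to pure brute force only; a dictionary or
    pattern-based attack does not walk the haystack in order."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int = 10 ** 12) -> float:
    """Worst-case time for an attacker at an assumed guess rate (10^12/s is a constructed figure)."""
    return search_space(password) / guesses_per_second


def meets_minimum(password: str) -> bool:
    """The previous slide's floor: at least 12 characters and more than one character class."""
    return len(password) >= 12 and alphabet_size(password) > 26


if __name__ == "__main__":
    for pw in (DOG_PASSWORD, RANDOM_PASSWORD):
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"search space {search_space(pw):.3e}, "
              f"{seconds_to_exhaust(pw) / (3600 * 24 * 365):.3e} years at 1e12 guesses/s")
```

Both passwords draw on all four character classes, so the 24-character one has a search space 95 times larger than the 23-character one, which is the slide's point: against a brute-force search, length beats apparent complexity.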
Know anyone that...
...thinks it's okay to have an upper limit on how many characters are in a password?
Note: Not referring to an upper limit imposed by buffer size.
Upper Limits on Length
If someone gives you an upper limit on password length that isn't solely because of browser or server limitations...
• ...you need to be very concerned.
• ...they could be storing your password instead of storing its hash.
• ...they could possibly get your password.
• ...an ID thief can probably get your password.
Know anyone that...
...stores passwords (plain or encrypted) in a database field?
Password Hashes
Passwords should...
• ...NEVER be stored in a database in such a way that they can be recreated.
• ...be checked by comparing the hash of the supplied password against the password hash stored in the database.
• ...be removed from RAM as quickly as possible.
• ...be salted by being padded and then encrypted using a combination of data that changes between users and a secret site key.
• ...be hashed using a modern hashing algorithm like SHA-384.
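Added example (not code from the slides): the storage scheme these bullets describe, written in Python with only the standard library. Each user gets a random salt, SHA-384 is taken over salt and password, the result is keyed with a secret site key through HMAC, and the login check uses a constant-time comparison. SITE_KEY, the in-memory USERS table and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed secret site key. In a real deployment it lives in configuration
# outside the database, so a dump of the user table alone does not reveal it.
SITE_KEY = b"constructed-site-key-not-a-real-secret"

# Constructed stand-in for a database table: username -> (salt, keyed hash).
USERS = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Return (salt, hex digest). SHA-384 over salt||password, then keyed with the
    site-wide secret via HMAC-SHA-384, so neither the salt nor the password alone
    reproduces the stored value."""
    if salt is None:
        salt = os.urandom(16)  # per-user random value, stored beside the hash
    inner = hashlib.sha384(salt + password.encode("utf-8")).digest()
    keyed = hmac.new(SITE_KEY, inner, hashlib.sha384).hexdigest()
    return salt, keyed


def verify_password(password: str, salt: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so the response
    time does not reveal how many leading bytes of the hash matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def create_user(name: str, password: str) -> None:
    """Only the salt and the keyed hash are written; the password itself is never stored."""
    USERS[name] = hash_password(password)


def check_login(name: str, password: str) -> bool:
    record = USERS.get(name)
    if record is None:
        hash_password(password)  # do the same work so an unknown user is not faster
        return False
    salt, stored = record
    return verify_password(password, salt, stored)


if __name__ == "__main__":
    create_user("alice", "correct horse battery staple")
    print("right password:", check_login("alice", "correct horse battery staple"))
    print("wrong password:", check_login("alice", "Correct horse battery staple"))
    print("stored record:", USERS["alice"])
```

The stored value is always 96 hex characters whatever length the user chose, which is why a hashed store needs no upper limit on password length (the previous slide's point). One caveat beyond the slides: current practice is a deliberately slow, salted key-derivation function (PBKDF2, bcrypt, scrypt or Argon2) rather than a single fast SHA-2 pass, because a GPU can try a very large number of plain SHA-384 guesses per second; the salt, site key and constant-time comparison shown here apply unchanged.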
Password Requirements
Passwords should be required to...
• ...have more than just lower-case letters.
• ...be at least 12 characters long.
• ...never be known, read, heard, or seen by anyone else ever, no exceptions.
• ...not have been guessed by a password cracker.
• ...be something the user has entered, and never be a temporary password given to the user by an admin or password reset email.
• ...be entered only on pages protected by captchas whenever possible.
Know anyone that...
...doesn't always check that every page is HTTPS while logging in and while logged in?
HTTPS (as Client)
To protect yourself while browsing...
• ...make sure your browser no longer trusts the DigiNotar certificate authority!
• ...always make sure you have a secure connection before entering data.
• ...always make sure you have a secure connection if you are logged in.
• ...definitely get the HTTPS Everywhere plugin.
• ...possibly get the Certificate Patrol plugin.
HTTPS (as Server)
HTTPS should always be required when...
• ...usernames and/or passwords are accepted.
• ...cookies are being sent or requested.
• ...the user is logged in.
• ...JavaScript is provided and sensitive data can be entered in forms on the page.
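Added example (not from the slides): a minimal WSGI application, in Python with only the standard library, that enforces the server-side rule above. Plain-HTTP requests are redirected to HTTPS before any credential or cookie is handled, the session cookie is issued only over TLS and carries the Secure and HttpOnly flags, and an HSTS header tells the browser to stay on HTTPS. The /login path, the host name, the cookie value and the call helper are constructed for the example.

```python
from typing import Dict, Tuple

# Constructed session cookie. Secure: the browser sends it only over TLS.
# HttpOnly: page scripts cannot read it, so a script injection cannot steal it.
SESSION_COOKIE = "session=constructed-session-id; Secure; HttpOnly; SameSite=Strict; Path=/"


def secure_app(environ, start_response):
    """Serve anything that touches credentials, cookies or a logged-in user over HTTPS only."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST", "example.invalid")
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")

    if scheme != "https":
        # Never accept a login or emit a cookie over plain HTTP: redirect first.
        # A POSTed login body over HTTP is already exposed, so the redirect cannot
        # rescue it; the point is that the form and its action are never served this way.
        start_response("301 Moved Permanently",
                       [("Location", f"https://{host}{path}"), ("Content-Length", "0")])
        return [b""]

    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        # HSTS: the browser uses HTTPS for every later request to this host for a year.
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ]
    if path == "/login" and method == "POST":
        # Credentials were accepted over TLS; the session cookie is set only here.
        headers.append(("Set-Cookie", SESSION_COOKIE))
    start_response("200 OK", headers)
    return [b"ok"]


def call(environ: Dict[str, str]) -> Tuple[str, Dict[str, str], bytes]:
    """Invoke the app without a network server and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(secure_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    print(call({"wsgi.url_scheme": "http", "HTTP_HOST": "example.invalid",
                "PATH_INFO": "/login", "REQUEST_METHOD": "POST"})[:2])
    print(call({"wsgi.url_scheme": "https", "HTTP_HOST": "example.invalid",
                "PATH_INFO": "/login", "REQUEST_METHOD": "POST"})[:2])
```

To run it behind a real listener, hand secure_app to any WSGI server (wsgiref.simple_server for a local try) with TLS terminated in front of it so that wsgi.url_scheme reflects the real transport.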
Other Notes
• Whenever possible, use OpenID to handle users (so you can avoid any password-related pitfalls in the first place).
• Never ask a user for credentials to another site; always use OAuth to enable such functionality.
• If you believe any passwords have been compromised, inform everyone immediately; DigiNotar's fate was sealed when they chose not to responsibly disclose.
• You need to start thinking about two-factor and three-factor authentication if you haven't started already.
About Cryptography
Cryptography...
• ...is not intuitive.
• ...can solve almost every problem in security.
• ...can often make up for PEBKAC.
• ...is going to become increasingly vital to your company.
• ...is something I hope you ask me more about.