Secure Management of Credentials
Zouheir Abdallah, CISA
Senior Risk Specialist – CS/QCERT
6/30/2013 1
Introduction
• Since the introduction of the e-Commerce Law Decree No. (16)
of 2010, web applications have been on the rise in Qatar. These
portals grant the users the ability to perform various electronic
transactions.
Introduction
• It is the responsibility of the owners of these web applications to
safeguard the credentials that have been entrusted to them.
Failure to properly secure the credentials of their user base
could lead to a huge loss, both financially and in business reputation.
http://money.cnn.com/2012/01/16/technology/zappos_hack/index.htm?iid=EL#TOP
Outline
1. Managing User IDs
2. Managing Passwords
• Password Length
• Password Complexity
3. Storage of Credentials
• No Encryption
• Hashing
• Salting
4. Secure and Unsecure WebApp practices
• Sending Passwords via email
• One-Time Token via a URL
5. 2-Factor Authentication
Managing User IDs
Managing User IDs
• A User ID is a unique identifier.
• As a WebApp developer, make sure that User IDs are case-insensitive, so that
the User ID “Ahmad” is the same as “ahmad” or “AHMAD”.
Managing Passwords
Managing Passwords
• In traditional authentication methods, the password and the
User ID provide basic authentication.
Managing Passwords (Length)
• Ideally, the longer the password the better.
• The web application should set a minimum password length and
enforce it on the user upon password entry.
• Minimum length should be at least 8 characters long.
Managing Passwords (Complexity)
• A web application should enforce a certain password complexity
schema to prevent users from using easy to guess passwords.
• Allow the user to enter virtually any password and any
character.
Managing Passwords (Complexity)
• Make sure that the application clearly states which rules of your
password policy the entered password violates.
Managing Passwords (Complexity)
• Preferably the web application should have the functionality to
force the users to choose passwords that adhere to specific
criteria set by the developer, for example:
• 1 Upper Case Letter
• 1 Lower Case Letter
• 1 Number
• 1 Special Character
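As an added example (not code from the presentation), a Python policy check that evaluates every rule listed on these slides and returns the full list of rules the entered password violates, so the application can show the user exactly what is wrong; the rule messages are assumed wording.

```python
# Policy from the slides: minimum 8 characters, at least 1 upper-case letter,
# 1 lower-case letter, 1 number and 1 special character. Rule messages and the
# function name are assumptions of this example, not the presentation's code.
MIN_LENGTH = 8

# Each rule: (message shown to the user, predicate that holds when the rule is met).
# Nothing rejects a character: the user may type virtually any password, the
# policy only requires certain character classes to be present.
RULES = [
    (f"must be at least {MIN_LENGTH} characters long", lambda p: len(p) >= MIN_LENGTH),
    ("must contain at least 1 upper-case letter", lambda p: any(c.isupper() for c in p)),
    ("must contain at least 1 lower-case letter", lambda p: any(c.islower() for c in p)),
    ("must contain at least 1 number", lambda p: any(c.isdigit() for c in p)),
    ("must contain at least 1 special character", lambda p: any(not c.isalnum() for c in p)),
]


def password_violations(password: str) -> list:
    """Return every rule the password violates; an empty list means it is acceptable.

    All rules are evaluated rather than stopping at the first failure, so the
    application can state the complete set of violated rules in one message.
    """
    return [message for message, holds in RULES if not holds(password)]
```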
Storing Credentials
Storing Credentials
• Credentials are essential to authenticating the users and
granting them access to the application.
• So it is only logical to enforce controls on the storage of these
credentials to mitigate the risk associated with their leakage.
Storing Credentials
• Credentials should NOT be stored in the database in a clear text
form.
Storing Credentials
• Passwords should be hashed rather than encrypted.
• Hashing is a one-way function, whereas encryption is a two-way
function, so encrypted passwords can be decrypted and exposed.
[Figure: Password -> encrypt / decrypt <-> DB, versus Password -> Hash function -> DB]
Storing Credentials (Salting)
• Salts are stored in plain text in the database along with the
username and the salted, hashed password.
• The purpose of salting is to prevent the mass recovery of passwords
if the database itself is leaked.

User name    Salt      Salted hashed password
Mohammad     134a209   24bcde31100baccde2efgaedbc24
Omar         abde312   a01bc34aef33120bge234666adcff
Rayan        a1345gb   4cba201ddeg27aegdac6324012ba
Storing Credentials (Salting)
• Make sure that the passwords are salted before being hashed
and then stored in the database. Salting adds an additional
control against the mass recovery of leaked password hashes via
rainbow-table and dictionary attacks.
Storing Credentials (Salting)
• Rainbow tables are precalculated databases of all possible hash
values.

Password           Hash
a...               abef013bae221221
aa...              cb1290abcd2231ae
...                ...
zzzzzzzzzzzzzzz    10cb2ae46dfg7120
Storing Credentials (Salting)
• Attackers use them to find the passwords by comparing the hashes of
pre-calculated passwords with the leaked ones.

Leaked database                   Rainbow table (precalculated hashes)
Hash                              Password       Hash
24bcde31100baccde2efgaedbc24      ...            ...
a01bc34aef33120bge234666adcff     hEll0Every1    bb27cd134ca4200bdef4728100aca
4cba201ddeg27aegdac6324012ba      iLoveQatar     a01bc34aef33120bge234666adcff
                                  n0TTrue        345acbde236ab20dd01bc12f4f332
                                  ...            ...

The leaked hash a01bc34aef33120bge234666adcff matches the precalculated hash of
iLoveQatar, so that user’s password is recovered with a simple lookup.
Storing Credentials (Salting)
• Salting makes it hard for the attacker to mass “de-hash” the
leaked passwords.
Storing Credentials (Salting)
Leaked salted database
Salt      Hash
134a209   24bcde31100baccde2efgaedbc24
abde312   a01bc34aef33120bge234666adcff
a1345gb   4cba201ddeg27aegdac6324012ba

Rainbow table (precalculated hashes) + salt = abde312
Password       Hash
...            ...
hEll0Every1    bb27cd134ca4200bdef4728100aca
iLoveQatar     a01bc34aef33120bge234666adcff
n0TTrue        345acbde236ab20dd01bc12f4f332
...            ...

Rainbow table (precalculated hashes) + salt = 134a209
Password       Hash
...            ...
hEll0Every1    bb27cd134ca4200bdef4728100aca
iLoveQatar     acbde2431bdde567aed321004212
n0TTrue        24bcde31100baccde2efgaedbc24
...            ...

Rainbow table (precalculated hashes) + salt = a1345gb
Password       Hash
...            ...
hEll0Every1    4cba201ddeg27aegdac6324012ba
iLoveQatar     fbcd200123adcbfgbge234666adcff
n0TTrue        acbde2431bdde567aed321004212
...            ...

With salting, the attacker needs a separate precalculated table for every salt
value present in the leaked database, instead of one table for all users.
Storing Credentials (Salting)
• How to validate the credentials with the stored salted hash?
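An added example, not the presentation’s code, answering the validation question above and illustrating the salting slides: the stored record is the per-user plain-text salt, the salted hash and the work factor; login looks the User ID up case-insensitively (as the User ID slide requires), recomputes the hash with the stored salt and compares in constant time. It assumes PBKDF2-HMAC-SHA256 as the hash function and a random 16-byte salt; the user names and passwords are the sample values from the slides.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size are assumptions for this example.
ITERATIONS = 600_000      # PBKDF2 rounds: deliberately slow, unlike one SHA-256 round
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Build the record stored in the users table: plain-text salt, salted hash, work factor."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)           # a fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash of the candidate with the stored salt and work factor,
    then compare in constant time so timing does not leak how many bytes matched."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def build_user_table(iterations: int = ITERATIONS) -> dict:
    """Constructed users table keyed by lower-cased User ID; the names and
    passwords are the sample values used on the slides."""
    return {
        "mohammad": hash_password("hEll0Every1", iterations=iterations),
        "omar": hash_password("iLoveQatar", iterations=iterations),
        "rayan": hash_password("n0TTrue", iterations=iterations),
    }


def authenticate(users: dict, user_id: str, password: str) -> bool:
    """Validate a login: case-insensitive User ID lookup ("Ahmad" == "ahmad" == "AHMAD"),
    then verification of the password against the stored salted hash."""
    record = users.get(user_id.casefold())
    if record is None:
        # Unknown user: still spend one hash computation so the response time
        # does not reveal whether the User ID exists.
        hash_password(password, salt=bytes(SALT_BYTES))
        return False
    return verify_password(record, password)


def salted_hashes_differ(password: str) -> bool:
    """Hash the same password twice with fresh salts: the stored hashes differ, which
    is why one precalculated (rainbow) table cannot cover more than one salt value."""
    first = hash_password(password, iterations=1_000)
    second = hash_password(password, iterations=1_000)
    return first["salt"] != second["salt"] and first["hash"] != second["hash"]
```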
Secure and Un-Secure Practices
Secure & UnSecure Practices
• Never send the user his/her password, neither via email nor via
any other form of communication.
Secure & UnSecure Practices
• If the user has forgotten their password and clicked “I forgot my
password”, send the user a one-time token embedded in a URL to their
inbox. Make sure that this token has an expiry time.
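An added example, not the presentation’s code, of the one-time token described above: a random token is emailed inside a URL, only its SHA-256 fingerprint is kept server-side, and it is rejected after the expiry time or after its first use. The base URL, the 15-minute lifetime and the class name are assumptions.

```python
import hashlib
import secrets
import time
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 15 * 60                                 # assumed lifetime
RESET_BASE_URL = "https://example.invalid/reset?token="     # placeholder base URL


class ResetTokenStore:
    """Server-side store for "I forgot my password" tokens.

    Only the SHA-256 fingerprint of each token is kept, so a copy of this table
    cannot be used to reset anyone's password; the token itself exists only in
    the emailed URL. Each token is single-use and expires after ttl seconds.
    """

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS,
                 now: Callable[[], float] = time.time):
        self.ttl = ttl
        self.now = now          # injectable clock so expiry can be exercised in tests
        self._pending = {}      # fingerprint -> (user_id, expires_at)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Generate a one-time token for user_id and return the URL to send to the inbox."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[self._fingerprint(token)] = (user_id, self.now() + self.ttl)
        return RESET_BASE_URL + token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user ID if the token is known, unexpired and unused, else None.

        The entry is removed on the first lookup whether or not it is still valid,
        so a token can never be replayed."""
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.now() > expires_at:
            return None
        return user_id

    def purge_expired(self) -> int:
        """Drop expired entries that were never redeemed; returns how many were removed."""
        stale = [fp for fp, (_, expires_at) in self._pending.items()
                 if self.now() > expires_at]
        for fp in stale:
            del self._pending[fp]
        return len(stale)
```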
2-Factor Authentication
2-Factor Authentication
• 2-Factor Authentication requires an additional input on top of the
traditional username and password combination.
• By introducing the 2nd factor, the web application further
authenticates the true identity of the user via something the
user knows (User ID, password, secret image, ...) and something
the user has (digital certificate, security token, mobile phone).
2-Factor Authentication
• 2-FA OTP via Mobile Phone
2-Factor Authentication
• 2-FA OTP via Security Token
2-Factor Authentication
• 2-FA via Digital Certificate
2-Factor Authentication
Case Study - Dropbox
Case Study - Dropbox
• Case study of Dropbox’s flawed implementation of 2-FA.
• Discovered and reported by Zouheir Abdallah on June 10th, 2013.
• Fixed by Dropbox’s security team on June 21st, 2013.
• Received acknowledgment and thanks from Dropbox... and a t-shirt.
Case Study - Dropbox
• Vulnerability
2-FA could be disabled for any person, given that the
attacker knows the username/password of the victim.
• Attack Vector
The emergency backup code that Dropbox generates
for the user to use in case his/her 2-FA method is lost
(think lost mobile phone).
Case Study - Dropbox
• Vulnerability
As mentioned earlier, the emergency backup code is
flawed. The code of one account can be used on another
account that is similar to the victim’s account.
Case Study - Dropbox
• Vulnerability
Dropbox didn’t disclose what the vulnerability was, but
according to QCERT’s analysis, the emergency backup code
generation tool drops the dots in its algorithm, so
the emergency backup code for zuz……85@hotmail.com
would also work on the account zuz.85@hotmail.com.
Questions?
Visit us on www.QCERT.org

Contenu connexe

Similaire à Secure management of credentials - Zouheir Abdulla

3D Password and its importance
3D Password and its importance3D Password and its importance
3D Password and its importanceshubhangi singh
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
An efficient certificate less encryption for
An efficient certificate less encryption forAn efficient certificate less encryption for
An efficient certificate less encryption forShakas Technologies
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack AzureAbdul Khan
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp
 
Advanced Multi-Encryption Technique in Cloud Computing
Advanced Multi-Encryption Technique in Cloud ComputingAdvanced Multi-Encryption Technique in Cloud Computing
Advanced Multi-Encryption Technique in Cloud ComputingAM Publications
 
3d authentication system
3d authentication system3d authentication system
3d authentication systemRicha Agarwal
 
13.02 Network Security
13.02   Network Security13.02   Network Security
13.02 Network SecurityAnjan Mahanta
 
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...IRJET Journal
 
Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Kailas Patil
 
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in CloudIRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in CloudIRJET Journal
 
IRJET - Reliable and Efficient Revocation and Data Sharing using Identity...
IRJET -  	  Reliable and Efficient Revocation and Data Sharing using Identity...IRJET -  	  Reliable and Efficient Revocation and Data Sharing using Identity...
IRJET - Reliable and Efficient Revocation and Data Sharing using Identity...IRJET Journal
 
IRJET - Improving Password System using Blockchain
IRJET - Improving Password System using BlockchainIRJET - Improving Password System using Blockchain
IRJET - Improving Password System using BlockchainIRJET Journal
 
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...Migrant Systems
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile SecurityMichalis Kamprianis
 
Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...TusharAgarwal49094
 

Similaire à Secure management of credentials - Zouheir Abdulla (20)

3D Password and its importance
3D Password and its importance3D Password and its importance
3D Password and its importance
 
3D Password
3D Password3D Password
3D Password
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
 
An efficient certificate less encryption for
An efficient certificate less encryption forAn efficient certificate less encryption for
An efficient certificate less encryption for
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
 
3D Password
3D Password3D Password
3D Password
 
Advanced Multi-Encryption Technique in Cloud Computing
Advanced Multi-Encryption Technique in Cloud ComputingAdvanced Multi-Encryption Technique in Cloud Computing
Advanced Multi-Encryption Technique in Cloud Computing
 
3d authentication system
3d authentication system3d authentication system
3d authentication system
 
13.02 Network Security
13.02   Network Security13.02   Network Security
13.02 Network Security
 
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...
Fast Secure and Anonymous Key Agreement Against Bad Randomness for CloudCompu...
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222Volume 1 number-2pp-216-222
Volume 1 number-2pp-216-222
 
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in CloudIRJET- Security Enhancement for Sharing Data within Group Members in Cloud
IRJET- Security Enhancement for Sharing Data within Group Members in Cloud
 
3D Password PPT
3D Password PPT3D Password PPT
3D Password PPT
 
IRJET - Reliable and Efficient Revocation and Data Sharing using Identity...
IRJET -  	  Reliable and Efficient Revocation and Data Sharing using Identity...IRJET -  	  Reliable and Efficient Revocation and Data Sharing using Identity...
IRJET - Reliable and Efficient Revocation and Data Sharing using Identity...
 
IRJET - Improving Password System using Blockchain
IRJET - Improving Password System using BlockchainIRJET - Improving Password System using Blockchain
IRJET - Improving Password System using Blockchain
 
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...
DECENTRALIZED ACCESS CONTROL OF DATA STORED IN CLOUD USING KEY POLICY ATTRIBU...
 
(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security(ISC)2 Kamprianis - Mobile Security
(ISC)2 Kamprianis - Mobile Security
 
Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...Data Privacy Patterns in databricks for data engineering professional certifi...
Data Privacy Patterns in databricks for data engineering professional certifi...
 

Plus de OWASP-Qatar Chapter

Introduction to Session Management Dana Al-abdulla
Introduction to Session Management   Dana Al-abdullaIntroduction to Session Management   Dana Al-abdulla
Introduction to Session Management Dana Al-abdullaOWASP-Qatar Chapter
 
Securing the channel - Tarkay Jamaan
Securing the channel - Tarkay JamaanSecuring the channel - Tarkay Jamaan
Securing the channel - Tarkay JamaanOWASP-Qatar Chapter
 
Owasp qatar presentation top 10 changes 2013 - Tarun Gupta
Owasp qatar presentation   top 10 changes 2013 - Tarun GuptaOwasp qatar presentation   top 10 changes 2013 - Tarun Gupta
Owasp qatar presentation top 10 changes 2013 - Tarun GuptaOWASP-Qatar Chapter
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq OWASP-Qatar Chapter
 
Sql injection to enterprise Owned - K.K. Mookhey
Sql injection to enterprise Owned  - K.K. Mookhey Sql injection to enterprise Owned  - K.K. Mookhey
Sql injection to enterprise Owned - K.K. Mookhey OWASP-Qatar Chapter
 
Defending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason LamDefending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason LamOWASP-Qatar Chapter
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerApplication Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerOWASP-Qatar Chapter
 

Plus de OWASP-Qatar Chapter (8)

Introduction to Session Management Dana Al-abdulla
Introduction to Session Management   Dana Al-abdullaIntroduction to Session Management   Dana Al-abdulla
Introduction to Session Management Dana Al-abdulla
 
Securing the channel - Tarkay Jamaan
Securing the channel - Tarkay JamaanSecuring the channel - Tarkay Jamaan
Securing the channel - Tarkay Jamaan
 
Owasp qatar presentation top 10 changes 2013 - Tarun Gupta
Owasp qatar presentation   top 10 changes 2013 - Tarun GuptaOwasp qatar presentation   top 10 changes 2013 - Tarun Gupta
Owasp qatar presentation top 10 changes 2013 - Tarun Gupta
 
Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq Implementing a comprehensive application security progaram - Tawfiq
Implementing a comprehensive application security progaram - Tawfiq
 
You installed what Thierry Sans
You installed what  Thierry SansYou installed what  Thierry Sans
You installed what Thierry Sans
 
Sql injection to enterprise Owned - K.K. Mookhey
Sql injection to enterprise Owned  - K.K. Mookhey Sql injection to enterprise Owned  - K.K. Mookhey
Sql injection to enterprise Owned - K.K. Mookhey
 
Defending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason LamDefending Web Applications: first-principles- Jason Lam
Defending Web Applications: first-principles- Jason Lam
 
Application Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh UmmerApplication Security TRENDS – Lessons Learnt- Firosh Ummer
Application Security TRENDS – Lessons Learnt- Firosh Ummer
 

Dernier

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Dernier (20)

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Secure management of credentials - Zouheir Abdulla

  • 1. Secure Management of Credentials Zouheir Abdallah, CISA Senior Risk Specialist – CS/QCERT
  • 2. 6/30/2013 1 Introduction • Since the introduction of the e-Commerce Law Decree No. (16) of 2010, web applications have been on the rise in Qatar. These portals grant the users the ability to perform various electronic transactions.
  • 3. 6/30/2013 2 Introduction • It is the responsibility of the owners of these web applications to safe guard the credentials that have been entrusted to them. Failure to properly secure the credentials of their user base, could lead to a huge loss on both the financial side and the business reputation side. http://money.cnn.com/2012/01/16/technology/zap pos_hack/index.htm?iid=EL#TOP
  • 4. 6/30/2013 3 Outline 1. Managing User IDs 2. Managing Passwords • Password Length • Password Complexity 3. Storage of Credentials • No Encryption • Hashing • Salting 4. Secure and Unsecure WebApp practices • Sending Passwords via email • One-Time Token via a URL 5. 2-Factor Authentication
  • 6. 6/30/2013 55 Managing User IDs • A User ID is a unique identifier. • As a WebApp developer, make sure that the User IDs are case insensitive and the User ID “Ahmad” is the same as “ahmad” or “AHMAD”.
  • 9. 6/30/2013 88 Managing Passwords • In traditional authentication methods, the password and the User ID provide basic authentication.
  • 10. 6/30/2013 99 Managing Passwords ( Length) • Ideally, the longer the password the better. • The web application should set a minimum password length and enforce it on the user upon password entry. • Minimum length should be at least 8 characters long.
  • 11. 6/30/2013 1010 Managing Passwords ( Complexity) • A web application should enforce a certain password complexity schema to prevent users from using easy to guess passwords. • Allow the user to enter virtually any password and any character.
  • 12. 6/30/2013 1111 Managing Passwords ( Complexity) • Make sure that the application clearly states the password rules that are in violation of your password policy.
  • 13. 6/30/2013 1212 Managing Passwords ( Complexity) • Preferably the web application should have the functionality to force the users to choose passwords that adhere to specific criteria set by the developer, for example: • 1 Upper Case Letter • 1 Lower Case Letter • 1 Number • 1 Special Character
  • 15. 6/30/2013 1414 Storing Credentials • Credentials are essential to authenticating the users and granting them access to the application. • So it is only logical to enforce controls on the storage of these credentials to mitigate the risk associated with their leakage.
  • 16. 6/30/2013 1515 Storing Credentials • Credentials should NOT be stored in the database in a clear text form.
  • 17. 6/30/2013 1616 Storing Credentials • Passwords should be hashed rather than encrypted. • Hashing is a one way function, while encryption is a two way function and passwords can be decrypted and exposed. encrypt / decrypt Password DB Password Hash function DB
• 18. Storing Credentials (Salting)
  • Salts are stored in plain text in the database along with the username and the salted, hashed password.
  • The purpose of salting is to prevent mass leakage of passwords IF the database is leaked.

    UserName   Salt      Hash of Salted Password
    Mohammad   134a209   24bcde31100baccde2efgaedbc24
    Omar       abde312   a01bc34aef33120bge234666adcff
    Rayan      a1345gb   4cba201ddeg27aegdac6324012ba

• 19. Storing Credentials (Salting)
  • Make sure that the passwords are salted before being hashed and then stored in the database. Salting adds an additional control to counter the mass leakage of passwords via rainbow-table (precomputed dictionary) attacks.
• 20. Storing Credentials (Salting)
  • Rainbow tables are precalculated databases of all possible hash values.

    Password           Hash
    a………               abef013bae221221
    aa……               cb1290abcd2231ae
    …                  …
    zzzzzzzzzzzzzzz    10cb2ae46dfg7120

• 21. Storing Credentials (Salting)
  • Attackers use them to find the passwords by comparing the hashes of pre-calculated passwords with the ones leaked.

    Leaked Database                    RainBow Table (Precalculated Hashes)
    Hash                               Password       Hash
    24bcde31100baccde2efgaedbc24       …              …
    a01bc34aef33120bge234666adcff      hEll0Every1    bb27cd134ca4200bdef4728100aca
    4cba201ddeg27aegdac6324012ba       iLoveQatar     a01bc34aef33120bge234666adcff
                                       n0TTrue        345acbde236ab20dd01bc12f4f332
                                       …              …

    (The leaked hash a01bc34aef33120bge234666adcff matches the precalculated hash of iLoveQatar.)

• 22. Storing Credentials (Salting)
  • Salting makes it hard for the attacker to mass "de-hash" the leaked passwords.
• 23. Storing Credentials (Salting)

    Leaked Salted Database
    Salt       Hash
    134a209    24bcde31100baccde2efgaedbc24
    abde312    a01bc34aef33120bge234666adcff
    a1345gb    4cba201ddeg27aegdac6324012ba

    RainBow Table (Precalculated Hashes) + Salt = abde312
    Password       Hash
    …              …
    hEll0Every1    bb27cd134ca4200bdef4728100aca
    iLoveQatar     a01bc34aef33120bge234666adcff
    n0TTrue        345acbde236ab20dd01bc12f4f332
    …              …

    RainBow Table (Precalculated Hashes) + Salt = 134a209
    Password       Hash
    …              …
    hEll0Every1    bb27cd134ca4200bdef4728100aca
    iLoveQatar     acbde2431bdde567aed321004212
    n0TTrue        24bcde31100baccde2efgaedbc24
    …              …

    RainBow Table (Precalculated Hashes) + Salt = a1345gb
    Password       Hash
    …              …
    hEll0Every1    4cba201ddeg27aegdac6324012ba
    iLoveQatar     fbcd200123adcbfgbge234666adcff
    n0TTrue        acbde2431bdde567aed321004212
    …              …

    (With a per-user salt, a separate rainbow table has to be built for every salt value.)

• 24. Storing Credentials (Salting)
  • How to validate the credentials with the stored salted hash?
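Slides 18 to 24 describe the salted-hash table and ask how credentials are validated against it. The following is an added example, not code from the presentation: it registers users with a fresh random salt each, stores salt and hash side by side as on slide 18, and verifies a login by recomputing the hash with the stored salt. Where the slides only say "salt, then hash", the example uses PBKDF2-HMAC-SHA256 (a salted, iterated hash) so that each guess also costs the attacker CPU time; the iteration count, the in-memory dictionary standing in for the database and the function names are this example's assumptions. User IDs are lower-cased before lookup, following the case-insensitivity advice from the User ID slides.

```python
"""Salted password storage and verification (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SALT_BYTES = 16
ITERATIONS = 200_000  # assumed work factor; raise it as far as your login latency budget allows

# Constructed in-memory "database": user id -> (salt, salted hash), mirroring the slide's table.
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salt-then-hash as a slow, iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(user_id: str, password: str) -> None:
    """Store a new random salt and the salted hash; the password itself is never kept."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique per user, drawn from the OS CSPRNG
    USERS[user_id.lower()] = (salt, hash_password(password, salt))


def verify(user_id: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record: Optional[Tuple[bytes, bytes]] = USERS.get(user_id.lower())
    if record is None:
        # Hash anyway so an unknown user id takes as long as a wrong password.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored_hash = record
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def salting_defeats_shared_table(password: str) -> bool:
    """Same password, two random salts: the stored hashes differ, so one precomputed
    table cannot be reused across users (the point of slides 21 to 23)."""
    first = hash_password(password, secrets.token_bytes(SALT_BYTES))
    second = hash_password(password, secrets.token_bytes(SALT_BYTES))
    return first != second


if __name__ == "__main__":
    register("Omar", "iLoveQatar")  # constructed sample account
    print("correct password:", verify("omar", "iLoveQatar"))
    print("wrong password:  ", verify("omar", "ilovequatar"))
    print("unknown user:    ", verify("nobody", "iLoveQatar"))
```

Note that the salt column is not secret, exactly as slide 18 says: its job is to make every stored hash unique, not to hide anything. The constant-time comparison and the dummy hash on an unknown user id keep the response time from revealing whether a user id exists.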
• 25. Secure and Un-Secure Practices
• 26. Secure & UnSecure Practices
  • Never send the user his/her password, neither via email nor via any other form of communication.
• 28. Secure & UnSecure Practices
  • In case the user has forgotten his password and clicked "I forgot my password", send the user a One-Time token via a URL to his inbox. Make sure that this token has an expiry time.
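The one-time reset token with an expiry from slide 28, as an added example that is not code from the presentation. It issues an unguessable token for the emailed URL, keeps only a hash of it on the server (so a leaked reset table yields no usable links), expires it after a fixed window, consumes it on first use, and invalidates any earlier token when a new request is made. The 15-minute lifetime, the dictionary standing in for the token table and the function names are assumptions of this example.

```python
"""One-time, expiring password-reset tokens (added example)."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed expiry window

# Constructed store: sha256(token) -> (user id, expiry as a unix timestamp).
# Only the hash of the token is kept; the raw token exists solely in the emailed URL.
RESET_TOKENS: Dict[str, Tuple[str, float]] = {}


def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh token for the user; any earlier unused token is revoked."""
    now = time.time() if now is None else now
    stale = [fp for fp, (uid, _) in RESET_TOKENS.items() if uid == user_id]
    for fp in stale:
        del RESET_TOKENS[fp]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
    RESET_TOKENS[_fingerprint(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    # The caller mails e.g. https://app.example/reset?token=<token> (hypothetical URL).
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is known and unexpired, else None.

    The token is removed on the first attempt, whatever the outcome, so it is
    strictly one-time: an expired token is dropped rather than left lying around.
    """
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_fingerprint(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id


if __name__ == "__main__":
    t = issue_reset_token("omar")  # constructed sample user
    print("first use: ", redeem_reset_token(t))   # omar
    print("second use:", redeem_reset_token(t))   # None
```

After a successful redemption the application should require a new password meeting the policy and, as a further control, invalidate the user's existing sessions.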
• 30. 2-Factor Authentication
  • 2-Factor Authentication requires an additional input to the traditional username and password combination.
  • By introducing the 2nd factor, the web application is further authenticating the true identity of the user via something the user knows (User ID, password, secret image...) and something the user has (digital certificate, security token, mobile phone).
• 31. 2-Factor Authentication
  • 2-FA OTP via Mobile Phone
• 32. 2-Factor Authentication
  • 2-FA OTP via Security Token
• 33. 2-Factor Authentication
  • 2-FA via Digital Certificate
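The OTP second factor of slides 30 to 32 (mobile-phone app or hardware token), as an added example that is not code from the presentation. The slides do not say which OTP scheme is used; this example assumes the time-based one-time password of RFC 6238 (built on HOTP, RFC 4226), which is what most authenticator apps and many tokens implement, and shows the server side: computing the expected code from the shared secret, accepting one step of clock drift, and refusing a code that has already been accepted. The shared secret must be recoverable to compute codes, so unlike a password it cannot be hashed; it needs the same storage protection as any credential.

```python
"""Server-side TOTP verification with replay protection (added example)."""
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(at_time) // step, digits, algorithm)


# Constructed store: user id -> last time-step whose code was accepted.
LAST_ACCEPTED_STEP: Dict[str, int] = {}


def verify_totp(user_id: str, key: bytes, submitted: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock drift),
    but never a step at or before the last one accepted for this user (no replay)."""
    at_time = time.time() if at_time is None else at_time
    current = int(at_time) // step
    for candidate in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            if candidate <= LAST_ACCEPTED_STEP.get(user_id, -1):
                return False  # code (or an older one) already used
            LAST_ACCEPTED_STEP[user_id] = candidate
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real credential
    print("T=59, 8 digits:", totp(secret, 59, digits=8))  # RFC 6238 expects 94287082
    code = totp(secret, time.time())
    print("accepted:", verify_totp("omar", secret, code))
    print("replayed:", verify_totp("omar", secret, code))
```

The replay check matters because a code is valid for a whole time step plus the drift window: without it, an attacker who captures one code could reuse it within that window. The per-user shared secret is the thing the user "has" (in the app or token); it is generated at enrolment and provisioned to the device once.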
• 35. Case Study
  • Case study of Dropbox's flawed implementation of 2-FA.
  • Discovered and reported by Zouheir Abdallah on June 10th 2013.
  • Fixed by Dropbox's security team on June 21st 2013.
  • Received acknowledgment and thanks from Dropbox… and a t-shirt.
• 36. Case Study
  • Vulnerability: 2-FA could be disabled for any person, given that the attacker knows the username/password of the victim.
  • Attack Vector: the emergency backup code that Dropbox generates for the user to use in case his/her 2-FA method is lost (think lost mobile phone).
• 37. Case Study
  • Vulnerability: as mentioned earlier, the emergency backup code is flawed. The code of one account can be used on another account that is similar to the victim's account.
• 38. Case Study
  • Vulnerability: Dropbox didn't disclose what the vulnerability was, but according to QCERT's analysis, the emergency backup generation tool is dropping the DOTs from its algorithm. So the emergency backup code for zuz……85@hotmail.com would work on the account zuz.85@hotmail.com.
• 39. Case Study
  • Vulnerability