SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim Manico
1. JIM MANICO Secure Coding Instructor www.manicode.com
Secure Password Policy and Storage
2. COPYRIGHT ©2019 MANICODE SECURITY
A little background dirt…
jim@manicode.com
@manicode
Former OWASP Global Board Member
Project manager of the
OWASP Cheat Sheet Series and
several other OWASP projects
20+ years of software
development experience
Author of "Iron-Clad Java: Building Secure Web Applications" from McGraw-Hill/Oracle Press
Kauai, Hawaii Resident
3.
WARNING: Please do not attempt to hack any
computer system without legal permission to do so.
Unauthorized computer hacking is illegal and can
be punishable by a range of penalties including
loss of job, monetary fines and possible imprisonment.
ALSO: The Free and Open Source Software presented in these materials is shown as an example of good secure development tools and techniques. You may encounter unknown legal, licensing or technical issues when making use of Free and Open Source Software. You should consult your company's policy on the use of Free and Open Source Software before making use of any software referenced in this material.
4. Authentication: Where are we going?
Modern Password Policy
Importance of Password Storage
Hashing and Salting
Adaptive Storage Algorithms
Other Considerations
7. Do Not Limit the Password Strength
Limiting passwords to protect against injection is doomed to failure.
Use query parameterization and other defenses instead.
Be sure to at least limit password size: very long passwords can cause DoS.
8. Use a Modern Password Policy Scheme
Consider the password policy suggestions from NIST.
Do not depend on passwords as a sole credential. It's past time to move to MFA.
Encourage and train your users to use a password manager.
9. Credential Stuffing Safeguards
Stuffing Live Defense
• Block use of known username/password pairs from past breaches
• Implement Multi-Factor Authentication (see below)
• Consider avoiding email addresses as usernames
• Bot detection
3rd Party Password Breach Response
• Scan the entire existing user base for the username/password pairs exposed in the new breach
• Immediately invalidate the matched username/password pairs
• Force a password reset on affected users
10. Special Publication SP800-63B: Digital AuthN Guidelines
Favor the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible.
• At least 8 characters and allow up to 64 (16+ better)
• Throttle or otherwise manage brute force attempts
• Don't force unnatural password special character rules
• Don't use password security questions or hints
• No more mandatory password expiration for the sake of it
• Allow all printable ASCII characters including spaces, and accept all Unicode characters too, including emoji
• Do not limit the characters of passwords
• Check against a list of common passwords
• Block context-specific passwords like the username or service name
• Check against a list of breached username/password pairs
11. Password Management Summary
Core Password Policy Rules (NIST 800-63 inspired)
• Do not limit the characters or length of user passwords
• Use a modern password policy scheme
• Enforce a password length of at least 8 characters and allow up to 64 or more (16+ better)
• Check against a list of common passwords (new!)
• Check against a list of breached and exposed username/password pairs (credential stuffing) (new!)
• Do not enforce special character type rules on passwords (new!)
• Do not force mandatory expiration unless there is a good reason (new!)
• Throttle or otherwise manage brute force attempts
Additional Considerations (Dr De Ryck Suggestions)
• Include a password strength meter
• Ensure your password system is compatible with password managers
• Offer an option to show the password while typing on mobile devices
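The NIST-style rules on the two slides above, as a server-side acceptance check. This is an added example, not code from the slides or from Manicode; the blocklist, the breached pair, the username and the service name `examplebank` are constructed sample values, and a real deployment would load millions of entries from a file or service. Length is counted in Unicode code points after NFKC normalization, all characters including spaces and emoji are accepted, and the only upper bound exists to cap CPU time, not strength.

```python
import unicodedata
from typing import List

MIN_LEN = 8
MAX_LEN = 64   # allow at least 64; the cap only bounds resource use (DoS), not strength
SERVICE_NAME = "examplebank"   # assumption: this service's name, for the context-specific check

# Constructed samples. A real deployment loads millions of entries from a file or service.
COMMON_PASSWORDS = {"password", "password1", "123456789", "qwertyuiop", "iloveyou"}
BREACHED_PAIRS = {("alice", "Winter2019!")}   # (username, password) seen in a past breach


def normalize(password: str) -> str:
    """NFKC normalization so that visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: composition rules (digit/symbol/uppercase) and any
    restriction on which characters may appear, per SP 800-63B.
    """
    pw = normalize(password)
    problems: List[str] = []
    if len(pw) < MIN_LEN:
        problems.append("too short: fewer than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        problems.append("too long: more than %d characters" % MAX_LEN)
    # Control characters are not printable; everything else (spaces, emoji) is fine.
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        problems.append("contains control characters")
    lowered = pw.casefold()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # Context-specific check: the username or the service name inside the password.
    context = {username.casefold(), SERVICE_NAME.casefold()}
    if any(token and token in lowered for token in context):
        problems.append("contains the username or service name")
    if (username.casefold(), pw) in BREACHED_PAIRS:
        problems.append("this username/password pair appears in a known breach")
    return problems


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password", "Winter2019!"]:
        print(repr(candidate), "->", check_password(candidate, "alice") or "accepted")
```

The breached-pair check is the same comparison the credential-stuffing slide asks for at registration time; the same function can be run at login to catch pairs that were leaked after the password was set.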
12. Credential Strength / Password Policy
Users will pick passwords as simple as you allow them to.
Users will reuse the same password on multiple websites.
Implement server-side enforcement of password syntax and strength:
– Minimum length
– Numbers/Symbols/Uppercase/Lowercase
– Ban commonly used passwords
– Ban passwords with dictionary words
– Ban commonly used password topologies (https://blog.korelogic.com/blog/2014/04/04/pathwell_topologies)
– Force multiple users to use different password topologies
– Require a minimum topology change between old and new passwords
Also consider JavaScript password meters.
Reference: "Your password complexity requirements are worthless" https://www.youtube.com/watch?v=zUM7i8fsf0g
14. Twitter Password Ban-List: August 2014
The entries below are shown ROT13-encoded (cnffjbeq is "password", djregl is "qwerty", nop123 is "abc123"); this is the kind of common-password blocklist the NIST guidance above calls for.
8675309
987654
nnnnnn
nop123
nop123
nopqrs
noteglh
npprff
npprff14
npgvba
nyoreg
nyoregb
nyrkvf
nyrwnaqen
nyrwnaqeb
nznaqn
nzngrhe
nzrevpn
naqern
naqerj
natryn
natryf
navzny
nagubal
ncbyyb
nccyrf
nefrany
neguhe
nfqstu
nfqstu
nfuyrl
nffubyr
nhthfg
nhfgva
onqobl
onvyrl
onanan
onearl
onfronyy
ongzna
orngevm
ornire
ornivf
ovtpbpx
ovtqnqql
ovtqvpx
ovtqbt
ovtgvgf
oveqvr
ovgpurf
ovgrzr
oynmre
oybaqr
oybaqrf
oybjwbo
oybjzr
obaq007
obavgn
obaavr
obbobb
obbtre
obbzre
obfgba
oenaqba
oenaql
oenirf
oenmvy
oebapb
oebapbf
ohyyqbt
ohfgre
ohggre
ohggurnq
pnyiva
pnzneb
pnzreba
pnanqn
pncgnva
pneybf
pnegre
pnfcre
puneyrf
puneyvr
purrfr
puryfrn
purfgre
puvpntb
puvpxra
pbpnpbyn
pbssrr
pbyyrtr
pbzcnd
pbzchgre
pbafhzre
pbbxvr
pbbcre
pbeirggr
pbjobl
pbjoblf
pelfgny
phzzvat
phzfubg
qnxbgn
qnyynf
qnavry
qnavryyr
qroovr
qraavf
qvnoyb
qvnzbaq
qbpgbe
qbttvr
qbycuva
qbycuvaf
qbanyq
qentba
qernzf
qevire
rntyr1
rntyrf
rqjneq
rvafgrva
rebgvp
rfgeryyn
rkgerzr
snypba
sraqre
sreenev
sveroveq
svfuvat
sybevqn
sybjre
sylref
sbbgonyy
sberire
serqql
serrqbz
shpxrq
shpxre
shpxvat
shpxzr
shpxlbh
tnaqnys
tngrjnl
tngbef
trzvav
trbetr
tvnagf
tvatre
tvmzbqb
tbyqra
tbysre
tbeqba
tertbel
thvgne
thaare
unzzre
unaanu
uneqpber
uneyrl
urngure
uryczr
uragnv
ubpxrl
ubbgref
ubearl
ubgqbt
uhagre
uhagvat
vprzna
vybirlbh
vagrearg
vjnagh
wnpxvr
wnpxfba
wnthne
wnfzvar
wnfcre
wraavsre
wrerzl
wrffvpn
wbuaal
wbuafba
wbeqna
wbfrcu
wbfuhn
whavbe
whfgva
xvyyre
xavtug
ynqvrf
ynxref
ynhera
yrngure
yrtraq
yrgzrva
yrgzrva
yvggyr
ybaqba
ybiref
znqqbt
znqvfba
znttvr
zntahz
znevar
znevcbfn
zneyobeb
znegva
zneiva
znfgre
zngevk
znggurj
znirevpx
znkjryy
zryvffn
zrzore
zreprqrf
zreyva
zvpunry
zvpuryyr
zvpxrl
zvqavtug
zvyyre
zvfgerff
zbavpn
zbaxrl
zbaxrl
zbafgre
zbetna
zbgure
zbhagnva
zhssva
zhecul
zhfgnat
anxrq
anfpne
anguna
anhtugl
app1701
arjlbex
avpubynf
avpbyr
avccyr
avccyrf
byvire
benatr
cnpxref
cnagure
cnagvrf
cnexre
cnffjbeq
cnffjbeq
cnffjbeq1
cnffjbeq12
cnffjbeq123
cngevpx
crnpurf
crnahg
crccre
cunagbz
cubravk
cynlre
cyrnfr
cbbxvr
cbefpur
cevapr
cevaprff
cevingr
checyr
chffvrf
dnmjfk
djregl
djreglhv
enoovg
enpury
enpvat
envqref
envaobj
enatre
enatref
erorppn
erqfxvaf
erqfbk
erqjvatf
evpuneq
eboreg
eboregb
ebpxrg
ebfrohq
ehaare
ehfu2112
ehffvn
fnznagun
fnzzl
fnzfba
fnaqen
fnghea
fpbbol
fpbbgre
fpbecvb
fpbecvba
fronfgvna
frperg
frkfrk
funqbj
funaaba
funirq
fvreen
fvyire
fxvccl
fynlre
fzbxrl
16.
"Researchers asked 43 freelance developers to code the user registration for a web app and assessed how they implemented password storage. 26 devs initially chose to leave passwords as plaintext."
https://net.cs.uni-bonn.de/fileadmin/user_upload/naiakshi/Naiakshina_Password_Study.pdf
17. Why and When does Password Storage Matter?
When considering password storage strategies, note that we are most concerned about offline attacks.
Password storage matters most after your website is breached and attackers have a copy of your stored password data to analyze offline.
Attackers can achieve supercomputing capability to discover your password.
Using cloud services, computers with many GPUs, or custom hardware, attackers can make trillions of attempts per second to discover (or "crack") stolen password data.
19. Password Storage Defense Overview
Offline Attacks:
• Avoid hashing or encryption by itself for password storage
• Use proper password hashing
• Use random and unique per-user salts
  – Less effective against targeted attacks, but use them anyhow
• Strict password policy
• Ban top X commonly used passwords
Online Attacks:
• Ban top X commonly used passwords
• Rate limiting
• Multi-factor authentication
• Behavior analysis
  – Trojan combat
• Anti-phishing
  – Early detection and takedown
• Good network security
Reference: http://www.openwall.com/presentations
20. Cha-Ching! Estimated cost of hardware to crack a password in 1 year
KDF             | 6 letters | 8 letters | 8 chars | 10 chars | 40-char text | 80-char text
DES CRYPT       | <$1       | <$1       | <$1     | <$1      | <$1          | <$1
MD5             | <$1       | <$1       | <$1     | $1.1k    | $1           | $1.5T
MD5 CRYPT       | <$1       | <$1       | $130    | $1.1M    | $1.4k        | $1.5 x 10^15
PBKDF2 (100 ms) | <$1       | <$1       | $18k    | $160M    | $200k        | $2.2 x 10^17
Bcrypt (95 ms)  | <$1       | $4        | $130k   | $1.2B    | $1.5M        | $48B
Scrypt (64 ms)  | <$1       | $150      | $4.8M   | $43B     | $52M         | $6 x 10^19
PBKDF2 (5.0 s)  | <$1       | $29       | $920k   | $8.3B    | $10M         | $11 x 10^18
Bcrypt (3.0 s)  | <$1       | $130      | $4.3M   | $39B     | $47M         | $1.5T
Scrypt (3.8 s)  | $900      | $610k     | $19B    | $175T    | $210B        | $2.3 x 10^23
Research by Colin Percival, "Stronger Key Derivation via Sequential Memory-Hard Functions", https://www.tarsnap.com/scrypt/scrypt.pdf
22. Wow.
Just… wow.
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours
23. Online Hashcracking Services
md5("86e39e7942c0password123!") = f3acf5189414860a9041a5e9ec1079ab
md5("password123!") = b7e283a09511d95d6eac86e39e7942c0
24. Password Storage Best Practices Overview
1. Hash the salted password using SHA2-512 or another strong hash
2. Use Argon2i, bcrypt or scrypt on the hash
3. Store passwords as an HMAC, with good key management, as an extra step
25. Step 1: Hash the Password With a Strong Hash
If you ONLY hash a password it will be discovered in a very short amount of time, especially for short passwords. This is just one of several steps, and it addresses two practical problems:
– Long passwords can cause DoS
– bcrypt truncates long passwords to 72 bytes, reducing the strength of long passwords
By applying the very fast algorithm SHA2-512 we quickly reduce passwords of any length to 512 bits, solving both problems.
https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/
26. Step 2: Leverage a Password Hasher
bcrypt includes a work factor or time cost, which defines the execution time.
scrypt includes a time cost as well as a memory cost, which defines the memory usage.
Argon2i includes a time cost, a memory cost and a parallelism degree, which defines the number of threads.
Make the work factor and memory cost as strong as you can tolerate and increase it over time!
Imposes difficult verification on the attacker and defender!
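One way to act on "as strong as you can tolerate and increase it over time": measure the adaptive hasher on the actual server and pick the largest cost that fits a latency budget, then record that cost so older records can be detected and rehashed. This is an added example, not the presenter's code; it uses scrypt from Python's standard library as the adaptive hasher (bcrypt and Argon2 need third-party packages), and the search range, fixed `r`/`p` and the memory ceiling are assumptions.

```python
import hashlib
import os
import time

SCRYPT_R, SCRYPT_P = 8, 1                 # fixed here; tune n (CPU/memory cost) only
N_MIN, N_MAX = 2 ** 10, 2 ** 16           # assumed search range for the cost parameter
MAXMEM = 256 * 1024 * 1024                # scrypt uses ~128 * r * n bytes; 2**16 -> 64 MiB


def time_scrypt(n: int) -> float:
    """Wall-clock seconds for one scrypt evaluation at cost n on this machine."""
    salt = os.urandom(16)                 # fresh salt so nothing is cached between probes
    start = time.perf_counter()
    hashlib.scrypt(b"timing-probe", salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P,
                   maxmem=MAXMEM, dklen=32)
    return time.perf_counter() - start


def calibrate_scrypt_cost(target_seconds: float) -> int:
    """Largest power-of-two n in [N_MIN, N_MAX] whose single evaluation stays
    within target_seconds (N_MIN if even that is too slow). Run this at
    deployment time and again whenever hardware changes: faster servers
    should translate into a higher cost, never a lower one."""
    chosen = N_MIN
    n = N_MIN
    while True:
        if time_scrypt(n) > target_seconds:
            break                         # this n is over budget; keep the previous one
        chosen = n
        if n >= N_MAX:
            break
        n *= 2
    return chosen


def needs_cost_upgrade(stored_n: int, current_n: int) -> bool:
    """True when a stored record was produced with a weaker cost than today's
    setting; the caller rehashes the password at the next successful login,
    when the plaintext is legitimately available."""
    return stored_n < current_n


if __name__ == "__main__":
    for n in (2 ** 10, 2 ** 12, 2 ** 14, 2 ** 16):
        print("n=%6d  %.3f s" % (n, time_scrypt(n)))
    print("cost for a 100 ms budget:", calibrate_scrypt_cost(0.1))
```

Store `n` (and `r`, `p`) alongside each hash rather than as a global constant; that is what lets `needs_cost_upgrade` raise the cost gradually without a flag day.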
27. Is hash cracking really that fast?
Hashes per second:
MD5: 200,000 million
SHA1: 68 million
BCRYPT(13): 390
Slide credit: Dr. Philippe De Ryck (@PhilippeDeRyck)
29. bcrypt in PHP
string password_hash ( string $password , integer $algo [, array $options ] )
Uses the bcrypt algorithm (default as of PHP 5.5.0)
bcrypt in .NET
https://github.com/BcryptNet/bcrypt.net
30. GPU Attacks on Modern Password KDFs
Listed from weakest to strongest against GPU attacks (STRONGER toward the bottom):
PBKDF2-HMAC-SHA-1
PBKDF2-HMAC-SHA-256
PBKDF2-HMAC-SHA-512
bcrypt
scrypt
Reference: Openwall and http://www.openwall.com/presentations/
31. ASIC/FPGA Attacks on Modern Password Hashes
Listed from weakest to strongest against ASIC/FPGA attacks (STRONGER toward the bottom):
PBKDF2-HMAC-SHA-1
PBKDF2-HMAC-SHA-256
PBKDF2-HMAC-SHA-512
scrypt below 16 MB
bcrypt (uses 4 KB)
scrypt at 16 MB
scrypt above 32 MB
Reference: Openwall and http://www.openwall.com/presentations/
32. Step 3: Leverage a Keyed Protection Solution
AES or HMAC-SHA-256([key], [salt] + [credential])
Protect this key as you would any private key, using best practices.
Store the key outside the credential store.
Isolate this process outside of your application layer.
Imposes difficult verification on the attacker only!
33. YubiHSM: a USB Dongle for Servers
YubiHSM in a server's internal USB port. Photo © Yubico, reproduced under the fair use doctrine.
34. HMACs in Action for YubiHSM
• KEY for HMAC is stored in the local key database only, not retrievable
• Key handle is the HSM ID
• Data is the password or a KDF of the password
• HMAC @ Final is the final computed password hash
[Diagram: the YubiHSM computes HMAC-SHA1 over the Data input using the key selected by the Key Handle from its Key Data Base; Reset/Final controls the operation and HMAC @ Final is the output. Diagram © Yubico, reproduced under the fair use doctrine.]
36. Basic Password Storage Workflow (with hashing, bcrypt and AES)
Imposes difficult verification on the attacker and defender! Also adds a keyed round!
pwHash = SHA-512(password);
adaptiveHash = bcrypt(512 bit pwHash, 13)
FinalCiphertext = AES-GCM(adaptiveHash, secretKey)
37. Basic Password Verification Workflow (with hashing, bcrypt and AES)
submittedPWHash = SHA-512(submittedPassword);
adaptiveHashDatabase = Decrypt AES-GCM(CiphertextDatabase, key)
T/F = bcrypt_compare(submittedPWHash, adaptiveHashDatabase)
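The three-step storage and verification workflow from the two slides above, plus the breach-response scan from the credential-stuffing slide (slide 9), as one runnable example. This is added code, not the presenter's or Dropbox's: scrypt stands in for bcrypt (it is in Python's standard library and has no 72-byte limit), and an HMAC-SHA-256 keyed step stands in for the AES-GCM step, which is the other option named on the keyed-protection slide. The pepper key, the usernames, the passwords and the breach dump are constructed sample values; in production the key comes from an HSM or secrets vault and is never stored beside the hashes.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Tuple

# ASSUMPTION: fetched from an HSM or secrets vault at startup and held only in
# memory; it must never sit in the same database as the credential records.
PEPPER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # constructed value

# Low cost so the example runs quickly; production raises n after measuring.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16

# username -> (per-user salt, keyed hash); stands in for the credential table
CredentialStore = Dict[str, Tuple[bytes, bytes]]


def prehash(password: str) -> bytes:
    """Step 1: SHA-512 collapses input of any length to 64 bytes, so a huge
    password cannot make the adaptive step expensive (DoS), and a
    72-byte-truncating bcrypt would still see the whole password. Hex encoding
    avoids NUL bytes, which C bcrypt implementations treat as end of string."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest().encode("ascii")


def adaptive_hash(prehashed: bytes, salt: bytes) -> bytes:
    """Step 2: memory-hard KDF with a random, unique per-user salt."""
    return hashlib.scrypt(prehashed, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def keyed(adaptive: bytes, salt: bytes) -> bytes:
    """Step 3: HMAC under a key kept outside the credential store. A dumped
    table cannot be attacked offline unless the key is stolen as well."""
    return hmac.new(PEPPER_KEY, salt + adaptive, hashlib.sha256).digest()


def store_password(store: CredentialStore, username: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)
    store[username] = (salt, keyed(adaptive_hash(prehash(password), salt), salt))


def verify_password(store: CredentialStore, username: str, password: str) -> bool:
    """Recompute the three steps and compare in constant time. An unknown
    username still pays the full KDF cost so response time does not reveal
    which usernames exist."""
    salt, expected = store.get(username, (bytes(SALT_BYTES), bytes(32)))
    candidate = keyed(adaptive_hash(prehash(password), salt), salt)
    return hmac.compare_digest(candidate, expected) and username in store


# Constructed third-party breach dump: (username, plaintext password) pairs.
BREACH_DUMP = [("alice", "Winter2019!"), ("alice", "hunter2"), ("mallory", "letmein")]


def scan_breach_dump(store: CredentialStore, dump: Iterable[Tuple[str, str]]) -> List[str]:
    """Breach response from the credential-stuffing slide: try each leaked pair
    against our own store and return the usernames whose current password
    matches, so their sessions can be invalidated and a reset forced. Pairs
    for usernames we do not have are skipped."""
    hits = []
    for username, leaked_password in dump:
        if username in store and verify_password(store, username, leaked_password):
            hits.append(username)
    return hits


if __name__ == "__main__":
    users: CredentialStore = {}
    store_password(users, "alice", "Winter2019!")
    store_password(users, "bob", "correct horse battery staple")
    print("alice verifies:", verify_password(users, "alice", "Winter2019!"))
    print("force reset for:", scan_breach_dump(users, BREACH_DUMP))
```

Because the keyed step is applied last, the key can be rotated by decrypting or re-MACing the stored values without knowing any password, which is the operational reason the slides put it outside the application layer.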
38. Password Storage Summary
• Passwords are an attractive target in data breaches
Insecure backups or SQL injection vulnerabilities are the tip of the iceberg
Prepare for the worst.
Implement a secure password storage mechanism
• Legacy password storage mechanisms cannot withstand
modern attacks
Encryption can be broken by stealing the encryption key
Hashing can be broken by lookup tables or brute force attacks
• The proper way to store passwords is using a password-
hashing function like bcrypt, scrypt or Argon2
The variable cost factor makes the algorithm too expensive to brute force
• Legacy systems should be upgraded ASAP to a more
secure storage mechanism
Slide credit: Dr. Philippe De Ryck (@PhilippeDeRyck)
39. Additional Topics
• How to upgrade legacy systems
• Storage of security questions, multi-factor information and other authentication verification information
• What to do in case of a breach
• Authentication mechanisms that do not require passwords or password storage
• Performance and scale considerations
41. Do Not Hardcode Passwords or Keys!
if ("DoTheStankyLeg1".equals(password)) {
    //why the heck why not?
    admin=true;
}
static final String DB_URL = "jdbc:mysql://192.168.1.45/";
static final String USER = "root";
static final String PASS = "BringBackJarJar99!";
Hard-coded passwords may expose elevated access to critical systems to individuals who have product detail visibility.
Hard-coded passwords may lead to back doors that weaken the system.
Please store critical passwords in an application secrets vault!
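A pre-commit style check that flags the patterns on this slide before they reach a repository, together with the remediation the slide asks for (resolving the secret at runtime instead of in source). This is an added example, not the presenter's code: the regular expressions are a constructed heuristic, the sample source reproduces the slide's Java lines plus one constructed connection URL, and a real pipeline would run a dedicated secret scanner alongside it.

```python
import os
import re
from typing import List, Tuple

# Identifier fragments that should never be bound to a string literal.
SECRET_NAME = r"(?:pass(?:word|wd)?|secret|api[_-]?key|token|private[_-]?key)"

PATTERNS = [
    # PASS = "..."   /   String password = "..."   /   secret: '...'
    re.compile(r"\b\w*" + SECRET_NAME + r"\w*\s*[=:]\s*[\"']([^\"']{4,})[\"']", re.I),
    # "literal".equals(password)  -- user input compared against a literal
    re.compile(r"[\"']([^\"']{4,})[\"']\.equals\(\s*\w*" + SECRET_NAME + r"\w*\s*\)", re.I),
    # scheme://user:password@host  -- credentials embedded in a connection URL
    re.compile(r"\w+://[^/\s:@]+:([^@\s]{4,})@", re.I),
]

# Constructed sample: the slide's Java fragment plus one URL with embedded credentials.
SAMPLE_JAVA = """\
if ("DoTheStankyLeg1".equals(password)) {
    admin = true;
}
static final String DB_URL = "jdbc:mysql://192.168.1.45/";
static final String USER = "root";
static final String PASS = "BringBackJarJar99!";
static final String DB_URL2 = "postgres://app:hunter22@db.internal/app";
"""


def scan_source(source: str, path: str = "<constructed>") -> List[Tuple[str, int, str]]:
    """Return (path, line number, offending line) for every line that binds or
    compares a literal to a secret-looking name. It is a heuristic: a name
    such as 'tokenizer' is flagged too, which is the right failure direction
    for a pre-commit gate that a human reviews."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if any(pattern.search(line) for pattern in PATTERNS):
            findings.append((path, lineno, line.strip()))
    return findings


def load_secret(name: str, env=None) -> str:
    """Remediation: resolve the secret at runtime from the environment, which a
    vault agent or the orchestrator populates; fail closed when it is missing
    rather than falling back to a built-in default."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError("secret %s not provided; configure the application secrets vault" % name)
    return value


if __name__ == "__main__":
    for path, lineno, line in scan_source(SAMPLE_JAVA, "Example.java"):
        print("%s:%d: hard-coded credential: %s" % (path, lineno, line))
```

The scanner does not flag the `USER = "root"` line or the plain JDBC URL, only literals bound to password-like names, literal comparisons against such names, and `user:password@` URLs; tune `SECRET_NAME` to the naming conventions of the code base.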
42. Authentication: Where are we going?
Modern Password Policy
Importance of Password Storage
Hashing and Salting
Adaptive Storage Algorithms
Other Considerations
43. JIM MANICO Secure Coding Instructor www.manicode.com
It’s been a pleasure.
jim@manicode.com