+ - 0:00:00
Notes for current slide
Notes for next slide

SECURITY FOCUS

Broken Authentication

(AKA Bad Passwords and Login policies)

1 / 11

Cracking

2 / 11

Cracking

  • Brute-force attack that guesses repeatedly
2 / 11

Cracking

  • Brute-force attack that guesses repeatedly
  • The attack could literally try to login to the application repeatedly (if no checks prevent it)
2 / 11

Cracking

  • Brute-force attack that guesses repeatedly
  • The attack could literally try to login to the application repeatedly (if no checks prevent it)
  • Or guessing are repeated against known hashed passwords from a data breach (more on that next)
2 / 11

Rainbow Table Attacks

3 / 11

Rainbow Table Attacks

3 / 11

Your Data has been Leaked

4 / 11

Fortune Favors the Hackers

5 / 11

Fortune Favors the Hackers

  • The deck is currently stacked in the attacker's favor
5 / 11

Fortune Favors the Hackers

  • The deck is currently stacked in the attacker's favor
  • Enterprise software vendors haven't moved to stronger hash types
5 / 11

Fortune Favors the Hackers

  • The deck is currently stacked in the attacker's favor
  • Enterprise software vendors haven't moved to stronger hash types
  • Moore's law has helped attackers tremendously
5 / 11

Fortune Favors the Hackers

  • The deck is currently stacked in the attacker's favor
  • Enterprise software vendors haven't moved to stronger hash types
  • Moore's law has helped attackers tremendously
  • Existing defenses (password policies) have lead to exploitable predictability
5 / 11

Fortune Favors the Hackers

  • The deck is currently stacked in the attacker's favor
  • Enterprise software vendors haven't moved to stronger hash types
  • Moore's law has helped attackers tremendously
  • Existing defenses (password policies) have lead to exploitable predictability
  • pass-the-hash attacks, which can make password cracking unnecessary
5 / 11

Strong Passwords

6 / 11

Strong Passwords

  • The oldies but goodies
  • At least 1 uppercase character (A-Z)
  • At least 1 lowercase character (a-z)
  • At least 1 digit (0-9)
  • At least 1 special character (punctuation) — do not forget to treat space as special characters too
  • Not more than 2 identical characters in a row (e.g., 111 not allowed)
6 / 11

Strong Passwords P2

7 / 11

Strong Passwords P2

  • At least 10 characters
  • At most 128 characters (don't have a small max)
7 / 11

Strong Passwords P2

  • At least 10 characters
  • At most 128 characters (don't have a small max)
  • Long passwords can increase cracking time from hours to billions of years
7 / 11

Strong Passwords P2

  • At least 10 characters
  • At most 128 characters (don't have a small max)
  • Long passwords can increase cracking time from hours to billions of years
  • Check passwords against a list of known weak passwords (don't allow if found)
7 / 11

Password Topology

8 / 11

Password Topology

  • Predictable user behavior is BAD for security
    • WeakSauce@2018 -> WeakSauce@2018!
    • Oct0b3r! -> N0v3mb3r! -> D0c3mber!
8 / 11

Password Topology

  • Predictable user behavior is BAD for security
    • WeakSauce@2018 -> WeakSauce@2018!
    • Oct0b3r! -> N0v3mb3r! -> D0c3mber!
  • Attackers can reduce cracking time by focusing on known user behaviors and patterns
8 / 11

Password Topology

  • Predictable user behavior is BAD for security
    • WeakSauce@2018 -> WeakSauce@2018!
    • Oct0b3r! -> N0v3mb3r! -> D0c3mber!
  • Attackers can reduce cracking time by focusing on known user behaviors and patterns
  • Ban commonly used password topologies
8 / 11

Password Topology

  • Predictable user behavior is BAD for security
    • WeakSauce@2018 -> WeakSauce@2018!
    • Oct0b3r! -> N0v3mb3r! -> D0c3mber!
  • Attackers can reduce cracking time by focusing on known user behaviors and patterns
  • Ban commonly used password topologies
  • Force users to change topologies with each new password
8 / 11

Failed Logins

9 / 11

Failed Logins

  • Failed login messages should NOT indicate which part of the login was incorrect
9 / 11

Failed Logins

  • Failed login messages should NOT indicate which part of the login was incorrect
  • Limit the amount of failed logins during a certain time frame
9 / 11

Further Suggestions

10 / 11

Further Suggestions

  • Two Factor Authentication
    • Absolutely use it when possible
10 / 11

Further Suggestions

  • Two Factor Authentication
    • Absolutely use it when possible
  • Password Managers
    • Security comunity is mixed
    • if they lead to longer, safer, less predictable passwords then they are ok
10 / 11

The End

  • Now let's all go change our passwords
11 / 11

Cracking

2 / 11
Paused

Help

Keyboard shortcuts

, , Pg Up, k Go to previous slide
, , Pg Dn, Space, j Go to next slide
Home Go to first slide
End Go to last slide
b / m / f Toggle blackout / mirrored / fullscreen mode
c Clone slideshow
p Toggle presenter mode
t Restart the presentation timer
?, h Toggle this help
Esc Back to slideshow