Passw3rd

Upload: blaze-horton

Post on 21-Jan-2016

TRANSCRIPT

Page 1: Passw3rd. Remember… What is it? Cross-platform, cross-language password management for applications Keeps passwords out of code and configuration files,

Passw3rd

Page 2: Remember…

Page 3: What is it?

• Cross-platform, cross-language password management for applications
• Keeps passwords out of code and configuration files, but keeps them in encrypted files that can be checked into version control
• Keys for dev/test can be checked in, but prod keys must be protected

Page 4: Nerd stuff

• Uses openssl to generate an AES-128 key and IV
• The keys are stored in a location protected by OS access controls
• The password files are generated which store an encrypted version of the password
• Uses the cipher block chaining (CBC) mode of operation
• Bonus points: why not 256? Why create an IV?

Page 5: Gotchas

• EACH WEB APPLICATION MUST RUN AS A SEPARATE USER
• But you already knew that
• Why? Because one application can read any password file owned by the same user/group/etc.
• Can’t protect from in memory access
• Anyone can put a logger in and see the password…

Page 6: Give me the run down

• Generate keys:
  $ passw3rd -g <path>
  generated keys in /Users/neil (creates .passw3rd-encryptionIV and .passw3rd-encryptionKey)

• Create a password file:
  $ passw3rd -e file_name <-p path> <-k path>
  Enter the password:
  Wrote password to /Users/neil/file_name

• Verify the password can be retrieved:
  $ passw3rd -d file_name <-p path> <-k path>
  The password is: asdf

Page 7: Business model

Page 8: Phase 1: Find Passwords

development:
  adapter: mysql
  database: rails_development
  username: app_user
  password: my super secret password

Page 9: Phase 1: Collect Passwords

development:
  adapter: mysql
  database: rails_development
  username: app_user
  password: <%= get_password('app') %>

Page 10: Phase 2

CHANGE ALL PASSWORDS!!!!

Page 11: Phase 3: Profit

• Need a password rotation?
  • Fine, just create a new password file for the affected accounts
• Need a new server?
  • Just make the keys part of your build script
• Need to rotate your key?
  • Trivial, decrypt with the old, encrypt with the new

Wait, hold on a second you can’t change… oh yeah that sounds like a good idea…
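The scheme from the "Nerd stuff" and "Give me the run down" slides, together with the key rotation step just above, as an added Ruby example. This is not passw3rd's own code or its API (Ruby is used because passw3rd ships as a Ruby gem). The PasswordVault module, its method names and the directory layout are assumptions made here; only the two key file names are the ones the slides print. The key loader also refuses key files that other accounts could read, which is the check behind the "separate user" gotcha.

```ruby
# Added example, not passw3rd's own code: a minimal model of the scheme the
# slides describe. Module, method and directory names are assumptions made
# here; only the two key file names are the ones the slides show.
require "openssl"
require "tmpdir"

module PasswordVault
  KEY_FILE = ".passw3rd-encryptionKey"
  IV_FILE  = ".passw3rd-encryptionIV"
  CIPHER   = "AES-128-CBC"

  # Generate a random 128-bit key and IV, each written to its own file with
  # mode 0600 so that OS access controls keep other accounts out.
  def self.generate_keys(dir)
    cipher = OpenSSL::Cipher.new(CIPHER)
    write_secret(File.join(dir, KEY_FILE), cipher.random_key)
    write_secret(File.join(dir, IV_FILE), cipher.random_iv)
    dir
  end

  # Encrypt one password and store only the hex ciphertext in a file named
  # after the account; that file is what gets checked into version control.
  def self.encrypt_to_file(name, password, key_dir:, out_dir:)
    key, iv = load_keys(key_dir)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    cipher.iv = iv
    ciphertext = cipher.update(password) + cipher.final
    path = File.join(out_dir, name)
    File.write(path, ciphertext.unpack1("H*"))
    path
  end

  # Read one password file and decrypt it with the key and IV from key_dir.
  def self.decrypt_from_file(name, key_dir:, out_dir:)
    key, iv = load_keys(key_dir)
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    ciphertext = [File.read(File.join(out_dir, name))].pack("H*")
    cipher.update(ciphertext) + cipher.final
  end

  # Key rotation as the slides put it: decrypt with the old key, encrypt with
  # the new. Every password file in out_dir is rewritten under the new key.
  def self.rotate(old_key_dir, new_key_dir, out_dir)
    Dir.children(out_dir).sort.map do |name|
      plain = decrypt_from_file(name, key_dir: old_key_dir, out_dir: out_dir)
      encrypt_to_file(name, plain, key_dir: new_key_dir, out_dir: out_dir)
    end
  end

  def self.write_secret(path, bytes)
    File.open(path, "wb", 0o600) { |f| f.write(bytes) }
    File.chmod(0o600, path) # the umask can only narrow the mode; be explicit
  end
  private_class_method :write_secret

  # Refuse key files that other accounts could read. This enforces the
  # "each web application must run as a separate user" gotcha at load time:
  # a key file the whole group can read protects nothing from a neighbour.
  def self.load_keys(dir)
    [KEY_FILE, IV_FILE].map do |file|
      path = File.join(dir, file)
      mode = File.stat(path).mode & 0o777
      raise "#{path} is group/world readable (mode #{mode.to_s(8)})" if (mode & 0o077) != 0
      File.binread(path)
    end
  end
  private_class_method :load_keys
end

# Walk the slides' run-down end to end in a throwaway directory: generate
# keys, write a password file, read it back, then rotate to a fresh key.
def run_down_demo(password = "asdf")
  Dir.mktmpdir do |root|
    old_keys, new_keys, files = %w[old new files].map do |sub|
      path = File.join(root, sub)
      Dir.mkdir(path)
      path
    end
    PasswordVault.generate_keys(old_keys)
    PasswordVault.encrypt_to_file("app", password, key_dir: old_keys, out_dir: files)
    stored = File.read(File.join(files, "app"))
    before = PasswordVault.decrypt_from_file("app", key_dir: old_keys, out_dir: files)
    PasswordVault.generate_keys(new_keys)
    PasswordVault.rotate(old_keys, new_keys, files)
    after = PasswordVault.decrypt_from_file("app", key_dir: new_keys, out_dir: files)
    { stored: stored, before: before, after: after }
  end
end

puts run_down_demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the hex ciphertext that sits on disk alongside the password recovered before and after rotation. Only ciphertext ever reaches the files directory, which is what makes those files safe to commit, while the key directory is the part that has to stay out of the repository and behind file permissions.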

Page 12: Performance

$ time ruby -e "require 'passw3rd'; X.times { Passw3rd::PasswordService.get_password('asdf') }"

• X = 100: 0.281s
• X = 1,000: 0.359s
• X = 10,000: 1.081s
• X = 100,000: 8.372s
• X = 1,000,000: 1m21.007s

This is without optimization: the file is opened and read during each iteration.

Page 13: Passw3rd Current Support

Page 14: Passw3rd Future Support

• Python
• .NET
• PHP
• <your language here>
• Passw3rd is an official OWASP project, so there is an entire community behind it

https://www.owasp.org/index.php/OWASP_Passw3rd_Project#tab=Project_About

Page 15: Roadmap

• Key rotation script
• Multi-key support
• Load encrypted password files in memory for rapid sequential decryption

Page 16: Go collect some underwear!

http://www.itd.umich.edu/posters/

Page 17: Credits

• Warren Liang for creating the project that inspired passw3rd
• Josh Drummond for using that project in innovative ways
• Joe Milora for the Spring configuration file code

Page 18: Questions?

https://github.com/oreoshake/passw3rd
https://github.com/oreoshake/passw3rd_java
http://rubygems.org/gems/passw3rd
https://www.owasp.org/index.php/OWASP_Passw3rd_Project#tab=Project_About