
Upload: charles-southerland

Post on 16-Apr-2017


Passwords

Charles Southerland, ONEsite & DC405

Know anyone that...

...uses the same password for everything?

Multiple Passwords

Regarding multiple passwords...

...never write a password down or store it unencrypted (including email, SMS, etc.).

...avoid reusing a password for any two things.

...if you feel you must reuse some passwords, never reuse a password for something which needs to be secure.

...many people have tricks based on what the password is for (Steve Gibson has a new one).

...you could use KeePass or LastPass.

Know anyone that...

...thinks it's a good idea to change passwords every 6 months?

Regular Password Changes

Changing your passwords every 6 months...

...does nothing to protect you.

...encourages bad password habits.

...gives a false sense of security.

...is much less secure than making your passwords a few characters longer.

...makes end users hate tech support. :(

Know anyone that...

...thinks it's okay to limit passwords to being between 8 and 25 characters in length?

Minimum Password Length

Passwords should be...

...made of not just lower-case letters.

...no less than 12 characters long given the power of the modern GPU.

...as long as is practical (more on this in a bit).

Password Haystacks

Which password will be caught first by most brute-force password cracking algorithms?

D0g.....................

PrXyc.N(n4k77#L!eVdAfp9

Steve Gibson came up with the idea of Password Haystacks just a few months ago, and it is already starting to take off.

Know anyone that...

...thinks it's okay to have an upper limit on how many characters are in a password?

Note: Not referring to an upper limit imposed by buffer size.

Upper Limits on Length

If someone gives you an upper limit on password length that isn't solely because of browser or server limitations...

...you need to be very concerned.

...they could be storing your password instead of storing its hash.

...they could possibly get your password.

...an ID thief can probably get your password.

Know anyone that...

...stores passwords (plain or encrypted) in a database field?

Password Hashes

Passwords should...

...NEVER be stored in a database in such a way that they can be recreated.

...be checked by comparing the hash of the supplied password against the password hash stored in the database.

...be removed from RAM as quickly as possible.

...be salted by being padded and then encrypted using a combination of data that changes between users and a secret site key.

...be hashed using a modern hashing algorithm like SHA-384.
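As an added example (not part of the slides), this Python snippet implements the check the slide describes: a per-user random salt and a secret site key both feed into the hash, the plaintext is never stored, and login compares hashes. It goes beyond the slide by iterating SHA-384 through PBKDF2 instead of applying it once; the site key value and the iteration count are constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import Optional

# Secret site key ("pepper"). The value is a constructed placeholder; a real one
# lives outside the database (config file, KMS, HSM) so a dumped table alone is useless.
SITE_KEY = b"CONSTRUCTED-SITE-KEY-NOT-A-REAL-SECRET"

# Each guess costs this many SHA-384 rounds, which slows offline cracking.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). Three inputs feed the digest: the password,
    a per-user random salt stored next to the hash, and the secret site key."""
    if salt is None:
        salt = os.urandom(16)  # data that changes between users
    digest = hashlib.pbkdf2_hmac(
        "sha384",
        password.encode("utf-8"),
        salt + SITE_KEY,  # salt padded with the secret site key
        ITERATIONS,
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest and compare hashes; the plaintext is never stored.
    compare_digest is constant-time, so timing does not reveal matching bytes."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def demo() -> dict:
    """Store one constructed account and exercise the checks; returns the results."""
    pw = "correct horse battery staple"
    salt, digest = hash_password(pw)
    _, digest_again = hash_password(pw)  # fresh salt, so a different digest
    return {
        "digest_len": len(digest),  # SHA-384 output is 48 bytes
        "accepts_correct": verify_password(pw, salt, digest),
        "rejects_wrong": verify_password(pw + "r", salt, digest),
        "same_password_differs": digest != digest_again,
    }


if __name__ == "__main__":
    print(demo())
```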

Password Requirements

Passwords should be required to...

...have more than just lower-case letters.

...be at least 12 characters long.

...never be known, read, heard, or seen by anyone else ever, no exceptions.

...not have been guessed by a password cracker.

...be something the user has entered, and never be a temporary password given to the user by an admin or password reset email.

...be entered only on pages protected by captchas whenever possible.

Know anyone that...

...doesn't always check that every page is HTTPS while logging in and while logged in?

HTTPS (as Client)

To protect yourself while browsing...

...make sure your browser no longer trusts the DigiNotar certificate authority!

...always make sure you have a secure connection before entering data.

...always make sure you have a secure connection if you are logged in.

...definitely get the HTTPS Everywhere plugin.

...possibly get the Certificate Patrol plugin.

HTTPS (as Server)

HTTPS should always be required when...

...usernames and/or passwords are accepted.

...cookies are being sent or requested.

...the user is logged in.

...JavaScript is provided and sensitive data can be entered in forms on the page.

Other Notes

Whenever possible, use OpenID to handle users (so you can avoid any password-related pitfalls in the first place).

Never ask a user for credentials to another site; always use OAuth to enable such functionality.

If you believe any passwords have been compromised, inform everyone immediately; DigiNotar's fate was sealed when they chose not to responsibly disclose.

You need to start thinking about two-factor and three-factor authentication if you haven't started already.

About Cryptography

Cryptography...

...is not intuitive.

...can solve almost every problem in security.

...can often make up for PEBKAC.

...is going to become increasingly vital to your company.

...is something I hope you ask me more about.

Password Haystacks

https://www.grc.com/haystack.htm

HTTPS Everywhere

https://www.eff.org/https-everywhere