passwords: security vs usability
DESCRIPTION
This is my presentation from ROOTS 2012 in Bergen, Norway. It was presented on April 27, security track.TRANSCRIPT
Passwords:
Security vs Usability?
ROOTS 2012
April 27, 2012
Per Thorsheim
CISA, CISM, CISSP-ISSAP
Security Advisor
Introduction
3
Google picture search
About me
Website
designer
Software
designer
Security
designer
First day at work
4
5
Windows 8 - Picture Password
https://blogs.msdn.com/b/b8/archive/2011/12/16/signing-in-with-a-picture-password.aspx
https://blogs.msdn.com/b/b8/archive/2011/12/19/optimizing-picture-password-security.aspx
Security should be simple…
6
…but not stupid…
7
But do remember: In general, 2-factor authentication is one thing you know and one thing you forgot at home.
Good? security usability does exist:
You should do risk analysis…
Page 8
(Your choice of methodology of course…)
[my personal clip art gallery]
(Mostly) Bad Examples
Tell everyone their new password in public
10
11
be careful with your requirements…
…but please do require something…
12
…accept end-users for as they are…
13
Store their credentials safely…
14
15
… and give them simple but useful help…
... And «write down your password» can be smart:
16
As long as you DO try to hide those POST-IT notes just a little bit!
http://securitynirvana.blogspot.com/2010/03/write-down-your-password.html
Hey, some actually do give sound advice!
17
18
19
20
21
22
www.ssllabs.com
Security questions are *hard* to do properly!
23
www.lightbluetouchpaper.org/2010/03/04/evaluating-statistical-attacks-on-personal-knowledge-questions/
Do NOT e-mail me my password!
24
Or else…..
25
Hall of shame
26
https://defuse.ca/password-policy-hall-of-shame.htm
27
E-mail can be used for password resets…
28
…but not everyone does it «correctly»
29
http://securitynirvana.blogspot.com/2010/11/revisiting-password-meters.html
Password meters are dangerous:
30
http://seclists.org/bugtraq/2012/Apr/185
No default passwords or backdoors, PLEASE!
Front-end admin access? (ATM screenshot)
31
Written Password Policies
33
Password policies should be simple to understand
34
… or passwords may end up here:
Our past is paved with bad examples…
36
…. REALLY bad examples in fact.
Page 37
38
Encrypt – or password protect?
AES-128 with PBKDF2/SHA-1
Account lifecycle management
• Register
• Maintain
• Monitor
• REMOVE old accounts
• CAPTCHA
• OOB authentication
• Password transmission
o Plaintextoffenders.com
o Passwordfail.com
o Blog posts on multicase etc, + presseoppslag
39
Now let me fix that password security for you…
WITHOUT affecting UX AT ALL
3 Blog posts and 1 academic paper:
1. «Enough with the rainbow tables: what you need to know about secure password schemes» http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
2. «Strong password hashing for ASP.NET» http://zetetic.net/blog/2012/3/29/strong-password-hashing-for-aspnet.html
3. «Why you should use Bcrypt to hash stored passwords» http://phpmaster.com/why-you-should-use-bcrypt-to-hash-stored-passwords/
4. «The quest to replace passwords: a framework for comparative evaluation of web authentication schemes» http://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta-password--oakland.pdf
Recommendations
41
42
Rate-limiting online bruteforce attacks
43
http://tech.dropbox.com/?p=165 & https://github.com/lowe/zxcvbn
…Still want a password meter at your site?
And to break it all down at the end:
44
45
Thank you!
Per Thorsheim
securitynirvana.blogspot.com
@thorsheim
