Password Storage Sucks! How to properly store passwords in your database

Upload: nerdybeardo

Post on 01-Sep-2014


Category: Technology



DESCRIPTION

Password storage strategies

TRANSCRIPT

Page 1: Password Storage Sucks!

Password Storage Sucks! How to properly store passwords in your database

Page 2: Password Storage Sucks!

Legal Disclaimers…

• Disclaimer 1: I make no guarantees about beard length. But a beard will always be attached to this sexy face.
• Disclaimer 2: I curse, frequently… sorry.
• Disclaimer 3: Opinions are my own. Advice provided with no warranty. If you go back and implement an algorithm I told you to implement you do so at your own risk. In other words… don’t come crying to me on twitter.

Page 3: Password Storage Sucks!

Oh yeah… twitter … @nerdybeardo

http://www.nerdybeardo.com

Page 4: Password Storage Sucks!

Who am I?

• I am a software architect on the .NET stack
• I study cryptography for fun (WTF?!?)
• I study application security but not for fun… it’s scary
• Most of my life is spent on a keyboard with the following exceptions…
• I managed to get married…
• And against all odds… I somehow was able to pass on my genes

Page 5: Password Storage Sucks!

Credentials….

• I have none…
• Except I have a beard…
• And because it’s so awesome people pay me a boat load of money to fix their shit
• Wait I lied… I’m a certified Scrum Master
• Or as my clients call me… The Scum Master
• I’ve also been called Dragon Master

Page 6: Password Storage Sucks!

How to approach this talk

• Don’t just look at this as a talk on password storage
• Look at the approach we’re taking to secure our passwords
• Use the same type of approach for all your PII data

Page 7: Password Storage Sucks!

Why are we here?

• Because developers suck at security!
• And our users are paying for our suckiness!

Page 8: Password Storage Sucks!

How many people know what Angular is?

Page 9: Password Storage Sucks!

How many people know what a CSRF is?

• How important is CSRF becoming because of single-page sites?
• Do you know why it’s dangerous to allow your APIs to be hit as GET requests?
• Are you protecting your APIs with request forgery tokens?
• In other words CSRF is much more dangerous because of the use of frameworks like Angular with a REST API, yet it’s rarely brought up as a topic.

Page 10: Password Storage Sucks!

I’m dizzy please stop!

• The amount of new frameworks coming out is dizzying
• We are WAY too focused on frameworks, and tools, and the next thing that’s going to make our site look super awesome.

Page 11: Password Storage Sucks!

Newsflash!

• Using Angular isn’t going to make you cool! (Is it still ok to say the word cool?)
• We will still be nerds. (or in my case Nerdy)
• There is going to be a new framework tomorrow.
• Your apps will still be broken!

Page 12: Password Storage Sucks!

Do you know who this is?

Page 13: Password Storage Sucks!

Game Theory

Hawk/Dove payoff matrix (Player 1 chooses the row, Player 2 the column; each cell is Player 1’s payoff, Player 2’s payoff):

                      Player 2
                      Hawk        Dove
  Player 1   Hawk     ,           V,0
             Dove     0,V         ,

Page 14: Password Storage Sucks!

Wild Wild West…

• The internet is the Wild Wild West
• “Cost” of playing hawk on the internet has gone down tremendously
• A 17 year old in Eastern Europe can be the cause of 40 million credit cards being stolen from Target

Page 15: Password Storage Sucks!

Pshhhhhh….

“People will get their money back if my shit is owned, I don’t care…”

Page 16: Password Storage Sucks!

Yeah except…

People in this room control…
• Health records
• Financial data
• Legal data
• Buying habits
• Most people use the same passwords for all their sites

Page 17: Password Storage Sucks!

Oh the things I’ve seen….

• Passwords stored only as hash values
• User tables susceptible to SQL injection attacks
• Backdoor “master” password access to all users
• “Encrypted” in the famous base64 encryption algorithm
• “Encrypted” in the famous plaintext algorithm
• No password - How’s anybody going to get to this admin page? Nobody knows the URL…

Page 18: Password Storage Sucks!

So you think you’re secure…

Page 19: Password Storage Sucks!

Not the kind of hash you may be used to

Blast from the past: college professors told me I can use a hash function to “map” my data to a “bucket”.

Mainly used in hash tables (System.Collections.HashTable, System.Collections.Generic.Dictionary) for fast storage and retrieval (ooooh yeah).

Example: I have bins (buckets) and 100 apples. I want to spread them evenly across all my bins.

h(x) = x mod 10

Page 20: Password Storage Sucks!

Why Not Encryption?

H(x) = x mod 10

Page 21: Password Storage Sucks!

This ain’t yo mama’s hash function

Use cryptographically secure hash functions for passwords:
• It should be hard, given h(m), to find m’ such that h(m’) = h(m) (pre-image resistance)
• It should be difficult, given a message m with hash h(m), to find a message m’ != m with h(m) = h(m’) (second pre-image resistance)
• It should be difficult to find any two messages m and m’ where h(m) = h(m’) (collision resistance)
• Preferable to have a property called the avalanche effect: a 1 bit difference in the input causes at least 50% of the output bits to change
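The avalanche property is the one of the four you can actually watch happen. The following is an added example (not from the talk) that flips each input bit of a constructed sample message in turn and counts how many bits of the SHA-256 output change; pre-image and collision resistance cannot be demonstrated this way, only assumed, which is why the next slides talk about bounds instead.

```python
import hashlib


def sha256_bits(data: bytes) -> int:
    """SHA-256 digest of data as a 256-bit integer, so we can XOR two digests."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with exactly one bit flipped (bit 0 is the LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between SHA-256(a) and SHA-256(b), in the range 0..256."""
    return bin(sha256_bits(a) ^ sha256_bits(b)).count("1")


def avalanche_report(message: bytes) -> dict:
    """Flip every input bit once and summarize how many of the 256 output bits changed.

    A hash with a good avalanche effect changes about half the output bits (mean
    near 128) no matter which single input bit is flipped.
    """
    distances = [
        differing_bits(message, flip_bit(message, i))
        for i in range(len(message) * 8)
    ]
    return {
        "samples": len(distances),
        "min": min(distances),
        "max": max(distances),
        "mean": sum(distances) / len(distances),
    }


if __name__ == "__main__":
    sample = b"123456"  # constructed sample input (rank 1 on the rainbow slide)
    print(avalanche_report(sample))
```

For a 6-byte input there are 48 single-bit flips; each one should move roughly 128 of the 256 output bits, and none anywhere near the 1 bit that changed on the input side.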

Page 22: Password Storage Sucks!

Merkle Damgard Construction

Page 23: Password Storage Sucks!

We still have some problems

Fact of life: all cryptographic hash functions are susceptible to collisions.
• I’m lazy… so here’s my rule of thumb
• Take the output size of the hash algorithm in bits and divide by 2; call that n, and our collision security level is 2^n
• Search Wikipedia for “Birthday paradox” for the proper math
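To see why the rule of thumb halves the output size, here is an added example (not part of the talk) that truncates SHA-256 to a small number of bits and counts how many constructed messages it takes before two of them share a digest. The birthday estimate for an n-bit hash is about sqrt(pi/2 · 2^n) inputs, i.e. on the order of 2^(n/2), which is exactly the slide’s n = output_bits / 2.

```python
import hashlib
import math


def collision_security_bits(output_bits: int) -> int:
    """The slide's rule of thumb: an n-bit output resists collisions to about 2^(n/2) work."""
    return output_bits // 2


def expected_tries_for_collision(n_bits: int) -> float:
    """Birthday-paradox estimate of random inputs needed before the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)


def truncated_sha256(data: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256(data); truncation stands in for a hash with a short output."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int, limit: int = 1 << 24):
    """Hash constructed messages msg-0, msg-1, ... until two share a truncated digest.

    Returns (first_message, second_message, tries) or None if limit is reached.
    The number of tries lands near expected_tries_for_collision(n_bits), far
    below the 2^n_bits a brute-force pre-image search would need.
    """
    seen = {}
    for i in range(limit):
        message = b"msg-%d" % i
        h = truncated_sha256(message, n_bits)
        if h in seen:
            return seen[h], message, i + 1
        seen[h] = message
    return None


if __name__ == "__main__":
    bits = 32
    print("rule of thumb for a 256-bit hash: 2^%d" % collision_security_bits(256))
    print("expected tries for %d bits: %.0f" % (bits, expected_tries_for_collision(bits)))
    print("found:", find_collision(bits))
```

With 32 truncated bits the search space is about 4.3 billion digests, yet a collision shows up after roughly 82,000 hashes, which is the whole point of quoting collision strength at half the output size.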

Page 24: Password Storage Sucks!

Merriam Webster I Shake My Fist At You!

• Forget all the theory….
• We can just pre-hash a dictionary and match the hash to the original value. (Rainbow Tables)

Page 25: Password Storage Sucks!

Rainbow Connection

Rank  Password   MD5                               SHA1
1     123456     e10adc3949ba59abbe56e057f20f883e  7c4a8d09ca3762af61e59520943dc26494f8941b
2     12345      827ccb0eea8a706c4c34a16891f84e7b  8cb2237d0679ca88db6464eac60da96345513964
3     123456789  25f9e794323b453885f5181f1b624d0b  f7c3bc1d808e04732adf679965ccc34ca7ae3441
4     Password   dc647eb65e6711e155375218212b3964  8be3c943b1609fffbfc51aad666d0a04adf83c9d
5     iloveyou   f25a2fc72690b780b2a14e140ef6a9e0  ee8d8728f435fd550f83852aabab5234ce1da528
6     princess   8afa847f50a716e64932d995c8e7435a  775bb961b81da1ca49217a48e533c832c337154a
7     rockyou    f806fc5a2a0d5ba2471600758452799c  f1cf651ce1a2191a760c0b2f161234f7958e26e4
8     1234567    fcea920f7412b5da7be0cf42b8c93759  20eabe5d64b0e216796e834f52d61fd0b70332fc
9     12345678   25d55ad283aa400af464c76d713c07ad  7c222fb2927d828af22f592134e8932480637c0d
10    abc123     e99a18c428cb38d5f260853678922e03  6367c48dd193d56ea7b0baad25b19455e529f5ee

Page 26: Password Storage Sucks!

mmmm…. Salty

• To get around the problem of rainbow tables add a random salt
• Don’t just use random text! I see this time and time again.
• Use random bytes and add them to the password before hashing
• Generate with System.Security.Cryptography.RNGCryptoServiceProvider; PHP: openssl_random_pseudo_bytes; Ruby: OpenSSL::Random
• Longer and more random is better
• Store the salt in a field in your db along with the username and password hash (can be unencrypted)
• PasswordField == Hash(saltBytes + GetBytes(passwordEntered))

Page 27: Password Storage Sucks!

Salty hash is good but not that good…

• Most cryptographic hash algorithms are made to perform over large files, so they are really fast
• My PC (Core i7 3930k) can do almost 360 Mb/s for SHA-1
• So we can generate rainbow tables on the fly from password databases
• Need to slow it down! So we’ll introduce a work factor
• Work factor tells the algorithm how much “work” to perform
• As computers get faster increase the work factor and re-hash as users log in
• Good examples are BCrypt, SCrypt, PBKDF2
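The two slides above (random-byte salt, then a work factor on top) come together in the following added example, which is not code from the talk. It uses Python’s os.urandom as the CSPRNG in place of RNGCryptoServiceProvider and PBKDF2-HMAC-SHA256 from hashlib as the work-factor algorithm; the salt, iteration count and hash are stored in one field so the work factor can be raised later and detected at login. The record format, the 16-byte salt length and the 200,000-iteration policy are assumptions for this example, not numbers from the talk.

```python
import hashlib
import hmac
import os
import time

# Assumed policy for this example: 16 random salt bytes, PBKDF2-HMAC-SHA256,
# and a current work factor that should be raised as hardware gets faster.
SALT_BYTES = 16
CURRENT_ITERATIONS = 200_000


def new_salt() -> bytes:
    """Random bytes from the OS CSPRNG, not random text."""
    return os.urandom(SALT_BYTES)


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """The slide's PasswordField == Hash(saltBytes + passwordBytes), with SHA-256 as Hash.

    Salting defeats precomputed rainbow tables, but a single SHA-256 is still far
    too fast; this function exists only to be measured against the slow one.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Same inputs plus a work factor: PBKDF2-HMAC-SHA256 standing in for BCrypt/SCrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Store algorithm, iterations, salt and hash in one field: 'pbkdf2_sha256$iter$salt$hash'."""
    salt = new_salt()
    digest = slow_salted_hash(password, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> tuple:
    """Return (matches, needs_rehash).

    needs_rehash is True when the record was made with a work factor below the
    current policy, so the caller can re-hash with the entered password on login.
    """
    _algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    iterations = int(iterations)
    candidate = slow_salted_hash(password, bytes.fromhex(salt_hex), iterations)
    matches = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare
    return matches, matches and iterations < CURRENT_ITERATIONS


def hashes_per_second(fn, seconds: float = 0.25) -> float:
    """Rough throughput of fn(), used to show what the work factor buys you."""
    count = 0
    start = time.perf_counter()
    deadline = start + seconds
    while time.perf_counter() < deadline:
        fn()
        count += 1
    return count / (time.perf_counter() - start)


def slowdown_factor(iterations: int = 20_000) -> float:
    """How many times slower an attacker's guess rate gets with this work factor."""
    salt = new_salt()
    fast = hashes_per_second(lambda: fast_salted_hash("123456", salt))
    slow = hashes_per_second(lambda: slow_salted_hash("123456", salt, iterations))
    return fast / slow


if __name__ == "__main__":
    first, second = hash_password("123456"), hash_password("123456")
    print("same password, different records:", first != second)
    old = hash_password("123456", iterations=10_000)  # a record from the 'old' policy
    print("verify old record:", verify_password("123456", old))  # (True, True) -> re-hash now
    print("guess-rate slowdown at 20k iterations: %.0fx" % slowdown_factor())
```

The tuple returned by verify_password is the hook for the "re-hash as users log in" bullet: when it comes back (True, True) the application has the plaintext in hand and can call hash_password again under the current policy.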

Page 28: Password Storage Sucks!

PBKDF2

PROS
• Uses standard hash functions
• Takes salt
• Comes standard in many frameworks (Rfc2898DeriveBytes)

CONS
• Possible to mis-configure if using anything other than the standard hash
• Standards for work factor are really unknown
• Can be attacked using GPU array
• Can be attacked using FPGA array

Page 29: Password Storage Sucks!

BCrypt

PROS
• Very old!
• Open source!
• Has been used in many secure software programs
• Much easier to configure and use
• Salt, iteration and hash stored as one field
• Difficult to brute force on GPU

CONS
• Open source
• Memory requirements make it vulnerable to things like FPGA

Page 30: Password Storage Sucks!

SCrypt

PROS
• Open source
• Much easier to configure and use
• Salt, iteration and hash stored as one field
• Difficult to brute force on GPU

CONS
• Relatively new
• Open source
• Good implementations are harder to find

Page 31: Password Storage Sucks!

OMG WTF Am I gonna do?

• If you’re not using a salted hash, update all passwords with a more secure algorithm: BCrypt(MD5(Password)) and store a version (Version 1).
• When a user logs in simply upgrade on successful login and save to a new version (Version 2).

    function VerifyPassword(input, storedHash, version)
        candidate = input
        if version is 1 then candidate = md5(input)      // version 1 is bcrypt over the legacy MD5 value
        result = bcrypt.verifypassword(candidate, storedHash)
        if result is true and version is 1 then
            updatepassword(bcrypt(input, workfactor), 2)  // re-hash the original input, not the MD5
        return result
    end

Page 32: Password Storage Sucks!

What if I don’t have a hash at all?

• Even though you are less secure than someone who went through hashing, you’re actually on an easier upgrade path
• Simply compute the BCrypt hash (or whatever else you want to use) over your user database and store it back in the database
• If you have a lot of users (> 100,000 users) this will take a long time, but you can take advantage of multi-threading and multiple cores.
• Make your users change their password on first login
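Both migration paths from the last two slides, the wrap-the-legacy-MD5 route with version numbers and the bulk re-hash of plaintext, are shown in the following added example. It is not code from the talk: PBKDF2-HMAC-SHA256 stands in for BCrypt, the in-memory dictionary stands in for the user table (the talk names no schema), and the record layout, iteration count and sample users are constructed for this example.

```python
import hashlib
import hmac
import os
from concurrent.futures import ThreadPoolExecutor

# Hypothetical user table: username -> {"version": ..., "hash": ...}
#   "plaintext" : legacy, the "no hash at all" case
#   "md5"       : legacy, unsalted MD5 hex ("passwords stored only as hash values")
#   1           : slow_kdf(md5_hex(password)), made offline without knowing the password
#   2           : slow_kdf(password), the target format
ITERATIONS = 20_000  # assumed work factor for the example


def slow_kdf(secret: bytes, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 standing in for BCrypt; returns 'iterations$salt$hash'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def slow_kdf_verify(secret: bytes, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", secret, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def md5_hex(password: str) -> bytes:
    """Reproduce exactly what the legacy system stored: lowercase MD5 hex of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().encode("ascii")


def wrap_legacy_md5(md5_hex_value: str) -> dict:
    """Page 31: BCrypt(MD5(password)) as version 1. Needs only the stored MD5, not the password."""
    return {"version": 1, "hash": slow_kdf(md5_hex_value.encode("ascii"))}


def hash_plaintext(password: str) -> dict:
    """Page 32: a plaintext record can go straight to the target format."""
    return {"version": 2, "hash": slow_kdf(password.encode("utf-8"))}


def bulk_upgrade(users: dict, workers: int = 4) -> dict:
    """Upgrade every legacy record. Each user is independent, so the work is spread over threads."""
    def upgrade(item):
        name, record = item
        if record["version"] == "plaintext":
            return name, hash_plaintext(record["hash"])
        if record["version"] == "md5":
            return name, wrap_legacy_md5(record["hash"])
        return name, record  # already versioned
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(upgrade, users.items()))


def verify_password(users: dict, username: str, entered: str) -> bool:
    """The slide's VerifyPassword: version 1 checks the MD5 of the input; success upgrades to 2."""
    record = users[username]
    candidate = md5_hex(entered) if record["version"] == 1 else entered.encode("utf-8")
    ok = slow_kdf_verify(candidate, record["hash"])
    if ok and record["version"] == 1:
        # We now hold the real password, so re-hash the original input, not its MD5.
        users[username] = {"version": 2, "hash": slow_kdf(entered.encode("utf-8"))}
    return ok


def sample_users() -> dict:
    """Constructed sample table with one of each legacy record kind."""
    return {
        "alice": {"version": "plaintext", "hash": "iloveyou"},
        "bob": {"version": "md5", "hash": hashlib.md5(b"princess").hexdigest()},
    }


if __name__ == "__main__":
    table = bulk_upgrade(sample_users())
    print("after bulk upgrade:", {u: r["version"] for u, r in table.items()})
    print("bob logs in:", verify_password(table, "bob", "princess"))
    print("bob's version now:", table["bob"]["version"])
```

The version column is what makes the offline step safe to run before anyone logs in: a version 1 record can be verified and upgraded later, and a plaintext record never needs a version 1 detour because the password itself is already available for the bulk pass.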

Page 33: Password Storage Sucks!

Other recommendations

• My #1 recommendation for password storage: DON’T
• If you can get away with it use an open API like OpenID (google, facebook, yahoo etc..); this removes the liability from your code and is safer for your users.
• If you can use a standard authentication mechanism such as Active Directory, or a corporate standard approved by your security team, then use that instead.
• Run your entire application under the least privileges you can get away with.
• I highly recommend putting restrictions on which users are able to read the user table; segregate that table away from the rest of the database if possible and only allow a single user to have read access, and a single user that has write access.

Page 34: Password Storage Sucks!

Last thoughts…

• Developers need to engage the Infosec community
• OWASP meetings
• Local security meet ups!

Page 35: Password Storage Sucks!

Ok I’m done now…

Follow me on twitter: @nerdybeardo
Blog: http://www.nerdybeardo.com