Protecting Passwords

  • PROTECTING PASSWORDS

    inaz2

    #ssmjp 2016/06

    2016/06/30

  • ABOUT ME

    inaz2

    Security Engineer & Python Programmer

    Blog:

    http://inaz2.hatenablog.com/


  • RECENT TOPICS ON PASSWORDS

    http://d.hatena.ne.jp/Kango/20160123/1453546824


  • RECENT TOPICS ON PASSWORDS

    http://d.hatena.ne.jp/Kango/20160518/1463586755


  • RECENT TOPICS ON PASSWORDS

    http://block.fm/news/Deadmau5_SChack.html


  • RECENT TOPICS ON PASSWORDS

    http://www.theregister.co.uk/2016/06/06/facebook_zuckerberg_social_media_accnt_pwnage/


  • https://www.ipa.go.jp/security/keihatsu/munekyun-pw/slideshow/index.html


  • WHAT SHOULD WE DO?

    Developers/Engineers

    Securing your authentication infrastructure

    Users

    Use strong passwords and manage them

    Researchers

    Do what you want UNDER THE LAW


  • SECURING YOUR AUTHENTICATION INFRASTRUCTURE

    For Developers/Engineers


  • USING HTTPS

    HTTP is insecure

    Anyone who can capture packets can read a password sent in plaintext

    The login form and the endpoint it posts to should be delivered only via

    HTTPS with a valid certificate (a form served over HTTP can be modified in transit

    even if it posts to HTTPS)

    Basic auth over HTTPS is acceptable

    Digest auth is a fallback if you really must stay on plain HTTP: it keeps the

    password itself off the wire, but it does not authenticate the server or protect

    the session, so it is no substitute for HTTPS

  • MONITORING LOGIN FAILURE

    Check authentication logs (e.g. sshd "Failed password" entries, web login failures)

    Restrict the maximum number of failures per source address

    (per-account lockout also stops brute force, but lets an attacker lock real users out)

    Fail2ban: http://www.fail2ban.org/ (bans an IP after maxretry failures within findtime)
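The rule Fail2ban applies to sshd, written out in plain Python so the logic is visible. This is an added example, not code from the slides or from Fail2ban; the log lines are constructed to look like OpenSSH syslog output, and only the "Failed password for <user> from <ip>" message shape is assumed.

```python
"""Fail2ban-style detection over sshd log lines (added example, not from the
original slides or from Fail2ban itself)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: syslog prefix + OpenSSH "Failed password" message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one fast brute-forcer, one slow one, one real user typo.
SAMPLE_LOG = """\
Jun 30 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jun 30 10:00:02 host sshd[1202]: Failed password for root from 198.51.100.7 port 40123 ssh2
Jun 30 10:00:03 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Jun 30 10:00:05 host sshd[1204]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2
Jun 30 10:00:07 host sshd[1205]: Failed password for alice from 203.0.113.5 port 51001 ssh2
Jun 30 10:00:09 host sshd[1206]: Failed password for invalid user oracle from 198.51.100.7 port 40125 ssh2
Jun 30 10:00:10 host sshd[1207]: Failed password for invalid user postgres from 198.51.100.7 port 40126 ssh2
Jun 30 10:20:00 host sshd[1208]: Failed password for root from 192.0.2.9 port 33000 ssh2
Jun 30 10:20:01 host sshd[1209]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jun 30 10:40:00 host sshd[1210]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""


def parse_failures(log_text, year=2016):
    """Yield (timestamp, user, ip) for every failed password attempt.
    syslog omits the year, so it is supplied by the caller."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def ips_to_ban(log_text, maxretry=5, findtime_s=600):
    """Return the source IPs that reach maxretry failures inside any
    findtime_s-second window (the sshd jail's maxretry/findtime rule)."""
    findtime = timedelta(seconds=findtime_s)
    window = defaultdict(list)
    banned = set()
    for ts, _user, ip in parse_failures(log_text):
        hits = window[ip] + [ts]
        # Forget attempts that fell out of the window before counting.
        window[ip] = hits = [t for t in hits if ts - t <= findtime]
        if len(hits) >= maxretry:
            banned.add(ip)
    return banned


def users_targeted(log_text):
    """Count failures per account name, to see which accounts attackers try."""
    counts = defaultdict(int)
    for _ts, user, _ip in parse_failures(log_text):
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    print("ban:", sorted(ips_to_ban(SAMPLE_LOG)))
    print("targets:", users_targeted(SAMPLE_LOG))
```

With the defaults (5 failures in 10 minutes) only 198.51.100.7 is banned; 192.0.2.9 spreads its three attempts over 40 minutes and slips under the rule, which is why a longer findtime with a lower maxretry is worth considering for sshd, and why the per-account view matters as well.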

  • PASSWORD HASHING

    Never store plaintext passwords

    glibc's crypt(3) supports salted SHA-256/SHA-512 ($5$ and $6$ formats)

    crypt.crypt (Python; deprecated in 3.11 and removed in 3.13), String#crypt (Ruby), crypt (PHP)

    Key Derivation Functions (KDF) are recommended:

    a deliberately slow, tunable computation with a random salt per password

    hashlib.pbkdf2_hmac (Python, PBKDF2),

    OpenSSL::PKCS5 (Ruby, PBKDF2), password_hash (PHP, bcrypt)

    scrypt: http://www.tarsnap.com/scrypt.html

    Store the parameters (salt, iteration count) with the hash so they can be raised later,

    and compare the stored and recomputed hashes in constant time
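Salted PBKDF2 storage and verification with the standard library, as an added example (not code from the slides). The record format pbkdf2_sha256$iterations$salt_hex$hash_hex is my own convention, chosen so the parameters travel with the hash; the unsalted SHA-256 function at the end is included only as the anti-pattern.

```python
"""Salted PBKDF2-HMAC-SHA256 password storage (added example; the record
format is an assumption of this example, not a standard)."""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # tune so one hash costs ~100 ms on your own hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record. A fresh random salt per password
    means two users with the same password get different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current iteration policy; call this
    right after a successful login and store hash_password(password) anew."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


def insecure_hash(password: str) -> str:
    """Anti-pattern: unsalted fast hash. Equal passwords give equal digests,
    and the GPU rates later in this deck apply to it directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = hash_password("AzunyanPeropero300!?")
    print(rec)
    print(verify_password("AzunyanPeropero300!?", rec), verify_password("wrong", rec))
```

The iteration count is the knob that buys time against the benchmark numbers later in the deck: because it is stored in the record, it can be raised for all users over time without a reset, using needs_rehash at login.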

  • IDENTITY AND ACCESS MANAGEMENT (IAM)

    If you want a directory service:

    Active Directory/LDAP

    If you use data from Twitter, Facebook etc.:

    OAuth 2.0 (delegated authorization; on its own it is not an authentication protocol)

    If the systems are various and large:

    SAML/OpenID Connect (single sign-on)

    Cloud solution: Identity as a Service (IDaaS)

  • EXTRA: TWO-FACTOR AUTHENTICATION (2FA)

    Combine password and card

    Random number table, Smart card

    Combine password and a device implementing a One-time password (OTP) algorithm

    Mobile app (e.g. Google Authenticator), USB token (e.g. YubiKey)

    HOTP (RFC 4226, counter-based), TOTP (RFC 6238, time-based)

    Combine password and biometric recognition

    Fingerprint, Finger vein, Iris etc.

  • USING STRONG PASSWORDS AND MANAGING THEM

    For Users


  • TYPE OF ATTACKS

    Indiscriminate

    Attacking web services/servers at large

    e.g. SNS, Forums, EC sites, SSH servers

    Targeted

    Attacking a specific person

    e.g. celebrities, VIPs, neighbors

  • ATTACK METHODS

    Brute force (including mask/hybrid)

    Hanako0101, Hanako0102, ..., Hanako1231 (a name plus a date: the pattern shrinks the keyspace to a few hundred guesses)

    Dictionary

    123456, [email protected], letmein, qwerty, football, welcome, ...

    https://wiki.skullsecurity.org/Passwords

    Default Credential

    admin/admin, ubuntu/ubuntu, pi/raspberry, PlcmSpIp/PlcmSpIp, ...

    https://github.com/danielmiessler/SecLists/blob/master/Passwords/default-passwords.csv

    Breached Credential

    Your breached LinkedIn credential replayed against Twitter, Facebook, iCloud, ... (credential stuffing)

    https://haveibeenpwned.com/

  • ATTACK METHODS: WHAT TO DO

    Brute force: don't use predictable rules (name + date, incrementing numbers)

    Dictionary: use uncommon passwords that appear in no wordlist

    Default Credential: change default passwords

    Breached Credential: use a different password for every service

  • HOW TO MAKE STRONG PASSWORDS?

    http://windows.microsoft.com/en-US/windows-vista/tips-for-creating-a-strong-password

    Is at least 8 characters long.

    Does not contain your user name, real name, or company name.

    Does not contain a complete word.

    Is significantly different from previous passwords.

    Contains characters from each of uppercase/lowercase/numbers/symbols.

  • USING MULTIPLE WORDS

    xkcd: Password Strength

    https://xkcd.com/936/

    In my opinion, it is better to use non-English words (e.g. Japanese),

    since common cracking wordlists are English-centric

  • EXAMPLE (DONT USE THIS)

    AzunyanPeropero300!?


  • ANTI-PATTERN: USING REAL SECRETS

    Actually, Azunyan is not my favorite character.

    Your real favorite items/celebrities/characters/phrases are predictable,

    i.e. weak against targeted attacks

    Choose a password that is still safe even if others see it

    Systems may handle your password insecurely (logged or stored in plaintext)

  • RISK ASSESSMENT

    Classify services

    Bank / Public Services / SNS / Business / One-shot

    Very important / Important / Moderate / Less important

    Use different passwords for different classes

    Adding a per-service prefix/suffix can be a mitigation for Breached Credential attacks

    TAzunyanPeropero300!?, FAzunyanPeropero300!?, ...

    but once one plaintext leaks, the scheme is obvious to a targeted attacker

    Of course, the best is using completely different passwords

  • OTHER TOPICS

    Two-factor authentication

    Use it as far as possible.

    Password manager

    Use one if you want to.

    Periodic password change

    Do it if you are forced to.

    Nobody can make it perfect. Do what you can, comparing cost and benefit.

  • SOME FACTS

    For Researchers


  • HASH CRACKING USING GPU

    oclHashcat benchmark

    http://inaz2.hatenablog.com/entry/2016/05/20/011353

    https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40

    Hash rates (hashes/sec):

    Algorithm             Amazon EC2 g2.2xlarge    Nvidia GTX 1080
    MD5                           2,631,100,000     24,943,100,000
    SHA-1                           697,000,000      8,538,100,000
    SHA-256                         286,600,000      2,865,200,000
    PBKDF2-HMAC-SHA256                  114,800          1,173,100
    scrypt                               25,092            435,100

    A KDF costs the cracker four to five orders of magnitude more per guess than a raw hash
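What these rates mean for the attack styles earlier in the deck (the Hanako + date mask, an 8-character complexity-policy password, the xkcd-style multi-word passphrase). This is an added example, not part of the original slides: the GTX 1080 rates are the ones from the table above, the mask syntax and character-set sizes follow hashcat's ?l/?u/?d/?s/?a conventions, and the formulas (keyspace / rate) are a simple upper bound on an exhaustive search, which assumes one GPU and no smarter ordering of guesses.

```python
"""Keyspace and exhaustive-search time at the GTX 1080 rates from the
benchmark table (added example; rates are the slide's, formulas are mine)."""

GTX1080_RATES = {  # hashes/second, from the benchmark table
    "MD5": 24_943_100_000,
    "SHA-1": 8_538_100_000,
    "SHA-256": 2_865_200_000,
    "PBKDF2-HMAC-SHA256": 1_173_100,
    "scrypt": 435_100,
}

# hashcat built-in charsets: ?l lower, ?u upper, ?d digit, ?s symbol, ?a all printable ASCII
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat-style mask expands to.
    Literal characters contribute exactly one choice each."""
    n, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in CHARSETS:
            n *= CHARSETS[mask[i + 1]]
            i += 2
        else:
            i += 1
    return n


def passphrase_keyspace(words: int, dictionary_size: int) -> int:
    """xkcd-style passphrase: N words chosen independently from a known list."""
    return dictionary_size ** words


def seconds_to_exhaust(keyspace: int, algo: str, rates=GTX1080_RATES) -> float:
    """Worst-case time to try every candidate once; expected time is half."""
    return keyspace / rates[algo]


def human(seconds: float) -> str:
    for unit, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{unit}"
    return f"{seconds:.1f}s"


def report(label: str, keyspace: int) -> None:
    cols = "  ".join(f"{a}={human(seconds_to_exhaust(keyspace, a))}"
                     for a in ("MD5", "PBKDF2-HMAC-SHA256", "scrypt"))
    print(f"{label:34s} {keyspace:>22,d}  {cols}")


if __name__ == "__main__":
    # ?d?d?d?d overstates the date pattern (366 real dates), so the first line
    # is already generous to the password and still falls in microseconds.
    report("Hanako + 4 digits (Hanako?d?d?d?d)", mask_keyspace("Hanako?d?d?d?d"))
    report("8 chars, all printable (?a x8)", mask_keyspace("?a" * 8))
    report("4 words from a 7776-word list", passphrase_keyspace(4, 7776))
```

The point the table makes becomes concrete: the hashing choice moves the 8-character line from hours to years on one GPU, while the name-plus-date pattern stays instant under every algorithm, which is the argument for fixing the password, not just the hash.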

  • OBSERVING SSH ATTACKS

    Observed login trials on my SSH honeypot (58,000 records)

    Most trials were against the root account

    A specific IP address tried 4,800 different passwords

    Some attackers tried "Joe accounts" (username == password)

    admin/admin, guest/guest, ubuntu/ubuntu, oracle/oracle,

    postgres/postgres, wordpress/wordpress, steam/steam etc.

  • RECAP

    Passwords play an essential role in authentication schemes

    Developers/engineers should secure their authentication infrastructure

    HTTPS, Log monitoring, Password hashing, IAM, Two-factor auth

    Users should use strong passwords and manage them properly

    Don't use passwords like hanako0630

    Change default passwords

  • REFERENCES

    Password strength - Wikipedia

    https://en.wikipedia.org/wiki/Password_strength

    IPA

    http://www.ipa.go.jp/chocotto/pw.html

    Password Guidance - Microsoft Research

    https://www.microsoft.com/en-us/research/publication/password-guidance/

    Password guidance: simplifying your approach - GOV.UK

    https://www.gov.uk/government/publications/password-policy-simplifying-your-approach

  • THANK YOU!

    inaz2
