Fantastic passwords and where to find them - at NoRuKo

Transcript

1. FANTASTIC PASSWORDS AND WHERE TO FIND THEM @philnash

2. Phil Nash @philnash @phil_nash https://philna.sh [email protected]

3. My first password: “nash” “atom” @philnash

4. I GOT HACKED @philnash

5. PASSWORDS ARE TERRIBLE @philnash

6. GUIDELINES @philnash

7. Guidelines • Uppercase • Lowercase • Numbers • Special characters

   @philnash

8. password @philnash

9. Password1! @philnash

10. Guidelines Change passwords regularly @philnash

11. Password123! @philnash

12. PATTERNS @philnash

13. Password1! @philnash

14. ULLLLLLLDS @philnash

15. AN EXAMPLE @philnash

16. Western Australia Government Security Audit 234,000 passwords were assessed 1/4

    of passwords were deemed "weak" passwords 1,464 passwords were "Password123" (source) @philnash

17. Western Australia Government Security Audit @philnash

18. My "best" password • 8 characters long • Numbers and

    letters (uppercase only) • Model number of my hi-fi @philnash

19. I GOT HACKED @philnash

20. REPETITION @philnash

21. BREACHES @philnash

22. @philnash

23. HOW DO WE FIX THIS? @philnash

24. THE GUIDELINES WERE WRONG @philnash

25. @philnash

26. New guidelines From the ACSC, the NCSC and NIST •

    At least 13 characters • Accept all characters • Don't allow insecure passwords • Dictionary words • Repeated or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) • Context specific words (e.g. username, email, app name) • Passwords that have been in a breach @philnash

27. IN RUBY? @philnash

28. Devise config.password_length = 6..128 @philnash

29. Authlogic validates :password, confirmation: { if: require_password? }, length: {

    minimum: 8, if: require_password? } 01. 02. 03. 04. 05. 06. @philnash

30. Clearance # Nothing @philnash

31. Suggestions validates :password, length: { minimum: 14 } nobspw strong_password

    zxcvbn @philnash

32. nobspw pwc = NOBSPW::PasswordChecker.new password: 'philnashrules', name: 'Phil Nash', username:

    'philnash', email: '[email protected]' pwc.strong? pwc.weak? pwd.weak_password_reasons 01. 02. 03. 04. 05. 06. 07. @philnash

33. zxcvbn test = Zxcvbn.test("philnashrules", ["philnash"]) test.score test.feedback.suggestions 01. 02. 03.

    @philnash

34. DEMO @philnash

35. INSECURE PASSWORDS? @philnash

36. PWNED PASSWORDS @philnash

37. Pwned Passwords 572,611,621 passwords previously exposed in data breaches @philnash

38. Pwned Passwords API ⚠ Don't worry ⚠ @philnash

39. Pwned Passwords API 1. Get the SHA1 hash of the

    password 2. Take the first 5 characters of the hash 3. https://api.pwnedpasswords.com/range/#{prefix} 4. Check if the remainder of the hash is in the result @philnash

40. PWNED GEM @philnash

41. DEMO @philnash

42. Pwned https://github.com/philnash/pwned devise-pwned_password @philnash

43. NEXT LEVEL @philnash

44. TWO FACTOR AUTHENTICATION @philnash

45. PASSWORDS ARE TERRIBLE @philnash

46. PASSWORD GUIDELINES ARE WORSE @philnash

47. MAKE PASSWORDS LONGER @philnash

48. CHECK AGAINST BREACHES AND DICTIONARIES @philnash

49. IMPLEMENT TWO FACTOR AUTHENTICATION @philnash

50. Thanks! @philnash @phil_nash https://philna.sh [email protected]

51. Tom Carr @ItsMeTomC "Your password must contain at least 8

    letters, a capital, a plot, a protagonist with good character development, a twist & a happy ending." 1156 PM · Oct 13, 2014 3.3K 4.7K people are Tweeting about this @philnash