PROTECTING PASSWORDS
inaz2
#ssmjp 2016/06
2016/06/30
ABOUT ME
• inaz2
• Security Engineer & Python Programmer
• Blog: ももいろテクノロジー
• http://inaz2.hatenablog.com/
RECENT TOPICS ON PASSWORDS
• http://d.hatena.ne.jp/Kango/20160123/1453546824
• http://d.hatena.ne.jp/Kango/20160518/1463586755
• http://block.fm/news/Deadmau5_SChack.html
• http://www.theregister.co.uk/2016/06/06/facebook_zuckerberg_social_media_accnt_pwnage/
https://www.ipa.go.jp/security/keihatsu/munekyun-pw/slideshow/index.html
"Hey… my password… I wonder what was wrong with it." (slide from the IPA awareness slideshow linked above)
WHAT SHOULD WE DO?
• Developers/Engineers
• Securing your authentication infrastructure
• Users
• Use strong passwords and manage them
• Researchers
• Do what you want UNDER THE LAW
SECURING YOUR AUTHENTICATION INFRASTRUCTURE
For Developers/Engineers
USING HTTPS
• Plain HTTP is insecure
• Anyone who can capture the traffic reads the password in plaintext
• Deliver both the login form and the endpoint it posts to only over HTTPS with a valid certificate
• A form served over plain HTTP can be rewritten in transit to post somewhere else, even if its action URL is https
• Basic auth over HTTPS is acceptable
• If plain HTTP is unavoidable, Digest auth at least keeps the password itself off the wire, but it is MD5-based and protects nothing else on the connection; it is not a substitute for HTTPS
MONITORING LOGIN FAILURE
• Check authentication logs (e.g. sshd "Failed password" lines, web application login failures)
• Restrict the maximum count of failures per source address and per account (throttle or lock out)
• Fail2ban: http://www.fail2ban.org/
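The following is an added example (not code from the original slides) of the detection logic the slide above describes: parse sshd authentication logs, count failures per source address inside a sliding time window, and report the addresses that exceed a threshold, the way Fail2ban's maxretry/findtime settings do. The log lines are constructed to mimic OpenSSH's "Failed password" messages, the year is assumed (syslog timestamps carry none), and the 5-failures-in-600-seconds defaults are this example's own choice.

```python
"""Fail2ban-style detection over sshd authentication log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in OpenSSH's format (not real honeypot data).
SAMPLE_LOG = """\
Jun 30 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun 30 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun 30 10:00:04 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Jun 30 10:00:06 host sshd[1004]: Failed password for invalid user ubuntu from 203.0.113.5 port 40004 ssh2
Jun 30 10:00:07 host sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jun 30 10:00:09 host sshd[1006]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jun 30 10:00:10 host sshd[1007]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
Jun 30 10:30:00 host sshd[1008]: Failed password for invalid user oracle from 192.0.2.9 port 60001 ssh2
Jun 30 11:30:00 host sshd[1009]: Failed password for invalid user oracle from 192.0.2.9 port 60002 ssh2
Jun 30 12:30:00 host sshd[1010]: Failed password for invalid user oracle from 192.0.2.9 port 60003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2016):
    """Yield (timestamp, username, source_ip) for every failed-password line.

    syslog timestamps carry no year, so the caller supplies it (assumed 2016 here).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def offenders(log_text, maxretry=5, findtime=600):
    """Sorted IPs that produced >= maxretry failures inside any findtime-second window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    banned = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0                       # sliding window over the sorted timestamps
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)


def targeted_accounts(log_text):
    """Which usernames are being hammered (root and username==password accounts dominate)."""
    return Counter(user for _ts, user, _ip in parse_failures(log_text))


if __name__ == "__main__":
    print("ban:", offenders(SAMPLE_LOG))
    print("top accounts:", targeted_accounts(SAMPLE_LOG).most_common(3))
```

With the defaults, only 203.0.113.5 (five failures in six seconds) is flagged; 192.0.2.9 spreads its three attempts an hour apart and slips under a 600-second window, which is exactly the slow-and-low pattern a longer findtime or per-account counting is needed to catch.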
PASSWORD HASHING
• Never store plaintext passwords; store a salted, deliberately slow hash
• glibc's crypt(3) supports salted SHA-256/512 ($5$ / $6$ prefixes, with a configurable rounds= parameter)
• crypt.crypt (Python), String#crypt (Ruby), crypt (PHP)
• Key Derivation Functions (KDF) are recommended
• Deliberately slow to compute, with a work factor you can raise as hardware gets faster
• hashlib.pbkdf2_hmac (Python, PBKDF2), OpenSSL::PKCS5 (Ruby, PBKDF2), password_hash (PHP, bcrypt)
• scrypt: http://www.tarsnap.com/scrypt.html
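As an added example (not code from the original slides), here is the storage pattern the slide above is pointing at, using only the Python standard library: a random per-password salt, PBKDF2-HMAC-SHA256 with a tunable iteration count, a self-describing record so the work factor can be raised later, and a constant-time comparison on verification. The record format "pbkdf2_sha256$<iterations>$<salt>$<hash>" and the 600,000-iteration default are this example's own choices, not anything the slides prescribe.

```python
"""Salted, slow password storage with PBKDF2-HMAC-SHA256 (added example)."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000     # assumed current policy; records below it are rehashed on next login
SALT_BYTES = 16
DKLEN = 32


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # unique random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute with the stored salt and iterations, then compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        if iterations < 1:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, TypeError):
        return False                           # a malformed record never verifies
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                             dklen=len(expected))
    return hmac.compare_digest(dk, expected)   # no early exit on the first differing byte


def needs_rehash(record, iterations=ITERATIONS):
    """True when a record was made under a weaker policy; rehash after a successful login."""
    parts = record.split("$")
    return (len(parts) != 4 or parts[0] != ALGORITHM
            or not parts[1].isdigit() or int(parts[1]) < iterations)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("Tr0ub4dor&3", rec))
```

Two records for the same password differ because the salt differs, so an attacker cannot precompute one table for the whole user database; needs_rehash is what lets you raise ITERATIONS later without a forced password reset, since the old record still verifies and is replaced the next time the user logs in.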
IDENTITY AND ACCESS MANAGEMENT (IAM)
• If you need a directory service for your own users,
→ Active Directory/LDAP
• If you need to access users' data on Twitter, Facebook etc. (delegated authorization),
→ OAuth 2.0
• If the systems are many and varied and you need single sign-on across them,
→ SAML/OpenID Connect
• Cloud solution: Identity as a Service (IDaaS)
EXTRA: TWO-FACTOR AUTHENTICATION (2FA)
• Combine the password with a card
• One-time code table (random number table), smart card
• Combine the password with a device implementing a one-time password (OTP) algorithm
• Mobile app (e.g. Google Authenticator), USB token (e.g. YubiKey)
• HOTP (RFC 4226, counter-based), TOTP (RFC 6238, time-based)
• Combine the password with biometric recognition
• Fingerprint, finger vein, iris etc.
USING STRONG PASSWORDS AND MANAGING THEM
For Users
TYPE OF ATTACKS
• Indiscriminate
• Attacking web services/servers at large; any account will do
• e.g. social networking services (SNS), forums, e-commerce (EC) sites, SSH servers
• Targeted
• Attacking a specific person
• e.g. celebrities, VIPs, neighbors
ATTACK METHODS
• Brute force (including mask/hybrid attacks: a fixed part plus a pattern)
• Hanako0101, Hanako0102, …, Hanako1231
• Dictionary
• 123456, P@ssw0rd, letmein, qwerty, football, welcome, …
• https://wiki.skullsecurity.org/Passwords
• Default credential
• admin/admin, ubuntu/ubuntu, pi/raspberry, PlcmSpIp/PlcmSpIp, …
• https://github.com/danielmiessler/SecLists/blob/master/Passwords/default-passwords.csv
• Breached credential (credential stuffing)
• Your password leaked from LinkedIn is replayed against Twitter, Facebook, iCloud, …
• https://haveibeenpwned.com/
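The mask attack in the first bullet is worth seeing in code. The following is an added example (not from the original slides): it enumerates the "Hanako" + MMDD pattern for one year, runs a hybrid attack (a small wordlist of names times that mask), and checks candidates against an unsalted fast hash. The target hash is constructed here from a made-up password, and the name list is invented; the point is that the whole keyspace is a few hundred candidates.

```python
"""Mask and hybrid attack against a name+birthday password (added example)."""
import calendar
import hashlib


def mmdd_candidates(prefix, year=2016):
    """Yield prefix + MMDD for every valid calendar date of `year` (366 in a leap year)."""
    for month in range(1, 13):
        _, days = calendar.monthrange(year, month)
        for day in range(1, days + 1):
            yield f"{prefix}{month:02d}{day:02d}"


def hybrid_candidates(words, suffix_gen):
    """Hybrid attack: every wordlist entry combined with every value of a mask suffix."""
    for word in words:
        yield from suffix_gen(word)


def crack(target_hex, candidates, digest="sha256"):
    """Return (password, attempts) on a hit, or (None, attempts) once the space is exhausted."""
    attempts = 0
    for pw in candidates:
        attempts += 1
        if hashlib.new(digest, pw.encode("utf-8")).hexdigest() == target_hex:
            return pw, attempts
    return None, attempts


# Constructed target: unsalted SHA-256 of a "first name + birthday" password.
TARGET = hashlib.sha256(b"Hanako0630").hexdigest()
NAMES = ["Taro", "Hanako", "Yuki"]          # constructed mini wordlist


if __name__ == "__main__":
    print(crack(TARGET, mmdd_candidates("Hanako")))
    print(crack(TARGET, hybrid_candidates(NAMES, mmdd_candidates)))
```

Note that the salt and KDF from the developer section do not change the number of candidates; they only raise the cost of each one, so a 366-candidate rule is lost either way. Only the user's choice of rule fixes this.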
Countermeasure for each attack method above:
• Brute force → don't use predictable rules
• Dictionary → use unique passwords (ones that appear in no wordlist)
• Default credential → change default passwords
• Breached credential → use a different password for every service
HOW TO MAKE STRONG PASSWORDS?
• http://windows.microsoft.com/en-US/windows-vista/tips-for-creating-a-strong-password
• Is at least 8 characters long.
• Does not contain your user name, real name, or company name.
• Does not contain a complete word.
• Is significantly different from previous passwords.
• Contains characters from each of uppercase/lowercase/numbers/symbols
USING MULTIPLE WORDS
• xkcd: Password Strength
• https://xkcd.com/936/
• In my opinion, it is better to use non-English words (e.g. Japanese)
EXAMPLE (DON’T USE THIS)
AzunyanPeropero¥300!?
ANTI-PATTERN: USING REAL SECRETS
• Actually, Azunyan is not my favorite character.
• Your real favorite items/celebrities/characters/phrases are predictable to anyone who knows you.
• i.e. weak against targeted attacks
• Choose a password that stays safe even if others see it.
• Systems may handle your passwords insecurely (e.g. store or log them in plaintext).
RISK ASSESSMENT
• Classify services
• Bank / Public services / SNS / Business / One-shot
• Very important / Important / Moderate / Less important
• Use different passwords for different classes
• Adding a per-service prefix/suffix is a partial mitigation against breached-credential attacks: bulk credential stuffing replays the leaked pair unchanged, but a human who reads the leaked password can guess the pattern
• TAzunyanPeropero¥300!?, FAzunyanPeropero¥300!?, …
• Of course, the best is using completely different passwords
OTHER TOPICS
• Two-factor authentication
• Use it wherever it is available.
• Password manager
• Use one if you want to.
• Periodic password change
• Only if you are forced to.
• Nobody can make it perfect. Do what you can, weighing cost against benefit.
SOME FACTS
For Researchers
HASH CRACKING USING GPU
• oclHashcat benchmark
• http://inaz2.hatenablog.com/entry/2016/05/20/011353
• https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40

Benchmark results (hashes/sec):
Algorithm              Amazon EC2 g2.2xlarge    NVIDIA GTX 1080
MD5                            2,631,100,000     24,943,100,000
SHA-1                            697,000,000      8,538,100,000
SHA-256                          286,600,000      2,865,200,000
PBKDF2-HMAC-SHA256                   114,800          1,173,100
scrypt                                25,092            435,100
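What the table above means for a given password policy is easiest to see with a small calculator. This is an added example (not code from the original slides): it parses a hashcat-style mask into a keyspace size and divides by the GTX 1080 rates from the table. The charset sizes are hashcat's built-in ?l ?u ?d ?s ?a; the masks used below are this example's own.

```python
"""Keyspace and time-to-exhaust for hashcat-style masks at the benchmark rates above (added example)."""

CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}   # hashcat built-in charset sizes

RATES = {   # hashes per second, GTX 1080 column of the table on this slide
    "MD5": 24_943_100_000,
    "SHA-1": 8_538_100_000,
    "SHA-256": 2_865_200_000,
    "PBKDF2-HMAC-SHA256": 1_173_100,
    "scrypt": 435_100,
}


def mask_keyspace(mask):
    """Candidates for a mask such as '?u?l?l?l?l?d?d?d'; literal characters (and '??') count as 1."""
    size, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            token = mask[i + 1]
            if token != "?":
                size *= CHARSETS[token]     # KeyError on an unknown charset is intentional
            i += 2
        else:
            i += 1
    return size


def seconds_to_exhaust(mask, algorithm, rates=RATES):
    """Worst-case time to try every candidate of `mask` on one GPU."""
    return mask_keyspace(mask) / rates[algorithm]


def human(seconds):
    """Render seconds as the largest convenient unit."""
    for unit, span in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("min", 60)):
        if seconds >= span:
            return f"{seconds / span:.1f} {unit}"
    return f"{seconds:.3f} s"


def report(mask, rates=RATES):
    """{algorithm: seconds} for one mask, making the fast-hash vs KDF gap concrete."""
    return {alg: seconds_to_exhaust(mask, alg, rates) for alg in rates}


if __name__ == "__main__":
    for mask in ("Hanako?d?d?d?d", "?u?l?l?l?l?d?d?d", "?a?a?a?a?a?a?a?a"):
        print(mask, mask_keyspace(mask))
        for alg, secs in report(mask).items():
            print(f"  {alg:<20} {human(secs)}")
```

An eight-character "Capital, four lowercase, three digits" mask falls in under a second against MD5 and in a few hours against scrypt on the same card; eight arbitrary printable characters takes days against MD5 but centuries against scrypt. The KDF buys the defender a factor of roughly 57,000 on this hardware, which is why the hashing slide matters even when users pick mediocre passwords.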
OBSERVING SSH ATTACKS
• Login attempts observed on my SSH honeypot (58,000 records)
• Most attempts were against the root account
• One specific IP address tried 4,800 different passwords
• Some attackers tried "joe" accounts (password identical to the username)
• admin/admin, guest/guest, ubuntu/ubuntu, oracle/oracle, postgres/postgres, wordpress/wordpress, steam/steam etc.
RECAP
• Passwords play an essential role in authentication schemes
• Developers/engineers should secure their authentication infrastructure
• HTTPS, log monitoring, password hashing, IAM, two-factor auth
• Users should use strong passwords and manage them properly
• Don't use passwords like "hanako0630"
• Change default passwords
REFERENCES
• Password strength - Wikipedia
• https://en.wikipedia.org/wiki/Password_strength
• "Chokotto Plus Password" (チョコっとプラスパスワード) - IPA (Information-technology Promotion Agency, Japan)
• http://www.ipa.go.jp/chocotto/pw.html
• Password Guidance - Microsoft Research
• https://www.microsoft.com/en-us/research/publication/password-guidance/
• Password guidance: simplifying your approach - GOV.UK
• https://www.gov.uk/government/publications/password-policy-simplifying-your-approach
THANK YOU!
inaz2