Protecting Passwords

Slide deck by inaz2, #ssmjp 2016/06, 2016/06/30 (30 slides)

Transcript of Protecting Passwords

Page 1: Protecting Passwords

PROTECTING PASSWORDS

inaz2

#ssmjp 2016/06

2016/06/30

Page 2: Protecting Passwords

ABOUT ME

• inaz2

• Security Engineer & Python Programmer

• Blog: ももいろテクノロジー

• http://inaz2.hatenablog.com/


Page 3: Protecting Passwords

RECENT TOPICS ON PASSWORDS

• http://d.hatena.ne.jp/Kango/20160123/1453546824


Page 4: Protecting Passwords

RECENT TOPICS ON PASSWORDS

• http://d.hatena.ne.jp/Kango/20160518/1463586755


Page 5: Protecting Passwords

RECENT TOPICS ON PASSWORDS

• http://block.fm/news/Deadmau5_SChack.html


Page 6: Protecting Passwords

RECENT TOPICS ON PASSWORDS

• http://www.theregister.co.uk/2016/06/06/facebook_zuckerberg_social_media_accnt_pwnage/


Page 7: Protecting Passwords

https://www.ipa.go.jp/security/keihatsu/munekyun-pw/slideshow/index.html


Hey…

My password…

What was wrong with it, I wonder?

Page 8: Protecting Passwords

WHAT SHOULD WE DO?

• Developers/Engineers

• Securing your authentication infrastructure

• Users

• Use strong passwords and manage them

• Researchers

• Do what you want UNDER THE LAW


Page 9: Protecting Passwords

SECURING YOUR AUTHENTICATION INFRASTRUCTURE

For Developers/Engineers


Page 10: Protecting Passwords

USING HTTPS

• HTTP is insecure

• Anyone can get plaintext passwords from captured packets

• The login form and endpoint should be delivered only via HTTPS with a valid certificate

• Basic auth over HTTPS is acceptable

• Use Digest auth if you must stay on plain HTTP


Page 11: Protecting Passwords

MONITORING LOGIN FAILURE

• Check authentication logs

• Restrict maximum count of failures

• Fail2ban: http://www.fail2ban.org/


Page 12: Protecting Passwords

PASSWORD HASHING

• Never store plaintext passwords

• glibc’s crypt(3) supports salted SHA-256/512

• crypt.crypt (Python), String#crypt (Ruby), crypt (PHP)

• Key Derivation Functions (KDF) are recommended

• deliberately slow to compute, which limits offline cracking speed

• hashlib.pbkdf2_hmac (Python, PBKDF2), OpenSSL::PKCS5 (Ruby, PBKDF2), password_hash (PHP, bcrypt)

• scrypt: http://www.tarsnap.com/scrypt.html
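The KDF approach on this slide, as an added example (not code from the slides): PBKDF2-HMAC-SHA256 through hashlib.pbkdf2_hmac with a fresh random salt per password, a constant-time verification, and a rehash-on-login check, next to the unsalted fast hash it replaces. The iteration count and the stored record format are this example's own assumptions.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. The iteration count is what makes the hash deliberately
# slow; the value here is an assumption for this example. Raise it as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32
ALGO = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: a fast, unsalted hash. Equal passwords give equal digests, so one
    precomputed table (or one GPU pass) cracks every user with that password at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$dk_hex (format assumed here)."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count from the record; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iters, salt_hex, dk_hex = parts
    try:
        salt, iterations = bytes.fromhex(salt_hex), int(iters)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                             dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record is weaker than current policy (e.g. after raising
    ITERATIONS). Call this right after a successful login, while the plaintext is known,
    and store hash_password(password) in place of the old record."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
    print(unsalted_sha256("123456") == unsalted_sha256("123456"))   # True: why salt matters
```

The record carries its own parameters, so the iteration count can be raised later without invalidating existing users: old records still verify, and needs_rehash flags them for an upgrade at their next login.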


Page 13: Protecting Passwords

IDENTITY AND ACCESS MANAGEMENT (IAM)

• If you want the directory service,

→ Active Directory/LDAP

• If you use data of Twitter, Facebook etc.,

→ OAuth 2.0

• If the systems are various and large,

→ SAML/OpenID Connect

• Cloud solution: Identification as a Service (IDaaS)


Page 14: Protecting Passwords

EXTRA: TWO-FACTOR AUTHENTICATION (2FA)

• Combine password and card

• Random number table, Smart card

• Combine password and a device implementing a One-time password (OTP) algorithm

• Mobile app (e.g. Google Authenticator), USB token (e.g. YubiKey)

• HOTP (RFC 4226), TOTP (RFC 6238)

• Combine password and biometric recognition

• Fingerprint, Finger vein, Iris etc.
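HOTP and TOTP as named above, as an added example (not the slides' code): a from-scratch implementation of RFC 4226 (HMAC-SHA1 over the counter, dynamic truncation) and RFC 6238 (counter = time / step), plus a server-side verifier that tolerates one step of clock drift and refuses to accept a time step it has already accepted. The secret shown is the RFC 4226 test-vector key; the window, step and digit counts are this example's assumptions.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from the RFC 4226 test vectors (not a real credential).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # drop the sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    Accepts the current step and +/- `window` neighbours to absorb clock drift, compares in
    constant time, and never accepts a step <= `last_used` so an observed code cannot be
    replayed inside its validity window. The caller persists the returned counter."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if c > last_used and hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, hotp(RFC4226_SECRET, c))
    now = int(time.time())
    current = totp(RFC4226_SECRET, now)
    print("TOTP now:", current)
    step_used = verify_totp(RFC4226_SECRET, current, now)
    print("accepted at step", step_used)
    print("replay accepted?", verify_totp(RFC4226_SECRET, current, now, last_used=step_used))
```

Both sides need the same shared secret and, for TOTP, clocks within one step of each other; the drift window is the trade-off between usability and the number of codes an attacker could guess per step, and the last-used counter is what turns a "one-time" password into one the server actually enforces as one-time.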


Page 15: Protecting Passwords

USING STRONG PASSWORDS AND MANAGING THEM

For Users


Page 16: Protecting Passwords

TYPE OF ATTACKS

• Indiscriminate

• Attacking web services/servers

• e.g. SNS, Forums, EC sites, SSH servers

• Targeted

• Attacking a specific person

• e.g. celebrities, VIPs, neighbors


Page 17: Protecting Passwords

ATTACK METHODS

• Brute force (including mask/hybrid)

• Hanako0101, Hanako0102, …, Hanako1231

• Dictionary

• 123456, P@ssw0rd, letmein, qwerty, football, welcome, …

• https://wiki.skullsecurity.org/Passwords

• Default Credential

• admin/admin, ubuntu/ubuntu, pi/raspberry, PlcmSpIp/PlcmSpIp, …

• https://github.com/danielmiessler/SecLists/blob/master/Passwords/default-passwords.csv

• Breached Credential

• Your breached Linkedin credential to Twitter, Facebook, iCloud, …

• https://haveibeenpwned.com/

Page 18: Protecting Passwords

ATTACK METHODS (same list, annotated with the countermeasure for each)

• Brute force (including mask/hybrid) → Don’t use predictable rules

• Dictionary → Use unique passwords

• Default Credential → Change default passwords

• Breached Credential → Use different passwords

Page 19: Protecting Passwords

HOW TO MAKE STRONG PASSWORDS?

• http://windows.microsoft.com/en-US/windows-vista/tips-for-creating-a-strong-password

• Is at least 8 characters long.

• Does not contain your user name, real name, or company name.

• Does not contain a complete word.

• Is significantly different from previous passwords.

• Contains characters from each of uppercase/lowercase/numbers/symbols
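The Microsoft rules listed above turned into a checker, as an added example (not from the slides). The word list is a constructed stand-in for a real dictionary or leaked-password list, and the edit-distance threshold used to decide "significantly different from previous passwords" is this example's own interpretation of that rule.

```python
# Constructed stand-in for a real word list; a production checker would load a dictionary
# file or a leaked-password list instead (assumption of this example, not from the slides).
COMMON_WORDS = {"password", "welcome", "football", "letmein", "qwerty", "hanako", "azunyan"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used as the yardstick for 'significantly different'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(password: str, username: str = "", real_name: str = "",
                   company: str = "", previous=(), words=COMMON_WORDS,
                   min_distance: int = 4) -> list:
    """Return the list of rule violations; an empty list means every rule passed."""
    problems = []
    pw_lower = password.lower()

    # Rule 1: at least 8 characters.
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # Rule 2: no user name, real name (any word of it) or company name inside the password.
    for label, value in (("user name", username), ("real name", real_name),
                         ("company name", company)):
        tokens = [t for t in value.lower().split() if len(t) >= 3]
        if any(t in pw_lower for t in tokens):
            problems.append(f"contains your {label}")

    # Rule 3: no complete word from the list.
    if any(w in pw_lower for w in words):
        problems.append("contains a complete dictionary word")

    # Rule 4: significantly different from previous passwords (edit distance, assumed here).
    for old in previous:
        if levenshtein(pw_lower, old.lower()) < min_distance:
            problems.append("too similar to a previous password")
            break

    # Rule 5: all four character classes present.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "symbols": any(not c.isalnum() and not c.isspace() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    print(check_password("hanako0630", username="hanako", real_name="Hanako Yamada"))
    print(check_password("Kx7#mQ2pLv!9", username="hanako", real_name="Hanako Yamada"))
    print(check_password("Kx7#mQ2pLv!8", previous=["Kx7#mQ2pLv!9"]))
```

The substring checks are deliberately case-insensitive, since "Hanako0630" is no harder to guess than "hanako0630"; the similarity rule catches the common habit of bumping one digit at each forced change.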


Page 20: Protecting Passwords

USING MULTIPLE WORDS

• xkcd: Password Strength

• https://xkcd.com/936/

• In my opinion, it is better to use non-English words (ex. Japanese)


Page 21: Protecting Passwords

EXAMPLE (DON’T USE THIS)

AzunyanPeropero¥300!?


Page 22: Protecting Passwords

ANTI-PATTERN: USING REAL SECRETS

• Actually, Azunyan is not my favorite character.

• Your real favorite items/celebrities/characters/phrases are predictable.

• i.e. weak against targeted attacks

• Choose a password that stays safe even if others see it.

• Systems may handle your passwords insecurely.


Page 23: Protecting Passwords

RISK ASSESSMENT

• Classify services

• Bank / Public Services / SNS / Business / Oneshot

• Very important / Important / Moderate / Less important

• Use different passwords for different classes

• Adding a prefix/suffix can be a mitigation for Breached Credential attacks

• TAzunyanPeropero¥300!?, FAzunyanPeropero¥300!?, …

• Of course, the best is using completely different passwords


Page 24: Protecting Passwords

OTHER TOPICS

• Two-factor authentication

• Use as far as possible.

• Password manager

• Use if you want to.

• Periodic password change

• Do it if you are forced to.

• Nobody can make it perfect. Do what you can, weighing cost against benefit.


Page 25: Protecting Passwords

SOME FACTS

For Researchers


Page 26: Protecting Passwords

HASH CRACKING USING GPU

• oclHashcat benchmark

• http://inaz2.hatenablog.com/entry/2016/05/20/011353

• https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40


Algorithm             Amazon EC2 g2.2xlarge    Nvidia GTX 1080
MD5                           2,631,100,000     24,943,100,000
SHA-1                           697,000,000      8,538,100,000
SHA-256                         286,600,000      2,865,200,000
PBKDF2-HMAC-SHA256                  114,800          1,173,100
scrypt                               25,092            435,100

(hash/sec)

Page 27: Protecting Passwords

OBSERVING SSH ATTACKS

• Observed login trials on my SSH honeypot (58000 records)

• Most of the trials were against the root account

• A specific IP address tried 4800 different passwords

• Some attackers tried "joe accounts" (user name equal to password)

• admin/admin, guest/guest, ubuntu/ubuntu, oracle/oracle, postgres/postgres, wordpress/wordpress, steam/steam etc.
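The log checks from the "Monitoring login failure" slide and the honeypot observations above, as an added example (not the slides' code): it parses constructed OpenSSH "Failed password" lines, summarises failures per source address and per account (so single-account brute force and joe-account spraying look different), and applies a fail2ban-style maxretry/findtime rule to decide which sources to block. The log lines, host name, PIDs and addresses are constructed (addresses from the RFC 5737 documentation ranges); the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed auth-log sample: one source hammering root, another spraying joe accounts,
# and one legitimate key login that the failure parser must ignore.
SAMPLE_LOG = """\
Jun 30 10:00:01 honeypot sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun 30 10:00:03 honeypot sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jun 30 10:00:05 honeypot sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun 30 10:00:07 honeypot sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun 30 10:00:09 honeypot sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jun 30 10:00:11 honeypot sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jun 30 10:05:00 honeypot sshd[2010]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Jun 30 10:20:00 honeypot sshd[2011]: Failed password for invalid user guest from 198.51.100.7 port 50002 ssh2
Jun 30 10:35:00 honeypot sshd[2012]: Failed password for invalid user oracle from 198.51.100.7 port 50003 ssh2
Jun 30 10:36:00 honeypot sshd[2013]: Accepted publickey for deploy from 192.0.2.9 port 60001 ssh2
Jun 30 10:40:00 honeypot sshd[2014]: Failed password for invalid user postgres from 198.51.100.7 port 50004 ssh2
Jun 30 10:41:00 honeypot sshd[2015]: Failed password for invalid user wordpress from 198.51.100.7 port 50005 ssh2
"""

# OpenSSH failure line as written via syslog; "invalid user" marks accounts that do not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(lines, year=2016):
    """Return (timestamp, source_ip, user) for each failed-password line. Syslog timestamps
    carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def summarize(events):
    """Counts in the shape of the honeypot slide: failures per source, per account, and the
    number of distinct accounts each source tried (1 = one account brute-forced; many = spraying)."""
    users_per_ip = defaultdict(set)
    for _, ip, user in events:
        users_per_ip[ip].add(user)
    return {
        "by_ip": Counter(ip for _, ip, _ in events),
        "by_user": Counter(user for _, _, user in events),
        "distinct_users_per_ip": {ip: len(users) for ip, users in users_per_ip.items()},
    }


def ips_to_ban(events, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: block a source once it has `maxretry` failures within any
    `findtime` window (sliding window over the sorted timestamps)."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _ in events:
        stamps_by_ip[ip].append(ts)
    banned = []
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG.splitlines())
    summary = summarize(events)
    print("top accounts:", summary["by_user"].most_common(3))
    print("distinct accounts per source:", summary["distinct_users_per_ip"])
    print("sources to block:", ips_to_ban(events))
```

With the sample, the root brute-forcer trips the 5-in-10-minutes rule while the slow spray of joe accounts does not; the per-source distinct-account count is what still makes that second pattern visible in the summary, which is the kind of signal the slides suggest reading out of authentication logs.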


Page 28: Protecting Passwords

RECAP

• Passwords play an essential role in authentication schemes

• Developers/engineers should secure their authentication infrastructure

• HTTPS, Log monitoring, Password hashing, IAM, Two-factor auth

• Users should use strong passwords and manage them properly

• Don’t use passwords like “hanako0630”

• Change default passwords


Page 29: Protecting Passwords

REFERENCES

• Password strength - Wikipedia

• https://en.wikipedia.org/wiki/Password_strength

• チョコっとプラスパスワード (“Add a little extra to your password”) | IPA (Information-technology Promotion Agency, Japan)

• http://www.ipa.go.jp/chocotto/pw.html

• Password Guidance - Microsoft Research

• https://www.microsoft.com/en-us/research/publication/password-guidance/

• Password guidance: simplifying your approach - GOV.UK

• https://www.gov.uk/government/publications/password-policy-simplifying-your-approach

Page 30: Protecting Passwords

THANK YOU!

inaz2
