Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation Secure Password Storage Verify Only Add Salt Slow Down (or) HMAC/Isolation.

Published byEmma Burford Modified over 9 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation Secure Password Storage Verify Only Add Salt Slow Down (or) HMAC/Isolation."— Presentation transcript:

1 The OWASP Foundation http://www.owasp.org Secure Password Storage Verify Only Add Salt Slow Down (or) HMAC/Isolation

2 The OWASP Foundation http://www.owasp.org

3 The OWASP Foundation http://www.owasp.org md5("password123!") = b7e283a09511d95d6eac86e39e7942c0 md5("86e39e7942c0password123!") = f3acf5189414860a9041a5e9ec1079ab http://www.md5decrypter.co.uk

4 The OWASP Foundation http://www.owasp.org 1)Do not limit the type of characters or length of user password within reason Limiting passwords to protect against injection is doomed to failure Use proper encoder and other defenses described instead Be wary of systems that allow unlimited password sizes (Django DOS Sept 2013)

5 The OWASP Foundation http://www.owasp.org 2) Use a cryptographically strong credential-specific salt protect( [salt + password] ); Use a 32char or 64char salt (actual size dependent on protection function); Do not depend on hiding, splitting, or otherwise obscuring the salt

6 The OWASP Foundation http://www.owasp.org 3a) Impose difficult verification on [only] the attacker HMAC-SHA-256 ( private key, [salt + password] ) Protect this key as any private key using best practices Store the key outside the credential store Build the password-to-HMAC conversion as a separate web-service (cryptographic isolation).

7 The OWASP Foundation http://www.owasp.org 3b) Impose difficult verification on the attacker and defender (weak/slow) PBKDF2( [salt + password], c=10,000,000 ); Use PBKDF2 when FIPS certification or enterprise support on many platforms is required SCRYPT([salt + password], work factor 10,.5 GB ram) Use SCRYPT where resisting any/all hardware accelerated attacks is necessary but enterprise support and scale is not

8 The OWASP Foundation http://www.owasp.org Password1!

9 The OWASP Foundation http://www.owasp.org Google, Facebook, PayPal, Apple, AWS, Dropbox, Twitter Blizzard's, Valve's Steam, Yahoo, Chase, RBS Bank

10 The OWASP Foundation http://www.owasp.org Forgot Password Secure Design Require identity questions  Last name, account number, email, DOB  Enforce lockout policy Ask one or more good security questions  https://www.owasp.org/index.php/Choosing_and_Using_Secur ity_Questions_Cheat_Sheet Send the user a randomly generated token via out-of-band  email, SMS or token Verify code in same web session  Enforce lockout policy Change password  Enforce password policy

Download ppt "The OWASP Foundation Secure Password Storage Verify Only Add Salt Slow Down (or) HMAC/Isolation."

Similar presentations

Cryptography and the Internet Daryl Banttari

Cryptography and the Internet Daryl Banttari
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Online Privacy A Module of the CYC Course – Personal Security 8-9-10.

Online Privacy A Module of the CYC Course – Personal Security
1 Identification Who are you? How do I know you are who you say you are?

1 Identification Who are you? How do I know you are who you say you are?
Technical Presentation AIAC 2010-2011 Group 11. System Rationale System Architecture Secure Channel Establishment Username/Password Cartão Cidadão Digital.

Technical Presentation AIAC Group 11. System Rationale System Architecture Secure Channel Establishment Username/Password Cartão Cidadão Digital.
Why Eve & Mallory Love Android

Why Eve & Mallory Love Android
OWASP Mobile Top 10 Beau Woods

OWASP Mobile Top 10 Beau Woods
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Use of a One-Way Hash without a Salt

Use of a One-Way Hash without a Salt
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
Do’s and Don’ts for web application developers

Do’s and Don’ts for web application developers
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
OWASP Principles for GIS Data Security Keeping your GIS data secure.

OWASP Principles for GIS Data Security Keeping your GIS data secure.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

Similar presentations

Ads by Google