Behind Closed Doors: Managing Passwords in a Dangerous World

Video in TIB AV-Portal: Behind Closed Doors: Managing Passwords in a Dangerous World

Formal Metadata

License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported. You are free to use, adapt, copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose, as long as the work is attributed to the author in the manner specified by the author or licensor, and the work or content, also in adapted form, is shared only under the conditions of this license.

Content Metadata
Noah Kantrowitz - Behind Closed Doors: Managing Passwords in a Dangerous World. A modern application has a lot of passwords and keys floating around: encryption keys, database passwords, and API credentials, often typed into text files and forgotten. Fortunately a new wave of tools is emerging to help manage, update, and audit these secrets. Come learn how to avoid being the next TechCrunch headline. ----- Secrets come in many forms: passwords, keys, tokens. All are crucial for the operation of an application, but each is dangerous in its own way. In the past, many of us have pasted those secrets into a text file and moved on, but in a world of config automation and ephemeral microservices these patterns are leaving our data at greater risk than ever before. New tools, products, and libraries are being released all the time to try to cope with this massive rise in threats, both new and old-but-ignored. This talk will cover the major types of secrets in a normal web application, how to model their security properties, what tools are best for each situation, and how to use them with major web frameworks.
So, a quick intro about me: I'm fairly active in the Chef and Python worlds, [...] almost everywhere except where the name was taken, and I come from the world of miscellaneous open source. The focus of this
talk is going to be infrastructure, so I'm not talking about the laptop, not about web development. If you forced me to an answer in one word for those, respectively: use 1Password, and [...]. But this talk is about the infrastructure side. So, what is a secret? In fact you could count all private information as secret, like all user data, but that gets unwieldy really quickly. So we focus on three properties that define a secret as I'm talking about it. It has to be small: you could treat everything in your database that relates to users as secrets, but that's going to be really hard to manage; we're talking about a passphrase or something that you use for encryption, so the actual secret that is part of that is very small. [Second,] when you're writing something you have a username and a password, and we differentiate which one of those is the secret by which one people are allowed to know. The password is radioactive; the user ID, which maybe is the name of a person, is something you really do want to know, but it isn't radioactive the way the password is. And the last [property] is [...], usually a secondary concern to everything else. Four types of secrets of this kind. The first are passwords. When we talk about passwords here, again we're talking about humans [and] all kinds of machine-to-machine integration, but usually when you find passwords in systems they were originally designed for humans. So for example when you log into PostgreSQL using a password, that was originally designed for a human operator, but a lot of the time these days it's a framework or something like that. So passwords are going to be very small, usually below 1K, and some sequence of ASCII. So examples look like this: a Postgres password, a proxy password, [...] passwords.
Tokens, usually, are built from the ground up understanding there's going to be server-to-server, machine-to-machine use. They also usually can't be hashed [...] into some kind of irreversible form the way a password can; storing tokens usually has to be in plaintext for them to function. So some examples include AWS credentials, OAuth refresh and access tokens. Keys are usually larger than passwords and tokens; they have structure and semantics inside the file, so they have a bit [more to them]: things like TLS keys, SSH keys, but other than that [the same theory applies].
And then finally there's the long tail of miscellaneous secrets. Some of them, like [...], kind of look like keys we can manage, [...] but mostly I'm thinking of things like the health care privacy laws in the United States and things like that, which require totally custom [handling], or PCI DSS, when you take credit card information; those all require dedicated [treatment]. They're still secrets, but we're not really going to talk about them. So we know
what types of secrets we're talking about. [Next, hot and cold secrets.] Hot secrets, or online secrets, are things used during normal operation of the infrastructure. This means that the system has to have access to, and use, that secret during normal operations without human intervention. For example, your application needs to authenticate to a database, so it needs the database password. You could have a human operator sit there and type it in every time, but you'll figure out pretty quickly that this is not going to scale. So that's an online, or hot, secret. Compare this to cold
secrets: things that we want to keep stored somewhere safe, but they can be put behind lots of walls. So for example master passwords, or [...]: things we won't need very often, and when we do it's going to be a human [doing it]. In theory this dichotomy is really clear; in practice most secrets will fall somewhere in the middle. So for example with [a new server], when you stand it up out of the box that requires human intervention to get the initial [secret] onto the box, but after that it's going to run on its own; so it starts cold and [becomes hot]. With secrets, the other part of the spectrum is around how often they change. The most traditional online secret management systems are built around the idea that once a secret is set, it usually only changes either because you had some kind of emergency, like a compromise, or because you have a [requirement], like PCI DSS, which requires you to rotate encryption keys. Rotating a secret is usually a human-initiated action, and usually not trivial enough that you want to do it very often, [...]; we've all had to sit there and [do it] plenty of times. [...] So some newer platforms are bringing in this concept of fast secrets, which change in hours and minutes instead of days, weeks or months. So for example OCSP stapling is a technique in TLS that basically regenerates [the stapled response] every 15 minutes, or Amazon EC2 [role] credentials, which rotate automatically. Each time a secret is rotated it invalidates all previous versions of that secret, usually, which means that if it had leaked but that has not been detected, [the leak is closed]. This does require close coordination between the secret consumers and the secret manager, because the consumer has to understand expiration and refresh mechanisms. [Now, the]
technical properties of secrets [management]. The principle of least access, or principle of least privilege, at least as a name, is generally attributed to Jerry Saltzer in 1974 [...], but this is mostly common sense, though so often ignored in [...]. In short, a service or tool should have access only to the secrets it requires and nothing else. [...] The second [property] is an audit trail: all of the information is recorded by the system so that when something goes wrong, and it will, you can sort out what happened. Other features are important and may make or break a specific use case, but careful analysis of these two properties should always come first. [...] So we've all done this: putting secrets in a git repository. Why is that bad? It fails both of our properties. The first: we have no access permissions; having access to the repository means access to everything in it. The second: we have no logging. Maybe we can control who cloned the repository, if you're not using GitHub, but at best we get the clone records; we have no idea who read this file, because that happens locally. So now we have a stronger feeling for what we want [...]. The next thing we have to figure out is what kinds of threats we want to protect against. Not every secret is going to be equally valuable, but whatever system or tools you use must be strong enough to withstand [attacks on] your most valuable ones. Threat modeling is an examination of where attackers are most likely to strike and what a successful compromise of each particular attack surface would bring.
So this is the nature of [the threats], and again I'm not talking about application security; that's a whole other talk, and actually there are several at this conference. We're looking specifically at points within infrastructure where an attack might have specific consequences. So first:
brute force. If you have a server that's on the internet, this has been happening for decades and shows no sign of slowing. Fortunately, because it has happened for so long, we have a lot of tools and techniques to work around it. The first is always: restrict access [...], so lock down the ports [...]. If we're going to talk about a hypothetical application cluster running in the cloud somewhere, that database server doesn't need to be on the internet; don't put it on the internet, and then there's no [brute force]. Of course [...]. And then secret rotation: if you've got a relatively complex password it could take ten years [to brute force]; if you rotate it every 15 minutes, no problem. And finally, use technology that is currently beyond brute forcing, like, say, [...] elliptic curves. However, remember that's always going to be a moving target: someone can capture traffic now and possibly [decrypt it] when the next attacks come. [...] Next: backups. We've all heard "security is not really that important in this [area]", so hopefully no one is leaving passwords all over the web, but [...] backups. There was an Instagram [...]
a couple of years ago, that was one of those [cases]: a backup file [was left accessible] and probably forgotten about, and [...]. The code is probably going to be part of that backup, because that's easy, but it also includes things like [...] the file you forgot to exclude from the backup. The best way to work around this is possibly to have your backup system understand what is in there by nature: be very careful to always [include only] the things that are necessary, but you can also [...]. Next: application attacks. As far as infrastructure goes, the whole class of directory traversal, SQL injection and all of those: from an infrastructure point of view, that means the attacker has access to what the application has legitimate access to. The best defense here is you don't give apps secrets they shouldn't have access to. The general principle is that if the app doesn't have access to the secret, no amount of [application bugs] is going to give an attacker access to it. [...] This is why I don't like the twelve-factor style tactic of storing secrets in environment variables. Even though the Twelve-Factor manifesto from Heroku says it's best practice to store these tokens in the environment, a lot of debugging tools, things like Sentry etc.,
automatically slurp up all environment variables and store them in the log. So whatever you put in there is now actually plain text in a log file on your [server]. You could do this carefully if you're very, very precise about everything, but [I'd rather not]. Next level up: code execution. Once code execution is happening, the only thing we have left is structural protection. When we talk about code execution we want to use things like [privilege separation]: so you have a key file; you can make it only readable by root; your application reads the file into memory and then drops root, so if the attacker gets code execution they still can't read that file. So also use things like namespaces, cgroups, containers, all that good stuff that limits the permissions of the runtime of the application. One other
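The failure mode above, an error reporter that captures the whole environment, shown side by side with the scrubbing such a reporter has to do if secrets live in environment variables; this is an added example, not the talk's code and not any real error tracker's implementation. The variable names, the sample environment and the redaction patterns are constructed for the example.

```python
"""Environment capture in crash reports: naive vs. scrubbed (added example)."""
import re

REDACTED = "[REDACTED]"

# Variable names that almost always hold a credential.
SECRET_NAME_RE = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.IGNORECASE
)
# Credentials embedded in connection URLs: scheme://user:password@host
URL_CRED_RE = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*://[^:/@\s]+:)(?P<pw>[^@\s]+)(?P<rest>@)",
    re.IGNORECASE,
)

# Constructed process environment for a web app that followed the
# "secrets in the environment" advice.
SAMPLE_ENV = {
    "HOME": "/srv/app",
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "DATABASE_URL": "postgres://app:s3cr3tpw@db.internal:5432/app",
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "CACHE_URL": "redis://cache.internal:6379/0",
}


def naive_crash_report(exc, env):
    """What a reporter does by default: the exception plus the raw environment."""
    return {"exception": repr(exc), "environment": dict(env)}


def scrub_environment(env, known_secrets=()):
    """Return a copy of `env` with credential-bearing values blanked out.

    Redacts by name (anything that looks like a password/token/key variable),
    by shape (user:password@ inside URLs), and by value for any secrets the
    caller already knows it is holding.
    """
    scrubbed = {}
    for name, value in env.items():
        if SECRET_NAME_RE.search(name):
            scrubbed[name] = REDACTED
            continue
        value = URL_CRED_RE.sub(
            lambda m: m.group("scheme") + REDACTED + m.group("rest"), value
        )
        for secret in known_secrets:
            if secret:
                value = value.replace(secret, REDACTED)
        scrubbed[name] = value
    return scrubbed


def scrubbed_crash_report(exc, env, known_secrets=()):
    """The same report after scrubbing; this is what should reach the log."""
    return {"exception": repr(exc), "environment": scrub_environment(env, known_secrets)}


def leaks(report, secret):
    """True if the secret appears anywhere in the serialized report."""
    return secret in repr(report)


if __name__ == "__main__":
    err = RuntimeError("connection refused")
    print("naive leaks password:", leaks(naive_crash_report(err, SAMPLE_ENV), "s3cr3tpw"))
    print("scrubbed leaks password:", leaks(scrubbed_crash_report(err, SAMPLE_ENV), "s3cr3tpw"))
```

Scrubbing by name alone misses the password inside DATABASE_URL, which is why the URL pattern and the value-based pass are both there; the value-based pass is the only one that catches a secret stored under an innocuous name, and it needs the application to tell the reporter which values those are.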
case [...] and also you've entered [...]: if the attacker gets root on the box, that's the worst-case scenario; literally all we have left is the audit trail, but if there was a [compromise] on the box, the audit trail lets you tell what secrets the box accessed, and that's useful because we want to know, in order to rotate all of those very quickly. Many people ignore this because it is unlikely, but it can happen, so be careful.
Another commonly ignored attack surface: getting access to a developer workstation, especially at a lot of smaller companies, gives you root on every server; so that's the last slide times the number of servers. Fortunately laptops are usually used by humans, so they can [hold] secrets humans are allowed to know; just don't tell anyone else, and use something like full-disk encryption, and typically this is not as much of a problem. And then finally the
higher-power attack surfaces. For a lot of people you draw the line, either voluntarily or because your regulations don't allow [going further], at the government: things like state-sponsored groups or advanced persistent threats, which is [the term used] for China, North Korea. They get increasingly difficult, and you have to ask how far you want to go, how far you can go, and what you can do to protect your systems. Let's
talk about tools, [...]. Manual files: sometimes you'll just put things into text files and applications read them without any kind of [...] protocol. Secrets [in source control]: of course we have things like [...], but we're talking about a bad solution. The next thing people reach for is "I want to encrypt my data, because encryption makes it safer." [...] There's a whole lot of tools that do git encryption of [files]. We still have no real least privilege, because again we just have [...]; and audit logs are really not [possible], because everything is distributed, so the actual file reads happen on every individual server. Also, most of them require you to explicitly model which files are encrypted; if you forget to mark a new file as being encrypted, you will commit it in plain text and never realize, and you get to experience the joys of scrubbing files from git history. Let's
talk about different types of [encryption].
Symmetric encryption: on a workstation we have a secret we want to send somewhere else safely. So we generate a random key; we use that key to encrypt; we somehow get that key to the target server; we somehow get the encrypted blob to the server; and we use that key to decrypt the blob, and we get the original secret back. The asymmetric, public-key based method: we have a secret; we generate a public/private key pair on the server; we copy the public key to our workstation, [possibly] via some service; we encrypt the blob using the public key; we copy it to the machine; and we use the private key from the key pair to decrypt it. What this means is that with a symmetric system a single key is used on every server, whereas with an asymmetric system you have a key pair per server [...]. So this is going to be [the pattern for most of] the tools [...]; [...] a protocol that, as far as I know, no person on the planet has ever implemented correctly, so I probably wouldn't try this; but if you really want to go for it, you have all the pieces in place to implement your own secret management, but it's very, very difficult [...]. Also I see a lot of people doing this, but it is incorrect: "something encrypted makes us feel warm and fuzzy." Again, this is going to be a symmetric system, so that means all of a sudden we have a key, and we're going to try to move that key around in the same way that we do all of our other secrets, and now we have just moved the [problem] as it travels all the way down. What it means is that most of the symmetric tools use one key to manage a whole bunch of secrets, and the key used to manage all the other secrets is itself a secret, so you're not really solving the problem; you're moving it down a level, and it snowballs. The asymmetric system has similar properties but takes advantage of its two-sided nature, so instead of
needing the decryption key on all of the target machines, you need it on the workstation. A little better, but still the same mental problem. [...] The closest analog is [...] in the Puppet world, and the difference is that Puppet does all the decryption on the Puppet master and not on the target servers. What that means is that the Puppet master can see all of the secrets for every machine, and we tell it to only give [them] to certain machines according to a policy. We call this a trusted third party system: that means the trusted third party, problematically, has access to everything, and we rely on its internal access controls to only give things out according to the policy. [...] Any time you're evaluating a trusted third party system, [look at] exactly what roles [it plays] [...]
[...] key pairs [...]. I had occasion to build a key distribution system for this; it's still kind of [painful]. [...] Those [keys] are generally not very well managed; you can do the rotation and the management of those [...]. So if you're going to go this far, you're going to have to write a whole bunch of tooling.
Another thing: I mentioned before trusted third party systems, and the contrast with the encryption
systems. In an encryption system, like the asymmetric system, we have a secret; we encrypt the secret; we hand the key down to only the machines that should have access; we copy the encrypted blob down. Usually this involves putting it on some kind of storage system where everybody can download it, but then only the machines that have the key can decrypt it. So what we're doing is basically doing all the access control ahead of time, based on who we sent the key to: once [a machine has the key] we can send it a lot of [secrets], but we have to do this initial work ahead of time to get the key to the machine. [Contrast that with a]
trusted third party system. We've got the third party; we send the secret to the third party system. Notice I never encrypted it: there's no encryption here. It's probably going to be using TLS between all of these things, but it's not actually encrypted [at rest]: the third party system has access to it in plain text all the time. But with access policies we say that only B and C can access this secret. So again: the third party system has access to all the secrets in effectively plain text, [anyone who compromises it] effectively can get access to all the secrets, and we just give it a policy saying who [gets what]. So,
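The trusted-third-party model reduced to its two defining properties, path-based least privilege and an audit trail of every read, allowed or denied. This is an added example, not the talk's code and not the implementation of Vault, Keywhiz or any other product; identities ("web-b", "web-c"), secret paths and values are constructed, and the glob-style policy syntax is this example's own.

```python
"""Minimal trusted-third-party secret store with policies and audit (added example)."""
import fnmatch
from dataclasses import dataclass


@dataclass
class AuditEntry:
    identity: str
    path: str
    action: str
    allowed: bool


class SecretsBroker:
    """Holds secrets in plain text and gates every access through a policy.

    Like the third party in the talk, the broker itself sees everything; what
    it adds is that each identity only gets what its policy grants, and every
    attempt is recorded.
    """

    def __init__(self):
        self._secrets = {}
        self._policies = {}  # identity -> [(path_glob, {capabilities})]
        self.audit_log = []

    def put(self, path, value):
        self._secrets[path] = value

    def grant(self, identity, path_glob, *capabilities):
        self._policies.setdefault(identity, []).append((path_glob, set(capabilities)))

    def _allowed(self, identity, path, capability):
        return any(
            fnmatch.fnmatchcase(path, glob) and capability in caps
            for glob, caps in self._policies.get(identity, [])
        )

    def read(self, identity, path):
        allowed = self._allowed(identity, path, "read")
        # Record the attempt before acting on it, so denials are visible too.
        self.audit_log.append(AuditEntry(identity, path, "read", allowed))
        if not allowed:
            raise PermissionError(f"{identity} may not read {path}")
        return self._secrets[path]

    def secrets_read_by(self, identity):
        """The post-compromise question: which secrets did this identity actually obtain?"""
        return sorted(
            {e.path for e in self.audit_log if e.identity == identity and e.action == "read" and e.allowed}
        )


def try_read(broker, identity, path):
    """Return the secret, or None when the policy denies the read."""
    try:
        return broker.read(identity, path)
    except PermissionError:
        return None


def build_demo_broker():
    """Constructed scenario: only B and C may read the database password."""
    broker = SecretsBroker()
    broker.put("secret/db/password", "hunter2")
    broker.put("secret/billing/api_key", "sk_live_constructed")
    broker.grant("web-b", "secret/db/*", "read")
    broker.grant("web-c", "secret/db/*", "read")
    broker.grant("billing-worker", "secret/billing/*", "read")
    return broker


if __name__ == "__main__":
    b = build_demo_broker()
    for who in ("web-a", "web-b", "web-c"):
        print(who, try_read(b, who, "secret/db/password"))
    print("read by web-b:", b.secrets_read_by("web-b"))
```

If the box running "web-b" is later compromised, secrets_read_by("web-b") is the list to rotate first; that is the audit-trail property doing the job the talk describes, and it only works because the denied attempts and the allowed ones are both in the same log.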
leading into [the tools]: HashiCorp's Vault is probably one of the newest things that I'll mention, but it's already making waves in the secrets world. It's a dedicated secrets management system [...] and supports all the features you'd expect: audit trails, granular ACL models, [...]. Slightly older but still very solid is Keywhiz [...]. It has a more limited data model than Vault, [...] but that also means that it's been battle-tested to a much higher degree. People tend to use it [for files]; Keywhiz doesn't do dynamic-type secrets; it does files. We can use it for passwords and tokens, but that's not really what it's for. For people on AWS, the simple starting point: a private S3 bucket and IAM policies. I've got some stuff online if you're interested in this, but this is sort of the simplest model, [if] you understand all of AWS: use IAM roles and IAM policies for controlling the stuff on S3. [...] I need to mention KMS: KMS is not in itself a secret management tool; what it offers is [...]: you generate a key; it lives inside AWS and you can send it data to be encrypted or decrypted, but [the key never leaves]. It's actually very simple; you can [use it from the command line].
Some of the tools of the world [that build on this]: Credstash is a command-line tool that uses KMS for handling the [encryption keys] [...]. Now again, remember, just like with the S3 and IAM stuff, this is all based on AWS systems; you have to be willing to be tied to AWS, but if that's not a problem [it works well]. Confidant from Lyft is another solution; in this case it uses DynamoDB for the storage and KMS [for encryption]; it has a command-line tool and an experimental web interface [...]. Going back to command-line tools: Sops is similar to Credstash but can use GPG for encryption instead; [...]. This means that the encryption is not tied to AWS, and it's battle-tested GPG, but it's also going to be a little bit difficult to work with: GPG is not well known for being user friendly, and it does have some provisions for automated key management and distribution, but not a lot of them. So if you're going to be doing large-scale distribution, GPG is [going to be painful] there.
Sops from Mozilla combines the approaches of the last few tools, so that it can support KMS or GPG, but it doesn't handle storage management; if you've got a hybrid [...]. Red October, from CloudFlare, is very, very different: it's designed from the ground up for cold secrets, so that it never [hands out] [...]; it's [meant for] people trying to use the [same secret] at the same time. So you can set up a secret as being held by [several holders], and you need a certain number of holders to coordinate to [unlock it]. For high-value stuff like master passwords this can be very useful; you could approximate [hot secrets] by just saying basically one of N can access it, but that's not really what it's meant for; mentioned for completeness. Conjur is a closed-source [...], and I mention Conjur specifically because it's the one I see most often, but this applies to all the [commercial] security products, [...] or whatever: with things like Keywhiz or Vault you can [read the source]; [with closed-source products] you have to somewhat take their word, because there's no source, and that's just the way the world works, but [...] maybe demand a little bit more of the standard there. In general, if you can't prove the security guarantees, assume them false until [proven]. And finally,
HSMs. In this context it sounds horrible, but an HSM is [a device] that exists to hold keys that cannot be extracted without disassembling it. Most modern physical servers come with a little tiny version, which is called a TPM, the Trusted Platform Module; [...] you wouldn't have the [...]. So if you want to go down this route they are enormously [expensive], but also nearly unbreakable if used properly. There are tons of them, and they vary widely; [...]. So we
keep getting around the whole problem: deep down, any secret management system needs to establish an identity relationship between the thing that wants secrets and the thing that has them. Generally, this initial trust relationship in a lot of our systems boils down to: I'm going to SSH into this machine; I've got an SSH connection, so I'm going to assume that it's [the machine I meant]. There's no real way to verify it. Some [platforms] have [...]; so for example EC2 identity documents; but in all cases you can do better than just [trusting the SSH connection], and I take as a given that you need to build this concept of identity into a secure production system. [...] You can skip secrets management altogether and just use [...]: many services directly support client certificates, and then you can skip having a password. This doesn't mean you don't have to manage the private keys; they need to be handled very carefully, [...] but [...]. Integrations: the easiest way to do this is to talk directly to one of these services from your code. So each [client library] for Vault, Keywhiz, KMS: you set up the client itself directly. Next
up is [file-based] integration, and this applies to all of them: command-line tools. You very often have a need to [put a] layer [between the tool and the application]. [...]
Keywhiz-fs is a FUSE filesystem that can act as a client for Keywhiz; [...] you use it with the actual tools, like nginx: you would tell it to load its TLS key out of the FUSE mount. The benefit of this is that it's something you don't need to modify; it all stays in memory only, never hitting disk. consul-template was originally designed for Consul, the service discovery tool, but was extended to work with Vault as well, and you use this in conjunction with your [configuration management] system if you want to run at a higher rate of change than it [supports]. So you can have your Chef run running hourly and consul-template handling refreshes at 15-minute intervals. And also, similar,
envconsul, instead of putting things into templates, sets environment variables; remember I said I don't like this because of logging and exception handlers, but it's [an option]. Summon is similar but with pluggable providers; it's maintained by Conjur, but it is open source, so it's possible to [use it with other backends], [including] commercial offerings; but again, environment variables. So to
summarize: least privilege and audit trails, whatever tool you're using; and think about your types of secrets, the attack surfaces, and what you're going to do if they're successfully attacked. And that's
it. [...] I think we don't have any time for questions, so if you have any, just come up and ask me. OK, so [...]