Hunter2: A Symphony of Password Horror

Video in TIB AV-Portal: Hunter2: A Symphony of Password Horror

Formal Metadata

CC Attribution - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

The year is 2017. We have hoverboards, jetpacks, solar-powered cars, and also so many awful passwords that it’s become trivial for pretty much anyone to have their accounts compromised. We’ve got passwords for our passwords. Eight-year-olds with a dictionary and a set of dice can generate mathematically stronger passwords than most corporations that have your credit card details. We spend our days wandering through endless forests of requirements to come up with something that contains no more than twelve letters, a special character, the eye of a newt, and at least one uppercase letter, only to be emailed it back in plaintext if you forget it. And then it goes on a Post-It note on a monitor. Do not despair - this talk is here to help! From beginners to experts, all technical folk have the power to build a post-password future. Lilly, an engineer and historian, will guide you through the history of how we got ourselves into this state, and explain why major companies still think that the best way to keep your stuff secure is to poke their heads out of the tree-house and ask you for the secret word. She will then hand you strong technical tools to help your clients and colleagues understand why there are better things out there than “Welcome1!”, and help you work together to bring a small ray of sunshine into our password-saturated world.
OK, thank you very much for coming along. I'm Lilly, and what I'm about to share with you is a horror story about passwords.
Alright. As I said, this is a horror story about passwords, and drawing on good horror stories, I'm using images here from the 1922 movie Nosferatu, which was the first vampire movie ever made. I'm using these because, firstly, like vampires, the story of passwords is life-draining and keeps me awake at night in terror, and secondly because most password policies are about as well written as Twilight. I'll be mentioning a few Django-specific packages in this talk, as well as other blog posts and news articles and things like that, so save yourself taking pictures of anything that you want to look up later while I'm talking: I've collected all of my research and everything I've mentioned in this talk, and everything I'm going to mention, and put it at this link on my website. I'll show this link again at the end of the talk, so don't panic.

If you follow tech news, you'll hear every day about databases of username and password combinations being dumped out on the public internet, and these reports usually come with heavy use of the word "cyber" and maybe a picture of someone in a hoodie, or a screen with lots of zeros and ones, maybe with the word "password" in it somewhere, because the cyber is very scary. If you've been using the internet for a while, you know that passwords kind of suck, and if you've been working on software for a while, you know that they really suck. We all take the presence of passwords for granted. You get an email account: that's a password. You get hired for a new job and you need to get in: that's another password. You sign up for Netflix and that's yet another password, and probably a shared password, because you share that account with everyone in the household, and you might put that on the fridge next to the Wi-Fi password.

We all know that the most common passwords are still "password" and "123456", and we know that most people use the same password for multiple accounts because it's easier to remember that way, and we know that a non-zero number of people put their password on a Post-it note on their monitor so that they can remember it. And despite all of the interesting and glamorous software hacks that make the news, password database leaks are still the most common way to, quote unquote, get hacked. Restrictive password policies mean that people make awful password choices, and they repeat those awful choices. The choices we make as software developers about how we store these passwords contribute to a lot of this information being leaked online, and the fact that many services still have passwords as their only form of authentication contributes to passwords being a single point of failure. Despite being pretty basic in some ways, all of these things are really important, and how we got ourselves into this password mess is important.

I want to tell you about how we got to this point for two reasons. Firstly, in addition to being a person who does things with code, I am also a historian, which is a story for another time, and I'm interested in why we got to where we are and, more importantly, why we still keep doing this to ourselves. The second and probably more urgent reason to tell you about passwords is that I'm bored of hearing about them all the time. Passwords are pretty bad technology, with several different bad implementations, and I would rather be doing something more exciting with my time than running around cleaning up the mess left by passwords. The reason I want to tell you folks about this is that you are the ones who can really do something about it. We are the ones writing them and testing them; we are the system administrators; sometimes we're consultants, sometimes we work in-house, and sometimes we're the ones who get called up by our families to help them install antivirus and back up their photographs. We are the ones who have the influence and the ability to do something about this. So if you're as tired as I am of hearing about passwords being leaked and accounts being compromised, I really implore you to join me and help fix this for everybody. So here is a horrible story of awful passwords, followed by a list of five ways that we can stop doing this to ourselves over and over and over again, because we deserve nice things.
Once upon a time there was a password, and that password was "Open Sesame", and it protected a cave where a bunch of thieves were hiding the treasure that they'd stolen. There was no two-factor authentication on this cave. One day a guy called Ali Baba was in the neighbourhood, and he saw all the thieves saying "Open Sesame" and getting into the magic cave. So he exploited this by waiting until they had left, walking up to the cave, saying "Open Sesame", getting in and having a look around, and he took a bag of coins that the thieves had stolen, left the cave, and bought a cool new house. The thieves came after him to kill him and to get back what he'd stolen, and after a protracted and dramatic series of events, Ali Baba managed to kill all of the thieves until he was the only one who knew the password to this magic cave, which is really how it should have been kept from the start. So that story, which normally goes by the name of Ali Baba and the Forty Thieves, is allegedly thousands of years old; it is at least 300 years old, which is still pretty old.

Here's another one that's less old than that, but still slightly older than the internet. Once upon a time, in about the coldest part of the Cold War, there was a president of America, and this president decided that the United States' stockpile of nuclear weapons probably needed some kind of controls so that they didn't get set off by accident or by just anyone, because that would probably be bad.
So the president asked the Secretary of Defense to make that happen, and the Secretary of Defense made it mandatory for there to be a passcode lock on the big red button that could make the world explode, so that it would have to be communicated to people deliberately before they were really sure that they wanted all the fallout from that. The guy who was in charge of Strategic Air Command thought that this was a ridiculous system, because it got in the way of making it easy to push the big red button, and also passcodes are annoying to remember, so he changed all the passcodes on all the copies of the big red button to a string of eight zeros. And this is why I am pretty sure we're all living in some kind of alternate splinter universe, because by some miracle we didn't all die.

And because the world survived to make more bad password decisions, here's one more story for you. Once upon a time there was a guy called Alan who was a PhD student at MIT, and MIT had a computer, and much like my childhood there was only one of them, and it was in very high demand because everybody wanted to use it, presumably a lot like my childhood because they all wanted to play RollerCoaster Tycoon. So MIT decided what most parents decide, which is to share nicely, and so they divided up computer time among the MIT researchers into several-hour blocks, and to stop people taking over other people's blocks of time they put a time-lock system on the computer, which meant that at the end of your allocated time you'd be locked out and then the next person could come in. Alan had been given four hours a week on this computer, which was actually pretty good at that point in time, but not good enough for the research that Alan was doing, in Alan's opinion. So he had a look around on the computer and he discovered the file that held all the usernames and passwords. This file was called "passwords" and was in plain text, because this was the first time that anybody had ever thought to put passwords on a computer, and he clearly hadn't heard the story of Ali Baba and the Forty Thieves. So Alan printed out this file, and then whenever he ran out of his four hours he would just log out and log in as somebody else, and he also dumped this data for all of the other PhD students at MIT to use, because he was nice and also because if everyone was doing it, it would be hard to pin it on him. Alan got away with it, and people still get away with this tactic.

An ancient Greek warfare strategist once said that a good password should be easy to remember. The login system for my bank once said that any password should be between 8 and 16 characters and contain at least one upper-case and one lower-case letter, a number and one special character, as long as that special character is something like an actual dollar sign and not something weird, or something that might break the database, like a semicolon, and passwords which used fancy accented characters or emoji were very bad passwords and would be sent to bed without dessert, or the ability to pay your bills. I use the past tense there because when I read this, I switched banks.

The point of telling you all of these stories is that we never really "got" to this point with regard to passwords; we have always been exactly where we are. We just made passwords more and more mandatory to get anything done, when they were already kind of a giant pain in the butt, and security is also something that most people don't think about at all. And they lived happily ever after? They aren't, because this whole situation is kind of awful. But we know that we can do better. We enable multi-factor authentication on all our accounts, we use a password manager, we generate long passwords, and we know that really it's the length of the password combined with unpredictability, like a bunch of random words, that makes the password harder to crack, rather than a short non-dictionary word with special characters. But not everybody knows that, and it's everybody else who builds and uses the internet the majority of the time, not just the people in this room. So if we want to get it right for us, we have to make it right for them too. So here are some recommendations: five simple things that we can do as technical people to make this ever so slightly better.

Firstly, salt and hash the passwords that your system stores. I know that this particular point is brought out in most talks about passwords, but the reason I'm bringing it up again is that a scary number of websites and services still don't do this. If you're working on a system that doesn't do this, please make it do this, and for those of you who are unsure how to do this, here is a quick overview. Here is an average password. Someone uses this password for an account on your system, so your system needs to remember it. However, we don't want to store it in plain text, because if we do that then the PhD student Alans of the world will do whatever they've been doing since the 1960s. So we need to add some salt. Salt in this case means a random string that you append to a password before you store it in a system, which should ideally be a little bit long, and it should also be unique, meaning that you don't use the same salt on all passwords within a system, and maybe keep it to yourself; don't publish this anywhere. Particularly important:
then, before you store it, you run the password and the salt together through a hashing algorithm, take the output of that algorithm, maybe run it again a few times, take the output of that, and then store that in your database. This example uses SHA-256 with only one round of hashing. I know that people have lots of opinions about which hashing algorithms are the best, but there are two overall don'ts regardless of which one you use. Firstly, please don't try to write your own hashing algorithm; the canonical ones are very good and were written by people with mathematics PhDs. Secondly, please don't use SHA-1 as your hashing algorithm, because even though it was developed by people with mathematics PhDs, it's a pretty old algorithm and insecure by today's standards. So if you hash and salt all of your passwords, then even if your password database gets leaked, it will be really difficult for an attacker to reverse that password, because they won't be able to guess the password that produced the hash by itself; they will also have to guess the salt that you used for each password and how many times you ran it around, which makes the task approximately infinity times more difficult. And look, I mean, at the very, very least, please don't let your clients store their passwords in plain text.

The good news is that if you are wondering how to do this and you use Django, which I suspect some of you might, Django does this by default. Instead of having to bring all this together manually, which is also usually not the best idea, Django uses PBKDF2 to take care of all the hashing and salting and does this multiple times. PBKDF2 is slow to compute, but you want this, because it also means that it takes infinity times longer for someone else to run all the possible permutations of salts and hashes. So even if your database is leaked, your users should still be reasonably well protected. If you don't use the Django default, you can also use other hashers such as bcrypt by changing the PASSWORD_HASHERS setting, and in my resources I've honestly, literally just added a link to the docs, because the docs are really good and if I explained more I would just be reading them to you.

Another thing you can do in a Django project to help with passwords is to implement a lockout on the number of password attempts that people have when they're trying to log in, so if someone does try to log in maliciously, they only have so many tries before they're locked out, and you're not flooding your service with failed requests. django-axes has you covered there. According to their docs, they're called axes partly because "axes" sounds like "access", and also because an axe is a thing that you can use to hack stuff, and it would prevent hacking. And while we're here, make sure your service uses HTTPS when you have a login, because there's no point doing all this fancy hashing and salting and stuff if the password gets sent to you in plain text the first time.

Secondly, implement multi-factor authentication on every system that you work on that you can; passwords alone are not enough any more. Multi-factor authentication means that we need a password, AKA something we know, and another piece of information, AKA something that we have, before we can let you into your account. Universal Second Factor, or U2F, is probably, in my opinion, the best second factor implementation out there, so if you can implement support for it, please do. U2F, for those who haven't had a chance to work with it yet, requires a physical key, like a YubiKey, that speaks directly to your browser and uses public key cryptography to uniquely identify you when you try to log into your account. It also requires you to touch the key pad once, much like a banana, to prove that there's a live human at the other end, which means that robots can't just try and run this over and over again; you actually need that capacitive touch. There's also a huge amount of ridiculously cool stuff going on under the hood, so if you want to learn more, there's a link to the U2F white papers in my notes, or come and find me afterwards, because I really enjoy talking about U2F. OK, yes, it's a physical key; I know this is annoying, but it can be used across a bunch of different sites without reusing credentials, which is a lot unlike those dongles that you used to have to have just for one site. U2F is also an open-source protocol, which means that anyone should be able to pick it up and support it. Facebook does this, and so does Fastmail, so get to it.

There are a couple of other software token ways to do multi-factor authentication, but the most common is TOTP, which is a time-based one-time password. It generates a one-time password, would you believe, that is usually 6 digits long and is based on a shared secret key and the current time, and these temporary passwords usually don't live very long, between about 30 seconds and 5 minutes depending on context. You can deliver this token to the user in a number of ways: some people like to write their own apps that will generate the token, some people will use a third-party app like Authenticator, and a lot of services send these sorts of tokens by SMS, but I would not recommend doing that, because it's trivially easy for a dedicated attacker to clone a SIM or get hold of your SMS in some other way, since it's unencrypted, if they really want to. SMS as a second-factor delivery method has been deprecated by many people in lots of places, and in some instances officially, so avoid this mess if you can. But multi-factor authentication is really easy, which is great. Saltzman gave a great talk at DjangoCon Australia last year, which there's also a link to in my notes, about how to implement two-factor authentication in Django, so instead of repeating the whole talk I've added the link and you can go and look that up. But the TL;DR is that the django-two-factor-auth package contains everything you need to implement U2F, TOTP and other things in Django, so go and check that out.

OK, thirdly, make more than one multi-factor authentication method available for people who want to use it. U2F and a one-time password plus the password itself make things even harder for your account to be broken into by somebody else. Not all services support multiple second factors, and I can understand how turning that on by default for many people would be kind of annoying, but on the other hand I'm the kind of systems administrator who would really like this kind of option to be available to users like me. There have been many headlines over the last few years about how this or that technology is going to be the password killer, but honestly I think that what's going to kill it is a combination of different factors which correspond to a thing you know and a thing you have, and that's the way it's going to be eventually. This means that one of these things doesn't necessarily need to be a traditional password; it could be a pattern, a sequence, or something else that you know. And as an aside, because I don't have time to cover absolutely everything about authentication, supporting SAML, OAuth and other federated login systems is also a really good idea. In my notes I've added a link to a PyCon Australia talk on federated identity which was given this year; it's really good, and he goes into all these technologies, and it's from last week, so it's pretty current. But please remember, even if you turn on all of the MFA, breaking into these accounts is still not impossible. Nothing is ever 100% secure. That said, implementing this stuff does make it a whole lot harder for users to have their accounts compromised by the average attacker.

Fourthly, help clients write their password policies. Good password policies will get rid of the special character requirements in favour of a mandatory minimum password length and a randomness check. Strictly speaking, the best passwords are long and hard to predict; it doesn't matter what kinds of special characters and numbers they have. I usually see mandatory maximum lengths of 16, sometimes 20 characters, and I encourage you, if you can, to ditch these entirely. Longer is usually stronger, and a mandatory minimum length is the best way to get people to generate strong ones. And tell your clients about Diceware passphrases, by which I mean passwords made up of four or more random words, which are easy for humans to remember in a sequence but hard for computers to guess. Here is an example of one that I generated last week. This is a 40-character passphrase; it's not a predictable sentence, not a quote from Shakespeare or something like that, but it is definitely something that I could memorise if I really had to. Please make sure your password policy supports passphrases that look like this one, and doesn't reject it as weak because there are no symbols or numbers in it. Some password managers will generate passphrases that look like this, but if you don't have that option and you need to come up with one yourself, I like to think of something that was on the shelf in my bedroom when I was a kid, and a sequence of things in the order that I remember them. Other people suggest making up stories about the sequence of words to help you remember them; all these sorts of things work. Pretty much anything that is a sequence that only you can think of, or if you can get it generated by a machine, is probably the best thing to do. But good password policies are meaningless if you don't bring your users along for the ride, and using Diceware passwords is also pretty meaningless if you don't use a password manager to recall them, because even though they're long and easier for humans to remember, they're still really annoying, and we still have so many accounts in our day-to-day lives that people will fall into the trap of just repeating them over and over again, and someone's unhashed, unsalted database will get leaked, it's inevitable, and the password will become public.

So here's point 4a, which is education. For any of this to be really effective, you need to educate people about what passwords are and tell them about password managers, and by this I don't mean just your users specifically, but also your friends and family, because bad password practice goes way outside the scope of your work projects. This is a long-term, real-life meatspace effort, but please give people subscriptions to password managers, keep asking them about their passwords, and teach people how to use password managers so that we can write password policies that generate strong passwords. I think of password managers as kind of a band-aid on the whole problem with passwords, really, and the fact that we have way too many passwords to deal with on a day-to-day basis, but as the name suggests, they do make passwords easier to manage; long strings like the ones I'm recommending are not so easy to handle without them. LastPass, 1Password, KeePass and Dashlane are just some of them; all of them have their strengths and weaknesses, but using any one of them is better than using none. So get out there and start showing people how to use them. Back within the scope of your work projects, a quick and easy way to educate your users about strong passwords is to give them automatic client-side feedback on the passwords that they give you when they're signing up for an account or when they're changing a password. Dropbox came up with a really great tool called zxcvbn which gives instant feedback to your users on the strength of the passwords that they try to give you. It determines strength based on how long the string would take to break in terms of time, rather than what kinds of upper-case letters and lower-case letters and symbols it uses, and it also contains a really good dictionary of common words and weak passwords to help people avoid those, and it's been ported to Python and other languages, so go and try that out.

Fifthly, rethink the idea of working on systems that use biometrics as the only form of authentication. This is the medium-length form of a particular rant of mine, but the basic thrust of it is that if your password gets compromised you can change it; if your fingerprints get compromised, it is very hard to grow new ones. And when I say compromised, biometrics can be compromised in many more ways than a straight-up password can. Passwords get leaked in databases or dumped on Post-it notes, and we keep coming up with new ways to steal and fake biometric information all the time. Late last year Adobe released a new piece of software called VoCo which can generate samples of a human voice after being fed about 20 minutes of speaking data. Now, I'm someone who narrates audiobooks in my spare time, so I really appreciate the idea of not needing to be called back to the studio to do an extra 10 minutes of recording, but I am also someone who works very closely with authentication software, and I can see the potential for someone to get one of my recordings, a recording of this talk, feed it into VoCo and then have it say the passphrase for my phone banking account. And for anyone thinking of doing this: you would not do this with a bank or with any other service I use, so please do not try it. But if you have ever given a conference talk or appeared in a recording, be aware of what is becoming possible; don't enrol yourself in this stuff and don't build it into your systems.

And there's more good news, for a given value of good. In January, some researchers in Japan discovered that the average smartphone camera can capture detailed images of somebody's fingerprints from 3 metres away if the lighting is really good, and this means that you can get fingerprint information from any Facebook selfie with a peace sign, or you can steal the fingerprint pattern of a public figure if they were photographed close enough and weren't wearing gloves. Not unrelated, a lot of recent breakthroughs in 3D printing in medical technology mean that we are getting better at printing human skin, which is great news for a lot of people, but it also means that all of that movie-style biometric faking has got real.
But digital stealing and faking is the softer approach. In 2005 an accountant in Malaysia parted company with one of his fingertips after the people who stole his Mercedes from him at gunpoint realised that they needed his fingerprint to start it. Slightly less violently, there was the story of the 6-year-old girl in Arkansas who used her mother's fingerprint while she was asleep to unlock her device and buy about 250 dollars' worth of Pokémon toys. Biometric login looks really cool in the movies, but the movies are also where people end up with their eyeballs being removed to bypass it, and I love a lot of really cool stuff about living in the future, but I don't want to bring this part into it. So if you're working on a project that is thinking about this, see if there's something else that might fit that need instead, and if you must use biometrics, make sure that they are only one part of several factors needed to authenticate, because they're very easy to hack, both technologically and socially; 6-year-olds can do it.

So to recap: salt and hash; implement MFA, 2FA, U2F; enable more than one; write proper password policies and educate people about passwords; and say no to standalone biometrics. And here is that link again to my notes and my resources, in case you want to take a picture of it. I know that these are really, really small things, and it seems like really basic stuff, and it's not going to make the world perfect and won't make people completely unhackable, but it will make the state of things a tiny bit better than the way that it was. I would love a happy ending to the story of passwords, so please help me write one. Thank you.
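The talk's first recommendation (salt and hash, slow PBKDF2 with many rounds, never bare SHA-1), as an added Python example that is not the speaker's code or Django's; the `algorithm$iterations$salt$hash` record layout is only modelled on Django's, and `make_password`, `check_password`, `ITERATIONS` and the constructed sample passwords are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Work factor: PBKDF2 is deliberately slow, so every guess an attacker makes
# against a leaked database costs this many HMAC-SHA256 computations.
# The value is an assumption for this example, not a figure from the talk.
ITERATIONS = 310_000
SALT_BYTES = 16


def make_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[str] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    The salt is random and unique per password, so two users with the same
    password get different records and a precomputed table is useless.
    """
    if salt is None:
        salt = secrets.token_hex(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    return "pbkdf2_sha256${}${}${}".format(iterations, salt, digest.hex())


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so response timing does not leak how many bytes matched."""
    algorithm, iterations, salt, expected = stored.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), expected)


# --- The 'don't do this' baseline the talk warns against --------------------

def unsalted_sha1(password: str) -> str:
    """No salt, one round, SHA-1: identical passwords give identical hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_table_hits(stored_hashes: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Match leaked unsalted SHA-1 hashes against a tiny precomputed table,
    which is exactly why a leak of such a database is immediately fatal."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


def demo() -> dict:
    """Constructed scenario: two users who both chose the talk's weak example."""
    common = "Welcome1!"
    wordlist = ["password", "123456", "Welcome1!", "hunter2"]  # constructed

    # Unsalted SHA-1: both records are the same string and a four-word table
    # recovers the password instantly.
    leaked_sha1 = [unsalted_sha1(common), unsalted_sha1(common)]
    hits = lookup_table_hits(leaked_sha1, wordlist)

    # Salted PBKDF2: same password, two different records; the table is
    # useless because each salt forces the slow work to be redone.
    # (Iteration count lowered here only to keep the demo fast.)
    record_a = make_password(common, iterations=1000)
    record_b = make_password(common, iterations=1000)
    return {
        "sha1_identical": leaked_sha1[0] == leaked_sha1[1],
        "sha1_recovered": sorted(hits.values()),
        "pbkdf2_identical": record_a == record_b,
        "pbkdf2_verifies": check_password(common, record_a) and check_password(common, record_b),
        "pbkdf2_rejects_wrong": check_password("welcome1!", record_a),
    }
```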