The OWASP Foundation: Secure Password Storage. Verify Only, Add Salt, Slow Down (or) HMAC/Isolation



Same password with and without a prepended per-credential salt (the slide reuses the tail of the first digest as the salt, for illustration only; a real salt comes from a CSPRNG):
md5("password123!") = b7e283a09511d95d6eac86e39e7942c0
md5("86e39e7942c0password123!") = f3acf a9041a5e9ec1079ab

1) Do not limit the type of characters or the length of a user's password, within reason.
 Limiting passwords to protect against injection is doomed to failure; use a proper encoder and the other defenses described instead.
 Be wary of systems that allow unlimited password sizes (Django DoS, Sept 2013): a slow hash over a megabyte of input is a CPU-exhaustion vector, so cap the length at a generous fixed maximum rather than leaving it unbounded.

2) Use a cryptographically strong, credential-specific salt: protect([salt + password]).
 Use a 32-char or 64-char salt (the actual size depends on the protection function); generate it from a CSPRNG and never reuse it across credentials.
 Do not depend on hiding, splitting, or otherwise obscuring the salt; it is stored in the clear next to the digest, and its job is only to defeat precomputed tables and make each credential's attack independent.

3a) Impose difficult verification on [only] the attacker: HMAC-SHA-256(key, [salt + password]).
 The HMAC key is a symmetric secret; protect it as you would a private key, using best practices. Anyone holding both the key and the credential store can verify guesses at full speed, so a leak of the key degrades this scheme to a plain salted hash.
 Store the key outside the credential store.
 Build the password-to-HMAC conversion as a separate web service (cryptographic isolation), so a SQL injection or database dump never yields the key.

3b) Impose difficult verification on attacker and defender alike (slow for both).
 PBKDF2([salt + password], c = 10,000,000). Use PBKDF2 when FIPS certification or enterprise support on many platforms is required. PBKDF2 is CPU-bound over a fast hash, so GPUs and ASICs scale it well for the attacker; the iteration count must be tuned to what the login path can afford and revisited as hardware improves.
 scrypt([salt + password], work factor 10, 0.5 GB RAM). Use scrypt where resisting hardware-accelerated attacks is necessary but enterprise support and scale are not; the memory cost is what keeps GPU and ASIC attackers from parallelising cheaply.
 Whichever function is chosen, a high work factor multiplies the DoS concern from slide 1: bound the input length and rate-limit login attempts.
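The following is an added example that implements slides 1 to 3b end to end in Python; it is not code from the OWASP presentation. The slides present HMAC isolation (3a) and stretching (3b) as alternatives, and chaining both, as done here, is the editor's choice. Everything not on the slides is an assumption: the 4096-byte length cap, the PBKDF2 iteration count, the storage string format, and the environment variable the HMAC key is read from (standing in for a KMS or a separate HMAC service).

```python
"""Salted, stretched, HMAC-isolated password storage (added example, not the slides' code).

Assumptions not taken from the slides: MAX_PASSWORD_BYTES, PBKDF2_ITERATIONS,
the storage string format used by encode()/decode(), and HMAC_KEY_ENV.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_PASSWORD_BYTES = 4096              # assumption: bounds CPU per attempt (cf. the Sept 2013 Django DoS)
SALT_BYTES = 32                        # slide 2: credential-specific random salt, stored in the clear
PBKDF2_ITERATIONS = 600_000            # assumption: tune so verify() costs ~100 ms on the login servers
HMAC_KEY_ENV = "PASSWORD_HMAC_KEY_HEX"  # assumption: key lives outside the credential store


@dataclass(frozen=True)
class StoredCredential:
    salt: bytes        # not secret; no attempt to hide or split it (slide 2)
    iterations: int    # stored so the work factor can be raised on a later rehash
    digest: bytes      # HMAC(key, salt || PBKDF2(password, salt))


def check_policy(password: str) -> bytes:
    """Slide 1: accept any character; reject only empty or absurdly long input."""
    raw = password.encode("utf-8")
    if not raw:
        raise ValueError("password must not be empty")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    return raw


def load_hmac_key() -> bytes:
    """Slide 3a: a symmetric secret fetched from outside the database; a missing key is a
    configuration error, never something to default."""
    hexkey = os.environ.get(HMAC_KEY_ENV)
    if not hexkey:
        raise RuntimeError("%s is not set" % HMAC_KEY_ENV)
    return bytes.fromhex(hexkey)


def _stretch_and_mac(raw: bytes, salt: bytes, iterations: int, hmac_key: bytes) -> bytes:
    stretched = hashlib.pbkdf2_hmac("sha256", raw, salt, iterations)   # slide 3b: slow for both sides
    return hmac.new(hmac_key, salt + stretched, "sha256").digest()       # slide 3a: slow only for an attacker without the key


def protect(password: str, hmac_key: bytes, salt: Optional[bytes] = None,
            iterations: int = PBKDF2_ITERATIONS) -> StoredCredential:
    """Create the record to store for a new or changed password."""
    raw = check_policy(password)
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # OS CSPRNG; fresh for every credential
    return StoredCredential(salt, iterations, _stretch_and_mac(raw, salt, iterations, hmac_key))


def verify(password: str, stored: StoredCredential, hmac_key: bytes) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        raw = check_policy(password)
    except ValueError:
        return False
    candidate = _stretch_and_mac(raw, stored.salt, stored.iterations, hmac_key)
    return hmac.compare_digest(candidate, stored.digest)


def encode(stored: StoredCredential) -> str:
    """Storage string; salt and iteration count are in the clear by design (assumed format)."""
    return "pbkdf2-sha256+hmac$%d$%s$%s" % (stored.iterations, stored.salt.hex(), stored.digest.hex())


def decode(text: str) -> StoredCredential:
    scheme, iterations, salt_hex, digest_hex = text.split("$")
    if scheme != "pbkdf2-sha256+hmac":
        raise ValueError("unknown scheme")
    return StoredCredential(bytes.fromhex(salt_hex), int(iterations), bytes.fromhex(digest_hex))


if __name__ == "__main__":
    os.environ.setdefault(HMAC_KEY_ENV, secrets.token_hex(32))   # demo only; real keys come from a KMS
    key = load_hmac_key()
    record = encode(protect("correct horse battery staple", key))
    print(record)
    print(verify("correct horse battery staple", decode(record), key))
```

Two details worth noting: the salt and iteration count travel inside the stored record, so raising the work factor later is a per-user rehash on next login rather than a migration, and the HMAC key is the only secret, so a database dump alone gives an attacker nothing to brute-force offline.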

Password1!

Google, Facebook, PayPal, Apple, AWS, Dropbox, Twitter, Blizzard, Valve's Steam, Yahoo, Chase, RBS Bank

Forgot Password Secure Design
 Require identity questions: last name, account number, email, DOB. Enforce a lockout policy.
 Ask one or more good security questions (see the OWASP cheat sheet: ity_Questions_Cheat_Sheet).
 Send the user a randomly generated, single-use, time-limited token via an out-of-band channel: email, SMS or hardware token.
 Verify the code in the same web session that requested it. Enforce a lockout policy on token guesses.
 Change the password. Enforce the password policy.
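The token half of that flow, as an added Python example that is not part of the OWASP presentation: a random out-of-band token of which only the hash is stored, redeemable once, only in the session that requested it, with a guess lockout and an expiry. Everything not on the slide is an assumption: the token size, the 15-minute lifetime, the 5-attempt lockout, the minimum new-password length, and the in-memory dict plus callbacks that stand in for the database, the email/SMS sender and the credential store.

```python
"""Forgot-password token lifecycle (added example, not the slides' code).

Assumptions not taken from the slide: TOKEN_TTL_SECONDS, MAX_ATTEMPTS,
MIN_PASSWORD_CHARS, and the callbacks/dict used in place of real infrastructure.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 15 * 60   # assumption: token lifetime
MAX_ATTEMPTS = 5              # assumption: lockout policy for token guesses
MIN_PASSWORD_CHARS = 12       # assumption: stand-in for the site's password policy


@dataclass
class ResetRequest:
    token_hash: bytes      # only the hash is stored: a DB leak must not yield usable tokens
    session_id: str        # the token may only be redeemed in the session that asked for it
    expires_at: float
    attempts: int = 0
    locked: bool = False
    verified: bool = False


class PasswordResetService:
    def __init__(self, send_out_of_band: Callable[[str, str], None],
                 set_password: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._pending: Dict[str, ResetRequest] = {}   # user_id -> request (stand-in for a DB table)
        self._send = send_out_of_band                 # email / SMS sender
        self._set_password = set_password             # credential store (e.g. protect() from the storage example)
        self._clock = clock                           # injectable for testing expiry

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def begin(self, user_id: str, session_id: str) -> None:
        """Issue a fresh token; any earlier token for the user is discarded."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[user_id] = ResetRequest(self._hash(token), session_id,
                                              self._clock() + TOKEN_TTL_SECONDS)
        self._send(user_id, token)          # the plaintext token is never persisted

    def verify_token(self, user_id: str, session_id: str, token: str) -> bool:
        """Same-session check, expiry, constant-time compare, lockout after MAX_ATTEMPTS."""
        req = self._pending.get(user_id)
        if req is None or req.locked or req.session_id != session_id:
            return False
        if self._clock() > req.expires_at:
            del self._pending[user_id]
            return False
        req.attempts += 1
        if hmac.compare_digest(req.token_hash, self._hash(token)):
            req.verified = True
            return True
        if req.attempts >= MAX_ATTEMPTS:
            req.locked = True               # the user must start the flow over
        return False

    def complete(self, user_id: str, session_id: str, new_password: str) -> bool:
        """Change the password only after a verified token, in the same session, once."""
        req = self._pending.get(user_id)
        if req is None or not req.verified or req.session_id != session_id:
            return False
        if self._clock() > req.expires_at:
            del self._pending[user_id]
            return False
        if len(new_password) < MIN_PASSWORD_CHARS:
            return False                    # policy failure; the verified token remains usable
        del self._pending[user_id]          # single use
        self._set_password(user_id, new_password)
        return True
```

The session binding is what stops a token intercepted from email or SMS from being redeemed by whoever reads it: the redeemer must also hold the browser session that started the reset.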