Presentation is loading. Please wait.

Presentation is loading. Please wait.

Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013.

Published byGeorgiana Perry Modified over 9 years ago

Similar presentations

Presentation on theme: "Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013."— Presentation transcript:

1 Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013

2 About Me michael@ShapeSecurity.com

3 Password in the News

4 UNDERSTANDING PASSWORD THREATS

5 Online Attacks Attackers interact with web interface via scripts & automation Defenses Available: Account Lockout, Attacker Profiling, Anti-automation Example Online Attacks Password Brute Force - 4 variations Credential Stuffing - (Reuse of compromised passwords) Account Lockout

6 Offline Attacks Attackers have password hashes and are performing attacks against file Defenses Available: Only the strong hashing algorithm you selected Example Offline Attacks Hash brute force - dictionary or iterative Rainbow tables

7 OFFLINE PASSWORD STORAGE

8 Password Storage Bad Approaches Your own algorithm md5 sha1 encryption base64 encoding rot 13 Good Approach Bcrypt Scrypt PBKDF2 + Per user salt

9 ADDITIONAL ATTACKS

10 Denial of Service Denial of Service (DOS) Distributed Denial of Service (DDOS)

11 Denial of Service

12 DDOS Comparisons Traditional Network DDOS overwhelms target with volume exhausts bandwidth / capacity of network devices Requires large number of machines Defenses: CDN, anti-DDOS services Application Abuse DOS invokes computationally intense application functions exhausts CPU / memory of web servers Requires few machines Defenses: Few available, must customize

13 Credential Stuffing Account Take Over - Credential Stuffing

14 Distributed App Lock Out

15 Service Desk Overload

16 Take Aways Password Hashing – Don’t get breached - Defense in depth – Don’t exacerbate breach – use correct hashing Online Attacks – Prepare for automated attacks – Different attacks and motivation from Criminal Enterprises, Hacktivism, Nation State, etc

17 Thanks! michael@shapesecurity.com http://michael-coates.blogspot.com @_mwc

Download ppt "Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013."

Similar presentations

The OWASP Foundation Secure Password Storage Verify Only Add Salt Slow Down (or) HMAC/Isolation.

The OWASP Foundation Secure Password Storage Verify Only Add Salt Slow Down (or) HMAC/Isolation.
Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Secure Password Storage JOSHUA SMALL HTTPS://GITHUB.COM/TECHNION/ LHNSKEYHTTPS://GITHUB.COM/TECHNION/ LHNSKEY - ROOT PASSWORD GENERATOR FOR CVE-2013-2352.

Secure Password Storage JOSHUA SMALL LHNSKEYHTTPS://GITHUB.COM/TECHNION/ LHNSKEY - ROOT PASSWORD GENERATOR FOR CVE
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Chapter 3 Passwords Principals Authenticate to systems.

Chapter 3 Passwords Principals Authenticate to systems.
1 Network Security Derived from original slides by Henric Johnson Blekinge Institute of Technology, Sweden From the book by William Stallings.

1 Network Security Derived from original slides by Henric Johnson Blekinge Institute of Technology, Sweden From the book by William Stallings.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAuthentication Systems1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
CS795/895.NET Passport1. NET PASSPORT &TRUSTBRIDGE SHRIPAD PATIL CS795/895 SECURITY IN DISTRIBUTED SYSTEMS.

CS795/895.NET Passport1. NET PASSPORT &TRUSTBRIDGE SHRIPAD PATIL CS795/895 SECURITY IN DISTRIBUTED SYSTEMS.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.

VPN AND SECURITY FLAWS Rajesh Perumal Clemson University.
FIVE STEPS TO REDUCE THE RISK OF CYBERCRIME TO YOUR BUSINESS.

FIVE STEPS TO REDUCE THE RISK OF CYBERCRIME TO YOUR BUSINESS.
Time-Memory tradeoffs in password cracking 1. Basic Attacks Dictionary attack: –What if password is chosen well? Brute Force (online version): –Try all.

Time-Memory tradeoffs in password cracking 1. Basic Attacks Dictionary attack: –What if password is chosen well? Brute Force (online version): –Try all.
CIS 450 – Network Security Chapter 8 – Password Security.

CIS 450 – Network Security Chapter 8 – Password Security.
Attacks Against Database By: Behnam Hossein Ami RNRN i { }

Attacks Against Database By: Behnam Hossein Ami RNRN i { }
ENTERPRISE COMPUTING QUIZ By: Lean F. Torida

ENTERPRISE COMPUTING QUIZ By: Lean F. Torida

Similar presentations

Ads by Google