
Passwords Breaches, Storage, Attacks






Presentation Transcript


  1. Passwords Breaches, Storage, Attacks
     OWASP AppSec USA 2013

  2. About Me
     michael@ShapeSecurity.com

  3. Password in the News

  4. Understanding Password Threats

  5. Online Attacks
     • Attackers interact with the web interface via scripts & automation
     • Defenses available: Account Lockout, Attacker Profiling, Anti-automation
     • Example Online Attacks
       • Password Brute Force - 4 variations
       • Credential Stuffing (reuse of compromised passwords)
       • Account Lockout

  6. Offline Attacks
     • Attackers have the password hashes and are performing attacks against the file
     • Defenses available: only the strong hashing algorithm you selected
     • Example Offline Attacks
       • Hash brute force - dictionary or iterative
       • Rainbow tables

  7. Offline Password Storage

  8. Password Storage
     • Good Approach
       • Bcrypt
       • Scrypt
       • PBKDF2 + per-user salt
     • Bad Approaches
       • Your own algorithm
       • md5
       • sha1
       • encryption
       • base64 encoding
       • rot 13
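An added example, not from the slides, contrasting one bad approach from this slide (unsalted md5) with one good approach (PBKDF2 + per-user salt): with md5, two users who pick the same password get the same stored value, so one precomputed table or one cracked account covers them all; with a random per-user salt every record differs, and the verifier recomputes from the salt and iteration count kept in the record. The iteration count, salt size and record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: tune the iteration count upward as hardware improves.
ITERATIONS = 600_000
SALT_BYTES = 16


def md5_store(password: str) -> str:
    """Bad approach from the slide: unsalted, fast hash. Same password -> same value."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Good approach from the slide: PBKDF2-HMAC-SHA256 with a random per-user salt.
    Returns a self-describing record: algorithm$iterations$salt_hex$hash_hex
    (assumed format) so the parameters can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time so a timing side channel does not leak the digest."""
    try:
        alg, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_same_record(store, password: str) -> bool:
    """Two users choosing the same password: do they get identical stored values?
    True is the property that makes rainbow tables and hash reuse work."""
    return store(password) == store(password)
```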

  9. Additional Attacks

  10. Denial of Service
     • Denial of Service (DOS)
     • Distributed Denial of Service (DDOS)

  11. Denial of Service

  12. DDOS Comparisons
     Application Abuse DOS
       • invokes computationally intense application functions
       • exhausts CPU / memory of web servers
       • requires few machines
       • Defenses: few available, must customize
     Traditional Network DDOS
       • overwhelms target with volume
       • exhausts bandwidth / capacity of network devices
       • requires a large number of machines
       • Defenses: CDN, anti-DDOS services

  13. Credential Stuffing
     Account Take Over - Credential Stuffing

  14. Distributed App Lock Out

  15. Service Desk Overload

  16. Takeaways
     • Password Hashing
       • Don’t get breached - defense in depth
       • Don’t exacerbate a breach – use correct hashing
     • Online Attacks
       • Prepare for automated attacks
       • Different attacks and motivations from Criminal Enterprises, Hacktivism, Nation States, etc.

  17. Thanks!
     michael@shapesecurity.com
     http://michael-coates.blogspot.com
     @_mwc
