Confraria InfoSec
Living With Passwords: Personal Password Management
23/02/2011
Summary

   • Motivation
   • Today's scenario
   • Alternatives
      - Non-electronic
      - Limited
      - Password Managers
   • Two-Factor Authentication
      - Software Tokens
      - Hardware Tokens
   • Trends

SAPO Websecurity Team
Motivation > Lots of accounts compromised




Motivation > People Reuse Passwords

   • Password Sharing: 73% of users share passwords that are used for online banking with at least one non-financial website.
   • Username / Password Sharing: 42% of users share both their username and password with at least one non-financial website.

   Study on 4M PCs, in "Reusing Login Credentials", Security Advisor, February 2010, Trusteer Inc.
Today

Typical choice of passwords on the Web:

   • Weak password and reused in different sites
   • Strong password but reused in different sites
   • Weak password but different from other sites
   • Strong password for critical sites, weak password for other sites
   • Strong or weak password and basic derivations on other sites
Today

Can we memorize hundreds of strong passwords?

Today

No way!

Today

So what can we do?
Alternatives to memorizing multiple passwords?

   • Non-electronic
      - Post-it
      - Password Cards
   • Limited adoption
      - OpenID / OAuth (Facebook, Twitter, Google, SAPO)
      - Smart card
   • Password Managers:
      - Local (examples):
         ‣ PGP File on Disk
         ‣ Mac Keychain
         ‣ Password Safe
      - Stateless (examples):
         ‣ SuperGenPass
      - Remote (examples):
         ‣ LastPass
         ‣ 1Password + Dropbox
Alternatives > Post-it

Post-it
   The user can write passwords on a piece of paper, prefixed and suffixed with random chars, and keep it in his/her wallet.

Pros:
   • More secure than memorizing weak passwords

Cons:
   • Not practical at all
   • Difficult to check and type passwords when there are people around

   "Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."
      in Schneier on Security, Bruce Schneier, Jun 2005
Alternatives > Password Cards

Password Cards
   The user keeps the password card in his/her wallet and all he/she does is remember a combination of a symbol and a color per site... and direction and length!

Pros:
   • More secure than a post-it if stolen (the card alone does not reveal which cells are the password)

Cons:
   • Not practical
   • Might be difficult to use because of password policies
   • User still needs to memorize some information for each site
Alternatives > OpenID

OpenID
   Open standard that describes how users can be authenticated in a decentralized manner, allowing users to consolidate their digital identities.

Pros:
   • Users don't need to remember multiple passwords
   • Sites don't know users' passwords
   • Users can change provider and still maintain their digital identity
   • Allows multiple authentication mechanisms

Cons:
   • Limited to the subset of sites that support OpenID
   • If the provider is down you can't authenticate*
Alternatives > OAuth based

OAuth based
   Use popular sites (Facebook, Twitter, SAPO) as authenticators to other sites, just like OpenID. (Strictly, OAuth is an authorization protocol; these "log in with X" flows use it as a de facto authentication mechanism by relying on the provider's session.)

   Similar pros & cons to OpenID.
Alternatives > Smart Cards

Smart Cards
   Some sites allow you to use SSL client certificates as a means of authentication. The certificate and its private key can be stored in a smart card, so the key never leaves the card.

Pros:
   • Good security offered
   • Even better when used as 3-factor authentication

Cons:
   • Not very practical
   • Only a very limited number of sites support SSL client certificates
   • May provide a false sense of security
Alternatives > Password Managers

Password Managers
   Use a password manager to manage all your passwords instead of trying to memorize them all.

Types (we will provide examples of each):
   • Local
   • Stateless
   • Remote

Pros:
   • Easy to use
   • Practical
   • Enable you to use strong and different passwords across sites

Cons:
   • If a hacker breaks your password manager, ALL your passwords are compromised!
Alternatives > Password Managers > Local > PGP File

PGP Encrypted File on Disk
   Not really a password manager, but the user can keep all his/her passwords in one file that is encrypted with PGP.

Pros:
   • It seems pretty secure

Cons:
   • Not for everyone
   • Hard to maintain
   • If you need a password and you don't have your computer with you...
Alternatives > Password Managers > Local > MacOSX Keychain

MacOSX Keychain
   OS-wide password manager. Can sync keychain data with other computers.

Pros:
   • Integrated with the operating system, thus easy and practical to use
   • Secure
   • You can unlock your keychain with a smart card

Cons:
   • If you need a password and you don't have your computer with you...
   • Only MacOSX is supported
Alternatives > Password Managers > Local > Password Safe

Password Safe
   Similar to a PGP encrypted file in terms of functionality, but has a GUI.

Pros:
   • Secure
   • GUI to manage passwords

Cons:
   • If you need a password and you don't have your computer with you...
   • Only MS-Windows is supported
Alternatives > Password Managers > Stateless > SuperGenPass

SuperGenPass
   SuperGenPass is a simple bookmarklet that computes your site's password. No one knows your passwords, and nothing is stored anywhere. Site's password = 10x MD5(yourMasterSecret:domainURL), i.e. ten MD5 rounds over "master secret:domain".

Pros:
   • Simple idea, simple to use
   • Very practical, easy to use when you don't have access to your computer

Cons:
   • Prone to XSS attacks! (the bookmarklet runs in the page's own script context, so a site that is compromised or has an XSS flaw can capture the master secret as you type it)
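The derivation on this slide, as an added example that is not SuperGenPass's own code: a simplified Python model of "10x MD5(master:domain)". The base64 step between rounds, the 10-character truncation and the host-name normalization are assumptions of this example, not facts from the slide. It also shows a consequence of the formula that a practitioner should weigh: every derived password is a public function of the master secret and the domain, so a site that receives one (or leaks it) can guess the master secret offline, with no salt or work factor in the way, and changing the master secret changes the password on every site at once.

```python
import base64
import hashlib
from typing import Iterable, Optional


def normalize_domain(url: str) -> str:
    """Map every spelling of one site to the same string.

    Assumption for this example: drop scheme, path and a leading 'www.'.
    Without a rule like this, 'https://twitter.com/login' and
    'www.twitter.com' would derive two different passwords.
    """
    host = url.strip().lower().split("://", 1)[-1].split("/", 1)[0]
    return host[4:] if host.startswith("www.") else host


def site_password(master_secret: str, url: str,
                  rounds: int = 10, length: int = 10) -> str:
    """Stateless derivation modelled on the slide: MD5 over
    'master:domain', iterated `rounds` times.

    Modelling choice (assumption): each digest is base64-encoded before
    it is fed to the next round, and the final string is truncated.
    """
    data = f"{master_secret}:{normalize_domain(url)}".encode()
    for _ in range(rounds):
        data = base64.b64encode(hashlib.md5(data).digest())
    return data.decode()[:length]


def recover_master(site_pw: str, url: str,
                   candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a single derived password.

    The algorithm is public and has no per-site secret, so whoever holds
    one site password can test master-secret guesses at MD5 speed.
    Returns the matching guess, or None.
    """
    for guess in candidates:
        if site_password(guess, url) == site_pw:
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    master = "correct horse"
    for site in ("https://twitter.com/login", "www.twitter.com", "sapo.pt"):
        print(site, "->", site_password(master, site))
```

Two spellings of the same site must give the same password (the normalization above), different sites must give different ones, and a leaked site password is enough to recover a weak master secret from a short word list.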




Alternatives > Password Managers > Remote

Remote Password Managers
Alternatives > Password Managers > Remote > LastPass

LastPass Features:

   • Server is not aware of your encryption key
   • Data is stored on the server in encrypted form and encrypted/decrypted locally (using JS or a browser extension)
   • Device synchronization
   • Multiplatform support
   • Import and export functionality
   • Multi-factor authentication (OTPs, Yubikey, Grid, among others)
   • Phishing mitigation
Alternatives > Password Managers > Remote > LastPass > Usage
Login

Alternatives > Password Managers > Remote > LastPass > Usage
Saving a site

Alternatives > Password Managers > Remote > LastPass > Usage
Saving a site

Alternatives > Password Managers > Remote > LastPass > Usage
Site login
Alternatives > Password Managers > Remote > LastPass

Looking deeper:

   • The login process;
   • Adding a site;
   • Risks related to implementation;
   • Major threats;
   • Advantages.
Alternatives > Password Managers > Remote > LastPass > Details
Looking deeper - The login process
Alternatives > Password Managers > Remote > LastPass > Details
Looking deeper - The login process

   Parameter                        Value                                                              Operation
   username                         hypnotoad@sapo.pt                                                  user
   hash                             0f4ca0edff9ac0436c9c161565c7bff0654aa67e412578e5294a245d971d91cb   SHA256(master_key + password)
   encrypted_username, requesthash  Le74Bkbjqv8Hfj5HPayoqCD402FtjIBn7XhSNmiTNzk=                       B64(AES256_ECB(master_key, PKCS7(user)))
   lostpwotphash                    dafb156eb7e0c3aa23a47c90a70350b54ce649c9a9e6ee6670f64110dc783778   SHA256(user + recovery_key)
   u                                e548f6d1a533d298102519aed86ef186b3d3b9f4b0d3c7c1c20cc8072771ce3d   SHA256(user)

   • user = "hypnotoad@sapo.pt"
   • password = "pwd123456"
   • master_key = SHA256(user + password)
   • rand_n = RAND(128b)
   • recovery_key = SHA256(user + rand_n)
   • encrypted_master_key = AES256_ECB(recovery_key, master_key)
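The client and server halves of the login exchange in the table above, as an added example that is not LastPass's code. The first client function follows the slide's formulas (master_key = SHA256(user + password), hash = SHA256(master_key + password), u = SHA256(user)); the AES-ECB fields are left out. The second client function is the hardened variant with PBKDF2-HMAC-SHA256 that the risks slide recommends; its parameters (username as salt, 100 000 iterations, and a one-iteration PBKDF2 that turns the key into a login proof so the server never learns the vault key) are assumptions of this example, as is the in-memory Server class. The user and password strings are the slide's own demo values.

```python
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Scheme as described on the slide (single-round SHA256) -------------

def client_login_fields(user: str, password: str) -> Dict[str, str]:
    """Values the client derives before talking to the server.

    master_key stays on the client (it encrypts the vault); only the
    login proof 'hash' and the hashed username 'u' are sent.
    Two unsalted SHA256 calls per candidate password is all an attacker
    holding the server's table has to pay per guess.
    """
    master_key = hashlib.sha256((user + password).encode()).digest()
    return {
        "u": sha256_hex(user.encode()),
        "hash": sha256_hex(master_key + password.encode()),
    }


# --- Hardened variant from the risks slide (PBKDF2) --------------------

def client_login_fields_pbkdf2(user: str, password: str,
                               iterations: int = 100_000) -> Dict[str, str]:
    """Same protocol shape, different derivation (assumed parameters).

    master_key = PBKDF2-HMAC-SHA256(password, salt=user, iterations)
    login proof = one extra PBKDF2 round over the key, so the value the
    server stores cannot be used to decrypt the vault.
    Every guess now costs `iterations` HMAC calls instead of one hash.
    """
    master_key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     user.encode(), iterations)
    login_hash = hashlib.pbkdf2_hmac("sha256", master_key,
                                     password.encode(), 1)
    return {"u": sha256_hex(user.encode()), "hash": login_hash.hex()}


class Server:
    """Minimal server side: keeps the login proof per 'u' and compares
    it in constant time. It never sees password or master_key."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}

    def register(self, fields: Dict[str, str]) -> None:
        self._users[fields["u"]] = fields["hash"]

    def verify(self, fields: Dict[str, str]) -> bool:
        stored = self._users.get(fields["u"])
        return stored is not None and hmac.compare_digest(stored, fields["hash"])


if __name__ == "__main__":
    srv = Server()
    login = client_login_fields("hypnotoad@sapo.pt", "pwd123456")
    srv.register(login)
    print("login ok:", srv.verify(login))
    print("wrong password:", srv.verify(client_login_fields("hypnotoad@sapo.pt", "pwd123457")))
```

Both derivations plug into the same Server, which is the point: switching to PBKDF2 changes nothing on the wire, only the cost of each offline guess against a stolen table.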

Alternatives > Password Managers > Remote > LastPass > Details
Looking deeper - Adding a site
Alternatives > Password Managers > Remote > LastPass > Details
Looking deeper - Adding a site

   Parameter     Value                                          Operation
   url           68747470733a2f2f747769747465722e636f6d2f       HEX("https://twitter.com/")
   name          iiFFsmFqWzhZEzz4WdqFsQ==                       B64(AES256_ECB(master_key, PKCS7("twitter.com")))
   username      VXu4hWF75MFuA1XiaAUp/g==                       B64(AES256_ECB(master_key, PKCS7("someaccount")))
   password      8ISq2uZ6HHHkgaPNPzTDDs2sqi+erKc65snJce/0V2s=   B64(AES256_ECB(master_key, PKCS7("NS3ptHQcvwEkCX6NK9uJeKOstLWbN4Mf")))
   requesthash   Le74Bkbjqv8Hfj5HPayoqCD402FtjIBn7XhSNmiTNzk=   B64(AES256_ECB(master_key, PKCS7(user)))

   • user = "hypnotoad@sapo.pt"
   • password = "pwd123456"
   • master_key = SHA256(user + password)
Alternatives > Password Managers > Remote > LastPass > Details
Looking deeper - Risks related to implementation

   • The URL is stored in plaintext;
   • Form field names are stored in plaintext;
   • AES is being used in ECB mode. The same input always generates the same output... (in the tables above, encrypted_username and requesthash are the identical ciphertext because they encrypt the same plaintext under the same key: ECB leaks equality of plaintexts and repeats across requests);
   • Key derivation should be improved (e.g. using PBKDF2). A single SHA256 over user + password costs one hash per guess, so a stolen hash can be attacked at raw hardware hash rates:
      "That means that it only takes three days to break a seven-letter mixed-case password -- ouch. It takes a little more time if there are numbers and special characters in the password or the password is longer and much less time if the password is all one case, subject to a dictionary attack, or is partially known."
   • Beware of the "create an OTP for recovery" option (per the login slide, the recovery key decrypts encrypted_master_key, so the recovery OTP is as sensitive as the master password itself);
   • Third-party security assessment still pending.
Alternatives > Password Managers > Remote > LastPass > Details
Looking deeper - Major threats

   • Master password theft;
   • A trojan installed on the host may compromise all passwords at once.
Alternatives > Password Managers > Remote > LastPass

Pros:
   Practical
      • One password to remember;
      • Integrated with the browser;
      • Synchronizes credentials across devices.

   Open
      • Client-side source code is available.

   Secure
      • Very effective against Gawker-style attacks (password containment: a breached site's database exposes only the unique password used there);
      • Can be paired with additional authentication factors;
      • Passwords are stored in encrypted form, both locally and remotely.
Two-Factor Authentication

Two-Factor Authentication
Two-Factor Auth > Examples

Some Examples
   • Smart cards
   • Software OTP tokens:
      - Google Authenticator
      - Verisign VIP
   • Hardware OTP tokens:
      - Yubikey
      - CryptoCard
      - RSA SecurID

Pros:
   • More secure than single-factor :)
Cons:
   • Not very practical
   • May provide a false sense of security
   • Typically a closed market (vendors rip you off!)
Two-Factor Auth > Google Authenticator

Google Authenticator
   Supports HOTP (event-based) and TOTP (time-based) codes. Key provisioning via scanning a QR code.

Pros:
   • Free! :)
   • No need to carry extra devices
   • You can use it in your own systems (using a PAM module or integrating it with RADIUS)

Cons:
   • Concerns related to the security of the device
   • Your battery may die when you most need an OTP
   • You lose some time to generate an OTP



Two-Factor Auth > Yubikey > What is it?

What is it?
   • The Yubikey is a small USB token which acts as a regular keyboard. It can generate static passwords and one-time passwords.
Two-Factor Auth > Yubikey > How does it work?

Static Passwords
   • The Yubikey can be provisioned with a static password of up to 64 chars. This password can be used with applications/services that do not support OTPs. You should combine it with an additional password that you remember: on its own it is only "something you have", typed by the device.

One Time Passwords
   • Two different one-time password standards are supported: event-based HOTP and Yubikey-style OTPs.
   • HOTP is a better known standard, but it is more limited due to usability concerns (smaller OTP, sync issues, etc.).
   • The Yubikey OTP standard leverages the fact that the Yubikey inputs the OTPs for you.

Two slots
   • Short-press for slot 1; long-press for slot 2 (3 secs).

Drivers
   • Any OS with USB-keyboard support. It even works during boot (useful for, e.g., whole-disk encryption solutions such as PGP-WDE and TrueCrypt).
Two-Factor Auth > Yubikey > Where does it work?
Yubico OpenID (http://openid.yubico.com)

Two-Factor Auth > Yubikey > Where does it work?
LastPass (http://www.lastpass.com)

Two-Factor Auth > Yubikey > Where does it work?
Laptop (http://127.0.0.1)
   One Time Password | Static Password
Two-Factor Auth > Yubikey > Details
Inner workings
Two-Factor Auth > Yubikey > Security Threats

Protocol attacks
   • Generated OTPs consist of unique 128-bit blocks encrypted with an AES key shared between token and server. Protocol security depends on the security strength of the AES algorithm, and on the server enforcing that uniqueness by rejecting any block it has already accepted, so that a captured OTP cannot be replayed.
Two-Factor Auth > Yubikey > Security Threats

Server attacks
   • An authentication server stores symmetric keys for all tokens and is a single point of failure. This can be mitigated with tamper-proof HSMs and user passwords;
   • A DoS attack on the server will result in users not being able to log in.
Two-Factor Auth > Yubikey > Security Threats

User attacks
   • Social engineering;
   • Phishing;
   • "Borrowing" the token.
Two-Factor Auth > Yubikey > Security Threats

Host attacks
   • Software key extraction (very hard to exploit);
   • Man-in-the-browser.
Two-Factor Auth > Yubikey > Security Threats

Hardware attacks
   • Hardware key extraction and token duplication.
Two-Factor Auth > Yubikey > Advantages

Practical
   • No drivers necessary
   • Types the key for you

Open
   • Open standard and infrastructure
   • Software released under a permissive license
   • Extensible (PIN option)
   • No license required per token

Affordable
   • Around 10€ if purchased in larger quantities

Secure
   • Provides an additional authentication factor
   • OTP generation requires manual intervention
Future

Trends
Trends

Two-factor authentication is getting popular:
Trends

NFC is starting to be hyped:
   In "How Apple and Google will kill the password", Computerworld, Jan 2011:
The End

Questions?

Nuno Loureiro <nuno@co.sapo.pt>
João Poupino <joao.poupino@co.sapo.pt>

SAPO Websecurity Team, Confraria InfoSec

IPv6IPv6
IPv6
 
Security & PHP
Security & PHPSecurity & PHP
Security & PHP
 
Performance (Web&PHP)
Performance (Web&PHP)Performance (Web&PHP)
Performance (Web&PHP)
 

Recently uploaded

IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 

Recently uploaded (20)

IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 

Living With Passwords: Personal Password Management

  • 1. Confraria InfoSec, 23/02/2011. Living With Passwords: Personal Password Management
  • 2. Summary
      • Motivation
      • Today's scenario
      • Alternatives
        - Non-electronic
        - Limited
        - Password Managers
      • Two-Factor Authentication
        - Software Tokens
        - Hardware Tokens
      • Trends
      SAPO Websecurity Team
  • 3. Motivation > Lots of accounts compromised
  • 4. Motivation > People Reuse Passwords
      • Password Sharing: 73% of users share passwords that are used for online banking with at least one non-financial website.
      • Username / Password Sharing: 42% of users share both their username and password with at least one non-financial website.
      Study on 4M PCs, in "Reusing Login Credentials", Security Advisor, February 2010, Trusteer Inc.
  • 5. Today. Typical choice of passwords on the Web:
      • Weak password and reused in different sites
      • Strong password but reused in different sites
      • Weak password but different from other sites
      • Strong password for critical sites, weak password for other sites
      • Strong or weak password and basic derivations on other sites
  • 6. Today. Can we memorize hundreds of strong passwords?
  • 7. Today. No way!
  • 8. Today. So what can we do?
  • 9. Alternatives to memorizing multiple passwords?
      • Non-electronic
        - Post-it
        - Password Cards
      • Limited adoption
        - OpenID / OAuth (Facebook, Twitter, Google, SAPO)
        - Smart card
      • Password Managers:
        - Local (examples):
          ‣ PGP File on Disk
          ‣ Mac Keychain
          ‣ Password Safe
        - Stateless (examples):
          ‣ SuperGenPass
        - Remote (examples):
          ‣ LastPass
          ‣ 1Password + Dropbox
  • 10. Alternatives > Post-it
      The user can write passwords on a piece of paper, prefixed and suffixed with random chars, and keep it in his/her wallet.
      Pros:
      • More secure than memorizing weak passwords
      Cons:
      • Not practical at all
      • Difficult to check and type passwords when there are people around
      "Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet." in Schneier on Security, Bruce Schneier, Jun 2005
  • 11. Alternatives > Password Cards
      The user keeps the password card in his/her wallet and all he/she has to do is remember a combination of a symbol and a color per site... and direction and length!
      Pros:
      • More secure than a post-it if stolen
      Cons:
      • Not practical
      • Might be difficult to use because of password policies
      • User still needs to memorize some information for each site
  • 12. Alternatives > OpenID
      Open standard that describes how users can be authenticated in a decentralized manner, allowing users to consolidate their digital identities.
      Pros:
      • Users don't need to remember multiple passwords
      • Sites don't know users' passwords
      • Users can change provider and still maintain their digital identity
      • Allows multiple authentication mechanisms
      Cons:
      • Limited to the subset of sites that support OpenID
      • If the provider is down you can't authenticate*
  • 13. Alternatives > OAuth based
      Use popular sites (Facebook, Twitter, SAPO) as authenticators to other sites, just like OpenID.
      Similar pros & cons to OpenID.
  • 14. Alternatives > Smart Cards
      Some sites allow you to use SSL client certificates as a means of authentication. Certificates can be stored in a smart card.
      Pros:
      • Good security offered
      • Even better when used as 3-factor authentication
      Cons:
      • Not very practical
      • Only a very limited number of sites support SSL client certificates
      • May provide a false sense of security
  • 15. Alternatives > Password Managers
      Use a password manager to manage all your passwords instead of trying to memorize them all.
      Types (we will provide examples of each):
      • Local
      • Stateless
      • Remote
      Pros:
      • Easy to use
      • Practical
      • Enable you to use strong and different passwords across sites
      Cons:
      • If a hacker breaks your password manager, ALL your passwords are compromised!
  • 16. Alternatives > Password Managers > Local > PGP File
      PGP Encrypted File on Disk. Not really a password manager, but the user can keep all his/her passwords in one file that is encrypted with PGP.
      Pros:
      • It seems pretty secure
      Cons:
      • Not for everyone
      • Hard to maintain
      • If you need a password and you don't have your computer with you...
  • 17. Alternatives > Password Managers > Local > MacOSX Keychain
      OS-wide password manager. Can sync the keychain's data with other computers.
      Pros:
      • Integrated with the operating system, thus easy and practical to use
      • Secure
      • You can unlock your keychain with a smart card
      Cons:
      • If you need a password and you don't have your computer with you...
      • Only MacOSX is supported
  • 18. Alternatives > Password Managers > Local > Password Safe
      Similar to the PGP Encrypted File in terms of functionality, but has a GUI.
      Pros:
      • Secure
      • GUI to manage passwords
      Cons:
      • If you need a password and you don't have your computer with you...
      • Only MS-Windows is supported
  • 19. Alternatives > Password Managers > Stateless > SuperGenPass
      SuperGenPass is a simple bookmarklet that computes your site's password. No one knows your passwords. Site's password = 10x MD5(yourMasterSecret:domainURL).
      Pros:
      • Simple idea, simple to use
      • Very practical, easy to use when you don't have access to your computer
      Cons:
      • Prone to XSS attacks!
  • 20. Alternatives > Password Managers > Remote. Remote Password Managers
  • 21. Alternatives > Password Managers > Remote > LastPass. LastPass features:
      • Server is not aware of your encryption key
      • Data is stored on the server in encrypted form and encrypted/decrypted locally (using JS or a browser extension)
      • Device synchronization
      • Multiplatform support
      • Import and export functionality
      • Multi-factor authentication (OTPs, Yubikey, Grid, among others)
      • Phishing mitigation
  • 22. Alternatives > Password Managers > Remote > LastPass > Usage. Login
  • 23. Alternatives > Password Managers > Remote > LastPass > Usage. Saving a site
  • 24. Alternatives > Password Managers > Remote > LastPass > Usage. Saving a site
  • 25. Alternatives > Password Managers > Remote > LastPass > Usage. Site login
  • 26. Alternatives > Password Managers > Remote > LastPass. Looking deeper:
      • The login process;
      • Adding a site;
      • Risks related to implementation;
      • Major threats;
      • Advantages.
  • 27. Alternatives > Password Managers > Remote > LastPass > Details. Looking deeper - The login process
  • 28. Alternatives > Password Managers > Remote > LastPass > Details. Looking deeper - The login process
      Parameter | Value | Operation
      username | hypnotoad@sapo.pt | user
      hash | 0f4ca0edff9ac0436c9c161565c7bff0654aa67e412578e5294a245d971d91cb | SHA256(master_key + password)
      encrypted_username, requesthash | Le74Bkbjqv8Hfj5HPayoqCD402FtjIBn7XhSNmiTNzk= | B64(AES256_ECB(master_key, PKCS7(user)))
      lostpwotphash | dafb156eb7e0c3aa23a47c90a70350b54ce649c9a9e6ee6670f64110dc783778 | SHA256(user + recovery_key)
      u | e548f6d1a533d298102519aed86ef186b3d3b9f4b0d3c7c1c20cc8072771ce3d | SHA256(user)
      • user = "hypnotoad@sapo.pt"
      • password = "pwd123456"
      • master_key = SHA256(user + password)
      • rand_n = RAND(128b)
      • recovery_key = SHA256(user + rand_n)
      • encrypted_master_key = AES256_ECB(recovery_key, master_key)
  • 29. Alternatives > Password Managers > Remote > LastPass > Details. Looking deeper - Adding a site
  • 30. Alternatives > Password Managers > Remote > LastPass > Details. Looking deeper - Adding a site
      Parameter | Value | Operation
      url | 68747470733a2f2f747769747465722e636f6d2f | HEX("https://twitter.com/")
      name | iiFFsmFqWzhZEzz4WdqFsQ== | B64(AES256_ECB(master_key, PKCS7("twitter.com")))
      username | VXu4hWF75MFuA1XiaAUp/g== | B64(AES256_ECB(master_key, PKCS7("someaccount")))
      password | 8ISq2uZ6HHHkgaPNPzTDDs2sqi+erKc65snJce/0V2s= | B64(AES256_ECB(master_key, PKCS7("NS3ptHQcvwEkCX6NK9uJeKOstLWbN4Mf")))
      requesthash | Le74Bkbjqv8Hfj5HPayoqCD402FtjIBn7XhSNmiTNzk= | B64(AES256_ECB(master_key, PKCS7(user)))
      • user = "hypnotoad@sapo.pt"
      • password = "pwd123456"
      • master_key = SHA256(user + password)
  • 31. Alternatives > Password Managers > Remote > LastPass > Details. Looking deeper - Risks related to implementation
      • The URL is stored in plaintext;
      • Form field names are stored in plaintext;
      • AES is being used in ECB mode. The same input always generates the same output...
      • Key derivation should be improved (e.g. using PBKDF2)
      "That means that it only takes three days to break a seven-letter mixed-case password -- ouch. It takes a little more time if there are numbers and special characters in the password or the password is longer and much less time if the password is all one case, subject to a dictionary attack, or is partially known."
      • Beware of the "create an OTP for recovery" option;
      • Third-party security assessment still pending.
  • 32. Alternatives > Password Managers > Remote > LastPass > Details. Looking deeper - Major threats
      • Master password theft;
      • A trojan installed on the host may compromise all passwords at once.
  • 33. Alternatives > Password Managers > Remote > LastPass. Pros:
      Practical
      • One password to remember;
      • Integrated with the browser;
      • Synchronizes credentials across devices.
      Open
      • Client-side source code is available.
      Secure
      • Very effective in Gawker-style attacks (password containment);
      • Can be paired with additional authentication factors;
      • Passwords are stored in encrypted form, both locally and remotely.
  • 34. Two-Factor Authentication
  • 35. Two-Factor Auth > Examples. Some examples:
      • Smart cards
      • Software OTP Tokens:
        - Google Authenticator
        - Verisign VIP
      • Hardware OTP Tokens:
        - Yubikey
        - CryptoCard
        - RSA SecurID
      Pros:
      • More secure than single-factor :)
      Cons:
      • Not very practical
      • May provide a false sense of security
      • Typically a closed market (vendors rip you off!)
  • 36. Two-Factor Auth > Google Authenticator
      Supports HOTP (event-based) and TOTP (time-based) codes. Key provisioning via scanning a QR code.
      Pros:
      • Free! :)
      • No need to carry extra devices
      • You can use it in your own systems (using a PAM module or integrating it with RADIUS)
      Cons:
      • Concerns related to the security of the device
      • Your battery may die when you most need an OTP
      • You lose some time to generate an OTP
  • 37. Two-Factor Auth > Yubikey > What is it?
      • The Yubikey is a small USB token which acts as a regular keyboard. It can generate Static Passwords and One Time Passwords.
  • 38. Two-Factor Auth > Yubikey > How does it work?
      Static Passwords
      • The Yubikey can be provisioned with a static password of up to 64 chars. This password can be used with applications/services that do not support OTPs. You should use an additional password!
      One Time Passwords
      • Two different One Time Password standards are supported: event-based HOTP and Yubikey-style OTPs.
      • HOTP is a better known standard, but it is more limited due to usability concerns (smaller OTP, sync issues, etc.).
      • The Yubikey OTP standard leverages the fact that the Yubikey inputs the OTPs for you.
      Two slots
      • Short-press for slot 1; long-press for slot 2 (3 secs).
      Drivers
      • Any OS with USB-keyboard support. It even works during boot (useful for, e.g., whole-disk encryption solutions such as PGP-WDE and TrueCrypt).
  • 39. Two-Factor Auth > Yubikey > Where does it work? Yubico OpenID (http://openid.yubico.com)
  • 40. Two-Factor Auth > Yubikey > Where does it work? LastPass (http://www.lastpass.com)
  • 41. Two-Factor Auth > Yubikey > Where does it work? Laptop (http://127.0.0.1): One Time Password; Static Password
  • 42. Two-Factor Auth > Yubikey > Details. Inner workings
  • 43. Two-Factor Auth > Yubikey > Security Threats. Protocol attacks
      • Generated OTPs consist of unique 128-bit blocks encrypted with an AES key shared between Token and Server. Protocol security depends on the security strength of the AES algorithm.
  • 44. Two-Factor Auth > Yubikey > Security Threats. Server attacks
      • An authentication server stores the symmetric keys for all Tokens and is a single point of failure. This can be mitigated with tamper-proof HSMs and user passwords;
      • A DoS attack on the server will result in users not being able to log in.
  • 45. Two-Factor Auth > Yubikey > Security Threats. User attacks
      • Social engineering;
      • Phishing;
      • "Borrowing" the Token.
  • 46. Two-Factor Auth > Yubikey > Security Threats. Host attacks
      • Software key extraction (very hard to exploit);
      • Man-in-the-browser.
  • 47. Two-Factor Auth > Yubikey > Security Threats. Hardware attacks
      • Hardware key extraction and Token duplication.
  • 48. Two-Factor Auth > Yubikey > Advantages
      Practical
      • No drivers necessary
      • Types the key for you
      Open
      • Open standard and infrastructure
      • Software released under a permissive license
      • Extensible (PIN option)
      • No license required per token
      Affordable
      • Around 10€ if purchased in larger quantities
      Secure
      • Provides an additional authentication factor
      • OTP generation requires manual intervention
  • 49. Future Trends
  • 50. Trends. Two-factor Authentication is getting popular:
  • 51. Trends. NFC starts to be a hype. In "How Apple and Google will kill the password", Computerworld, Jan 2011:
  • 52. The End. Questions? Nuno Loureiro <nuno@co.sapo.pt>, João Poupino <joao.poupino@co.sapo.pt>. SAPO Websecurity Team, Confraria InfoSec

Editor's Notes

  2. - All examples in PHP and MySQL
  3. - Passwords can be compromised
     - If compromised passwords are hashed, bad passwords can be broken
  28. - Passwords are remotely stored
      - Web-based
      - Multi-platform
      - Sync between devices
  42. hash parameter ~ HMAC
  53. - Token duplication may be hindered by counter desynchronization and the usage of a simple PIN
  63. - Waterproof
  73. Anti-phishing
      Anti-gawker
  74. - PAM
      - SSH
  75. - The ModHex encoding is used instead of standard hex or base64 encoding to make the device independent of language settings in the operating system.
      - sessionCtr: it is incremented every time the device is powered on and an OTP is used
      - timestamp: is set to a random value every time the device is connected.
      - sessionUse: counts the number of authentication tokens generated during the particular session.
      - random: LFSR register seeded by the touch button sensor USB activity
      - crc: data corruption (not integrity!)
  76. - Token duplication/steal issues may be hindered by counter desynchronization and the usage of a simple PIN
      - If the authentication token is stolen or lost, one must assume it is compromised already