Terse Systems

Failing With Passwords


Did a talk about implementing password security right last night at Five Minutes of Fame.

If you don’t want to go through the slides, here’s the TL;DR version:

TL;DR User Security

  • Use a password manager like LastPass or 1Password (with Dropbox) and use their password generation.
  • If no manager is available (routers, OS logins, etc.), use passphrases made of non-English words or acronyms (see xkcd).
  • Assume sites get compromised all the time and you never hear about it. NEVER reuse a password.
  • If you’re at a coffee shop or hackerspace, use a public VPN service.
  • OAuth / Twitter / Facebook based authentication is putting your auth credentials in their hands.

TL;DR Encryption Security

  • Use bcrypt. Bounce up the factor every few years.
  • Do not limit password field length. (bcrypt takes up to 55 bytes of input.)
  • Run a JS password tester to reject weak passwords.
  • Run a password cracker regularly to test your security.
  • Suggest to your users that they use passphrases with acronyms, punctuation or LOLspeak.
  • Generate random passwords for your users.
  • Consider removing password masking.
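Two of the items above, "bounce up the factor every few years" and "do not limit password field length", come down to how the stored record is laid out. The added example below (not from the talk or slides) stores the work factor next to the digest so old records can be upgraded transparently on the next successful login, and hashes the whole passphrase with no length cap. It uses standard-library PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, with the iteration count playing the role of bcrypt's cost factor; the upgrade-on-login pattern is the same either way.

```python
import hashlib
import hmac
import secrets

# Cost the site wants today; raise it as hardware gets faster and let
# login() upgrade old records. PBKDF2 iterations stand in for bcrypt's
# cost factor in this example.
CURRENT_COST = 600_000


def hash_password(password, cost=CURRENT_COST):
    """Return a self-describing record: algorithm$cost$salt$digest.

    Keeping the cost in the record is what makes a later cost bump
    possible without forcing every user through a password reset.
    """
    # No length cap: the entire passphrase is fed to the KDF.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return f"pbkdf2_sha256${cost}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    algo, cost, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(cost)
    )
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, current_cost=CURRENT_COST):
    """True when the record was made with a weaker cost than policy now demands."""
    return int(record.split("$")[1]) < current_cost


def login(password, record, current_cost=CURRENT_COST):
    """Check the password; on success return (True, record_to_store).

    The plaintext is only available at login time, so that is the one
    moment an out-of-date record can be re-hashed at the new cost.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, current_cost):
        record = hash_password(password, current_cost)
    return True, record
```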

TL;DR Operational Security

  • Use HTTPS for both rendering and submitting login page.
  • Show Cain and Abel video to everyone you work with.
  • Use HSTS headers with HTTPS.
  • Use Synchronizer Token to prevent CSRF attacks (or use a decent web framework).
  • Use a captcha / throttle on password attempts.
  • Use double validation for registering accounts (register sends email, clicking email link heads back to site).
  • Use one time use password reset links.
  • Send email notifications on password change attempts.
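The "one time use password reset links" item is easy to get subtly wrong (tokens that survive a second click, or that sit in the database in plaintext). The added example below, which is not from the talk, issues a random token, stores only its SHA-256 so a leaked table cannot be replayed as a link, consumes the token on first use whatever the outcome, and expires it after a 30-minute window; the in-memory dict, the TTL and the injectable clock are assumptions of this example.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 30 * 60   # assumed policy: a link dies after 30 minutes


class ResetTokenStore:
    """Issue single-use reset tokens and keep only their hashes.

    The raw token appears exactly once, in the e-mailed link; the store
    holds SHA-256(token), so a dumped table cannot be turned into links.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, for testing expiry
        self._pending = {}         # token_hash -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        # Only the newest link for a user is valid; drop any earlier ones.
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._pending[self._digest(token)] = (user_id, self._now() + RESET_TTL_SECONDS)
        return token   # caller embeds this in the e-mailed URL, never stores it

    def redeem(self, token):
        """Return the user_id if the link is valid; the token is spent either way."""
        entry = self._pending.pop(self._digest(token), None)   # pop: single use
        if entry is None:
            return None            # unknown, already used, or superseded
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None            # expired; already removed, so no retry
        return user_id
```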

Extra Credit

  • Add Honeypot Logins.
  • Use login token IDs with hidden check bits and math invariants that indicate tampering.
  • Implement a secret in the session management system to keep state on the client and verify it on server interaction for better session authentication.

OWASP also has cheat sheets which look useful if you’re putting a site together. It still disturbs me how freaking MANUAL so much of this is, but I suppose web frameworks can’t do everything for you. There are some options if you’re on Rails.

It was a surprisingly tough talk to give. At first I was like, “lol, look at all the companies with crappy security”, but it’s a murky field in general. For example, the XKCD cartoon about passphrases is missing the problem that most people type passphrases in standard English, and only use about two thousand words in general conversation. It may look like there’s more entropy generated, but if your attackers know that your customers use passphrases, you may have just made their jobs much easier.

Also, brute force cracking is surprisingly effective. MD5 and the SHA-* algorithms are inappropriate because GPUs chew through them very quickly, but the newer FPGA chips can do a reasonable implementation of bcrypt in hardware. It’s an issue that computers are fast, but a bigger problem is that they just keep getting faster.

The biggest thing has to be to not let your users pick crappy passwords. Even if you have bcrypt with all the factors, if your users are entering “12345” as the password, it’s not going to make a difference.

Exporting Typo to Disqus


The blog’s been moved over to Octopress and most of the comments have been imported. I had to do some tweaks to get the lists to inline properly but other than that it’s good.

Exporting from Typo to Disqus turned out to be a much bigger deal than I anticipated: the initial Typo -> Disqus export didn’t work because the Disqus gem would drop comments on the floor, and the various WXR export scripts I found on the web either used XML::Builder (which didn’t format / escape things correctly) or just plain had bugs in them.

On top of that, WXR is actually not valid XML itself (there’s no default namespace defined) so even if you do it correctly, it won’t validate. You just have to check it matches the import format exactly. So here’s my version.

Heuristics in Mate Search


Five Minutes of Fame talk about dating heuristics. This went much better than expected because the pictures and subject matter helped balance out the math.

Although there were a number of people afterwards who were like “too unrealistic” and I was like “yeah, this works better for interviews and college placement but whatchagonnado.”

Five Minutes of Web Frameworks


New 5MOF presentation, wherein I talk about why web applications are complicated. In five minutes.

I really need to write this up as an essay, as I think presentation objects vs domain objects are a much bigger detail than we realize.

How We Make Decisions


Five Minutes of Fame presentation on how we make decisions. This one was a lot more dry and technical, but it was a nice change of pace after bronies melted my brain.

Part of what makes this so fascinating to me is that you can actually see the algorithm that tells us “hey, we should do more of this.” That’s a huge step in knowing our blind spots.