Best Practices for Secure Password Storage - OWASP Foundation Guidelines

Slide Note
Embed
Share

Learn about secure password storage techniques recommended by OWASP Foundation, including adding salt, slowing down hashing functions, using HMAC isolation, and imposing difficult verification processes on attackers. Remember to use proper encoding, avoid limiting password types or lengths unreasonably, and implement strong credential-specific salts. Stay cautious of unlimited password sizes, and consider techniques like HMAC-SHA-256, PBKDF2, and SCRYPT for robust protection against various attacks.

jmull
jmull Follow

Uploaded on Sep 26, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. The OWASP Foundation http://www.owasp.org Secure Password Storage Verify Only Add Salt Slow Down (or) HMAC/Isolation

  2. The OWASP Foundation http://www.owasp.org

  3. The OWASP Foundation http://www.owasp.org http://www.md5decrypter.co.uk md5("password123!") = b7e283a09511d95d6eac86e39e7942c0 md5("86e39e7942c0password123!") = f3acf5189414860a9041a5e9ec1079ab

  4. The OWASP Foundation http://www.owasp.org 1) Do not limit the type of characters or length of user password within reason Limiting passwords to protect against injection is doomed to failure Use proper encoder and other defenses described instead Be wary of systems that allow unlimited password sizes (Django DOS Sept 2013)

  5. The OWASP Foundation http://www.owasp.org 2) Use a cryptographically strong credential-specific salt protect( [salt + password] ); Use a 32char or 64char salt (actual size dependent on protection function); Do not depend on hiding, splitting, or otherwise obscuring the salt

  6. The OWASP Foundation http://www.owasp.org 3a) Impose difficult verification on [only] the attacker HMAC-SHA-256 ( private key, [salt + password] ) Protect this key as any private key using best practices Store the key outside the credential store Build the password-to-HMAC conversion as a separate web-service (cryptographic isolation).

  7. The OWASP Foundation http://www.owasp.org 3b) Impose difficult verification on the attacker and defender (weak/slow) PBKDF2( [salt + password], c=10,000,000 ); Use PBKDF2 when FIPS certification or enterprise support on many platforms is required SCRYPT([salt + password], work factor 10, .5 GB ram) Use SCRYPT where resisting any/all hardware accelerated attacks is necessary but enterprise support and scale is not

  8. The OWASP Foundation http://www.owasp.org Password1!

  9. The OWASP Foundation http://www.owasp.org Google, Facebook, PayPal, Apple, AWS, Dropbox, Twitter Blizzard's, Valve's Steam, Yahoo, Chase, RBS Bank

  10. Forgot Password Secure Design The OWASP Foundation http://www.owasp.org Require identity questions Last name, account number, email, DOB Enforce lockout policy Ask one or more good security questions https://www.owasp.org/index.php/Choosing_and_Using_Secur ity_Questions_Cheat_Sheet Send the user a randomly generated token via out-of-band email, SMS or token Verify code in same web session Enforce lockout policy Change password Enforce password policy

Related


Exploring OWASP: A Comprehensive Look at Application Security and Tools

Exploring OWASP: A Comprehensive Look at Application Security and Tools

kaiya
OWASP Bricks - Web Application Security Learning Platform

OWASP Bricks - Web Application Security Learning Platform

aleia
Understanding the Importance of OWASP Dependency-Check Project

Understanding the Importance of OWASP Dependency-Check Project

gwilk
Cybersecurity Best Practices for Password Protection and Incident Response

Cybersecurity Best Practices for Password Protection and Incident Response

aarav
Modern Threat Modeling & Cloud Systems in OWASP Sacramento

Modern Threat Modeling & Cloud Systems in OWASP Sacramento

maven
Understanding Fine-Grained Password Policies in Active Directory

Understanding Fine-Grained Password Policies in Active Directory

jasmarie
Data Protection Best Practices for Secure Storage and File Encryption

Data Protection Best Practices for Secure Storage and File Encryption

dessi
Various Structures for Seed Storage and Improved Rural Storage Methods

Various Structures for Seed Storage and Improved Rural Storage Methods

theodora
Understanding Tape Storage: LTO and LTFS Overview

Understanding Tape Storage: LTO and LTFS Overview

felicia
PELICAN: A Building Block for Exascale Cold Data Storage

PELICAN: A Building Block for Exascale Cold Data Storage

bielecki_b
Nicor Gas Supply and Storage Overview

Nicor Gas Supply and Storage Overview

shouryad
Evolution of Ceph's Storage Backends: Lessons Learned

Evolution of Ceph's Storage Backends: Lessons Learned

jessa
Tamper-Evident Pairing (TEP) Protocol for Secure Wireless Pairing Without Passwords

Tamper-Evident Pairing (TEP) Protocol for Secure Wireless Pairing Without Passwords

quer_sna
Best Practices for Securing Linux Systems

Best Practices for Securing Linux Systems

kaelonca
Strengthen Your Digital Literacy with Strong Password Strategies

Strengthen Your Digital Literacy with Strong Password Strategies

eleonora
Safely Logging Password-Derived Measurements for Web Login Systems

Safely Logging Password-Derived Measurements for Web Login Systems

mar_ech
Interactive Password Security Activity for Children

Interactive Password Security Activity for Children

rdoll
Challenges and Opportunities in Scientific Storage of Grains

Challenges and Opportunities in Scientific Storage of Grains

sak_h
HPE Nimble Storage Solutions: Starter Kits Promotion

HPE Nimble Storage Solutions: Starter Kits Promotion

avarose
IGU Gas Storage Committee 2022-23 Meeting Highlights

IGU Gas Storage Committee 2022-23 Meeting Highlights

soul
Overview of EGI Online Storage Service Architecture and Interfaces

Overview of EGI Online Storage Service Architecture and Interfaces

lepe_a
Gas Storage Investment Workshop Insights

Gas Storage Investment Workshop Insights

gdena
International Workshop on Offshore CO2 Storage: Goals, Expectations, Logistics

International Workshop on Offshore CO2 Storage: Goals, Expectations, Logistics

tova
Advancing Innovation and Technologies in Gas Storage Operations

Advancing Innovation and Technologies in Gas Storage Operations

xerxes

More Related Content

New Storage Requirements for Lithium Batteries in International Fire Code
New Storage Requirements for Lithium Batteries in International Fire Code
Enhancing Security with Windows Hello for Business
Enhancing Security with Windows Hello for Business
Understanding Device Settings and Strong Passwords for Digital Citizenship
Understanding Device Settings and Strong Passwords for Digital Citizenship
Promote Feature Adoption with Self-Service Password Reset Posters
Promote Feature Adoption with Self-Service Password Reset Posters
Guide to Logging in and Setting Up Core-CT for the First Time
Guide to Logging in and Setting Up Core-CT for the First Time
Techniques and Tools for Offline Password Cracking
Techniques and Tools for Offline Password Cracking
Data Storage, Backup, and Security Essentials
Data Storage, Backup, and Security Essentials
Research Data Classification and Secure Storage Options
Research Data Classification and Secure Storage Options
Foodservice Facility Management Guidelines
Foodservice Facility Management Guidelines
Food Storage Guidelines and Labeling Requirements
Food Storage Guidelines and Labeling Requirements
Overview of Mass Storage Systems in Computer Engineering
Overview of Mass Storage Systems in Computer Engineering
Effective Storing Techniques for Agricultural Produce
Effective Storing Techniques for Agricultural Produce
Storage Benchmark Proposal for NFVI Performance Measurement
Storage Benchmark Proposal for NFVI Performance Measurement
Exploring Pumped Hydro Energy Storage Technologies
Exploring Pumped Hydro Energy Storage Technologies
Managing Spent Nuclear Fuel Storage at Commercial Power Plants
Managing Spent Nuclear Fuel Storage at Commercial Power Plants
Improving Southern Warehouse: Cold Storage Project Proposal
Improving Southern Warehouse: Cold Storage Project Proposal
Challenges and Solutions in Crop Storage in Tropical Regions
Challenges and Solutions in Crop Storage in Tropical Regions
Efficient Rekeying for Encrypted Deduplication Storage
Efficient Rekeying for Encrypted Deduplication Storage
Navigating Foundation Funding Opportunities with Penn State's Office of Foundation Relations
Navigating Foundation Funding Opportunities with Penn State's Office of Foundation Relations
The Rockefeller Foundation: Philanthropic Legacy and Impact in India
The Rockefeller Foundation: Philanthropic Legacy and Impact in India
Essential Guide to Data Storage and Backup
Essential Guide to Data Storage and Backup
Step-by-Step Guide to Creating a Wikipedia Account
Step-by-Step Guide to Creating a Wikipedia Account
Password Cracking Techniques and Remote Desktop Access Setup
Password Cracking Techniques and Remote Desktop Access Setup
Conroe ISD Child Nutrition Curbside Food Safety Guidelines and Meal Storage Instructions
Conroe ISD Child Nutrition Curbside Food Safety Guidelines and Meal Storage Instructions