9 Hack Yourself First m10 Slides
Troy Hunt
troyhunt.com
@troyhunt
Outline
Remote
Man-in-the-middle attack against the transport layer
Password retrieved after being sent in an email
Accounts brute-forced via HTTP posts
Admin facility compromised
SQL injection risk exploited
Local
Passwords retrieved from a backup
Admins with direct access to password storage
Brute force attacks against password cryptography
Common password storage practices
Plain text
There’s no cryptography; everything is immediately exposed if the password storage is breached
Encrypted
Encryption (usually via a symmetric key) exists, but… there’s also decryption
Hashed
A one-way, deterministic algorithm, which means that passwords can’t be unhashed
Protecting against authentication brute force
Account lockout
Disable the account after X failed login attempts
…but then you need a mechanism to re-enable it
Restrict logon attempts by IP address
Set an allowable “rate” at which the same IP may attempt to log in
…but attackers may have many IPs and legitimate users may share IPs
Fingerprint the client and scale the rate
Uniquely identify the client based on request attributes, then slow the rate at which they can attempt to logon
…but the fingerprint can be manipulated by an attacker
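Added example, not from the course slides: one way to combine the three controls above (account lockout with automatic re-enable, a per-IP rate window, and a fingerprint-scaled delay) in a single login throttle. The thresholds, class and method names are assumptions, and the clock is injected so the behaviour is deterministic.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed thresholds for this example (not values from the slides).
ACCOUNT_LOCKOUT_ATTEMPTS = 5      # disable the account after X failures...
ACCOUNT_LOCKOUT_SECONDS = 900     # ...and re-enable it automatically after this
IP_WINDOW_SECONDS = 60
IP_MAX_ATTEMPTS_PER_WINDOW = 20   # allowable "rate" for one IP


class LoginThrottle:
    """Combines account lockout, per-IP rate limiting and fingerprint-based
    delay scaling. `now` is injected so the example runs deterministically."""

    def __init__(self, now=time.time):
        self._now = now
        self._failures = defaultdict(int)       # username -> consecutive failures
        self._locked_until = {}                 # username -> unix time
        self._ip_attempts = defaultdict(deque)  # ip -> timestamps of attempts
        self._fp_failures = defaultdict(int)    # fingerprint -> failures

    @staticmethod
    def fingerprint(ip, user_agent, accept_language):
        # Caveat from the slides: every input here is client-supplied, so the
        # fingerprint raises the cost of evasion; it does not prevent it.
        raw = "|".join((ip, user_agent, accept_language))
        return hashlib.sha256(raw.encode()).hexdigest()[:16]

    def check(self, username, ip, fingerprint):
        """Return (allowed, delay_seconds, reason) for a new login attempt."""
        now = self._now()
        if now < self._locked_until.get(username, 0):
            return False, 0, "account locked"
        window = self._ip_attempts[ip]
        while window and now - window[0] > IP_WINDOW_SECONDS:
            window.popleft()                    # drop attempts outside the window
        if len(window) >= IP_MAX_ATTEMPTS_PER_WINDOW:
            return False, 0, "ip rate exceeded"
        window.append(now)
        # Scale the delay with this client's failure history (capped at 30s).
        delay = min(2 ** self._fp_failures[fingerprint] - 1, 30)
        return True, delay, "ok"

    def record(self, username, fingerprint, success):
        """Update counters after the credential check has run."""
        if success:
            self._failures[username] = 0
            self._fp_failures[fingerprint] = 0
            return
        self._failures[username] += 1
        self._fp_failures[fingerprint] += 1
        if self._failures[username] >= ACCOUNT_LOCKOUT_ATTEMPTS:
            self._locked_until[username] = self._now() + ACCOUNT_LOCKOUT_SECONDS
            self._failures[username] = 0
```

The timed re-enable is the "mechanism to re-enable it" the slides call for; a per-account lock still lets a remote attacker deny service to a known username, which is why the IP and fingerprint layers sit beside it rather than replace it.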
Summary