SlideShare a Scribd company logo

Secure Password Storage & Management

Sastry Tumuluri, profile picture
Sastry Tumuluri

This document provides recommendations for password security best practices including: 1) Using cryptographically strong hashing and salts to securely store passwords and make them difficult to crack or recover. It recommends algorithms like PBKDF2, SCRYPT, and HMAC. 2) Implementing multi-factor authentication (MFA) to provide an additional layer of security beyond just a password. Factors could include email, SMS, mobile apps, or dedicated hardware tokens. 3) Designing "forgot password" and account recovery flows that rely on out-of-band verification like identity questions, randomly generated tokens, and enforcing lockout policies to securely reset passwords without compromising accounts.

Software
Related topics:
Information SecurityInsights on Software DevelopmentApplication Security
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
1 Many thanks (content & inspiration) to: Jim Manico
OWASP Top 10 - 2013
Disable Browser Autocomplete <form AUTOCOMPLETE="off"> <input AUTOCOMPLETE="off"> Only send passwords over HTTPS POST Do not display passwords in browser Input type=password Store password based on need Use a salt (de-duplication) SCRYPT/PBKDF2 (slow, performance hit, easy) HMAC (requires good key storage, tough) [2][2]Password Defenses
1) Do not limit the type of characters or length* of user password •) Limiting passwords to protect against injection is doomed to failure •) Use proper encoder and other defenses described instead Password Storage
Simple Most Common→ ● Plaintext passwords – Vulnerable to: DB Dumps Admins
Simple Most Common→ ● Encoding != Hashing – Many (mis)guides out there
Simple Most Common→ ● Encryption is not good enough – Reversible – Many “beginner's guides” use such examples – Avoiding giving the links here (out of context references!)
2) Use a Cryptographically strong credential-specific salt •) Protect ([salt] + [password]); •) Use a 32 char / 64 char salt (may depend on protection function) •) Do not depend on hiding / splitting / otherwise obscuring the salt Password Storage
3) Impose difficult verification on attacker ONLY •) HMAC-SHA256 ([private key], [salt] + [password]) •) Protect the key as any private key •) Store key outside the credential store (HSM?) •) Improvement over (solely) salted schemes; relies on proper key creation & management Password Storage
4) Impose difficult verification on both (impacts attacker more than defender) •) pbkdf2([salt] + [password], c=10,000,000); •) PBKDF2 when FIPS certification or enterprise support on many platforms required •) Scrypt when resisting hardware accelerated attacks is more important Password Storage
Single Sign On Considerations ● Enterprise integration scenarios – Highly recommended (secure it once) ● General principles – Login screen must be served directly by the IdM system – IdM system authenticates and issues “a token” (to client) – IdM system maintains strong password policy – Relying Parties (applications) receive token from client – RPs verify token validity with IdM before starting a session – RPs check authorization separately
Basic MFA Considerations 12 • Where do you send the token? – Email (worst – yet, better than none!) – SMS (ok) – Mobile native app (good) – Dedicated token (great) – Printed Tokens (interesting) • How do you handle thick clients? – Email services, for example – Dedicated and strong per-app passwords
Basic MFA Considerations 13 • How do you handle unavailable MFA devices? – Printed back-up codes – Fallback mechanism (like email) – Call-in center • How do you handle mobile apps? – When is MFA not useful in mobile app scenarios?
“Forgot Password” design Require identity questions Last name, account number, email, DOB Enforce lockout policy Ask one or more good security questions  https://www.owasp.org/index.php/Choosing_and_Using_Security_Ques tions_Cheat_Sheet Send the user a randomly generated token via out-of-band email, SMS or hardware / software token generator Verify code in same web session Enforce lockout policy Change password Enforce password policy
Thank you!

More Related Content

PPTX
Victory Text Message Platform
VictorySolutions2014
 
PDF
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
PDF
Hickman threat modeling
jonecx
 
PDF
Robert Hurlbut - Threat Modeling for Secure Software Design
centralohioissa
 
PDF
ATP Technology Pillars
Priyanka Aash
 
PDF
Web application security (RIT 2014, rus)
Maksim Kochkin
 
PDF
OWASP Top 10 Overview
PiTechnologies
 
PPTX
Owasp web security
Pankaj Kumar Sharma
 
Victory Text Message Platform
VictorySolutions2014
 
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
Hickman threat modeling
jonecx
 
Robert Hurlbut - Threat Modeling for Secure Software Design
centralohioissa
 
ATP Technology Pillars
Priyanka Aash
 
Web application security (RIT 2014, rus)
Maksim Kochkin
 
OWASP Top 10 Overview
PiTechnologies
 
Owasp web security
Pankaj Kumar Sharma
 

Viewers also liked (20)

PPTX
Web application Security
Lee C
 
PDF
Application Security around OWASP Top 10
Sastry Tumuluri
 
PDF
End to end web security
George Boobyer
 
PDF
Web security: OWASP project, CSRF threat and solutions
Fabio Lombardi
 
PPTX
[Wroclaw #1] Android Security Workshop
OWASP
 
PPT
Owasp Top 10
Shivam Porwal
 
PPTX
Improving web application security, part ii
Kangkan Goswami
 
PDF
Application Threat Modeling
Priyanka Aash
 
PPTX
Threat Modeling And Analysis
Lalit Kale
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
PDF
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Cheng-Yi Yu
 
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
PDF
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthinkspa
 
PDF
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
 
ODP
Top 10 Web Security Vulnerabilities
Carol McDonald
 
PDF
Android Security & Penetration Testing
Subho Halder
 
PDF
Deep Dive Into Android Security
Marakana Inc.
 
PDF
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
PDF
Brief Tour about Android Security
National Cheng Kung University
 
PDF
Android Security Development
hackstuff
 
Web application Security
Lee C
 
Application Security around OWASP Top 10
Sastry Tumuluri
 
End to end web security
George Boobyer
 
Web security: OWASP project, CSRF threat and solutions
Fabio Lombardi
 
[Wroclaw #1] Android Security Workshop
OWASP
 
Owasp Top 10
Shivam Porwal
 
Improving web application security, part ii
Kangkan Goswami
 
Application Threat Modeling
Priyanka Aash
 
Threat Modeling And Analysis
Lalit Kale
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Android Security Development - Part 2: Malicious Android App Dynamic Analyzi...
Cheng-Yi Yu
 
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthinkspa
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
 
Top 10 Web Security Vulnerabilities
Carol McDonald
 
Android Security & Penetration Testing
Subho Halder
 
Deep Dive Into Android Security
Marakana Inc.
 
Testing Android Security Codemotion Amsterdam edition
Jose Manuel Ortega Candel
 
Brief Tour about Android Security
National Cheng Kung University
 
Android Security Development
hackstuff
 
Ad

Similar to Secure Password Storage & Management (20)

PPT
Top Ten Web Application Defenses v12
Jim Manico
 
PDF
Securing our digital life, presentation for Samoa IT Association (SITA) Tech ...
APNIC
 
PPTX
Defending web applications v.1.0
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
PDF
2013 OWASP Top 10
bilcorry
 
PPT
Defcon9 Presentation2001
Miguel Ibarra
 
PPT
Web Application Security - "In theory and practice"
Jeremiah Grossman
 
PDF
Single sign on (SSO) How does your company apply?
Đỗ Duy Trung
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
PPTX
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 
PDF
Attacking SSO (SAML) - Breaking into the front door of Authentication
Amit Kumar
 
PPTX
Cross Site Scripting: Prevention and Detection(XSS)
Aman Singh
 
PDF
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
PROIDEA
 
PDF
New Security Issues related to Embedded Web Servers
Eric Vétillard
 
PDF
Web Security 101
Brent Shaffer
 
PPT
Xss talk, attack and defense
Prakashchand Suthar
 
PPTX
[OPD 2019] Inter-application vulnerabilities
OWASP
 
PPTX
[OWASP Poland Day] Application security - daily questions & answers
OWASP
 
PPTX
Flaws of password-based authentication
sluge
 
PPTX
Browser Security 101
Stormpath
 
PPTX
HTTP Services & REST API Security
Taiseer Joudeh
 
Top Ten Web Application Defenses v12
Jim Manico
 
Securing our digital life, presentation for Samoa IT Association (SITA) Tech ...
APNIC
 
Defending web applications v.1.0
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
2013 OWASP Top 10
bilcorry
 
Defcon9 Presentation2001
Miguel Ibarra
 
Web Application Security - "In theory and practice"
Jeremiah Grossman
 
Single sign on (SSO) How does your company apply?
Đỗ Duy Trung
 
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 
Attacking SSO (SAML) - Breaking into the front door of Authentication
Amit Kumar
 
Cross Site Scripting: Prevention and Detection(XSS)
Aman Singh
 
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
PROIDEA
 
New Security Issues related to Embedded Web Servers
Eric Vétillard
 
Web Security 101
Brent Shaffer
 
Xss talk, attack and defense
Prakashchand Suthar
 
[OPD 2019] Inter-application vulnerabilities
OWASP
 
[OWASP Poland Day] Application security - daily questions & answers
OWASP
 
Flaws of password-based authentication
sluge
 
Browser Security 101
Stormpath
 
HTTP Services & REST API Security
Taiseer Joudeh
 
Ad

Recently uploaded (20)

PDF
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
17 Powerful Integrations Your Next-Gen MLM Software Needs
ventaforcemlmsoftwar
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PDF
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
Download FL Studio Crack Latest version 2025 ?
ghrom2211g
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PPTX
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
iTop VPN 6.5.0 Crack + License Key 2025 (Premium Version)
youngle786g
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PPTX
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
PDF
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
17 Powerful Integrations Your Next-Gen MLM Software Needs
ventaforcemlmsoftwar
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Download FL Studio Crack Latest version 2025 ?
ghrom2211g
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Transform Your Business with a Software ERP System
Canada Software Company
 
iTop VPN 6.5.0 Crack + License Key 2025 (Premium Version)
youngle786g
 
assetexplorer- product-overview - presentation
nonameist3434
 
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 

Secure Password Storage & Management

  • 1. 1 Many thanks (content & inspiration) to: Jim Manico
  • 2. OWASP Top 10 - 2013
  • 3. Disable Browser Autocomplete <form AUTOCOMPLETE="off"> <input AUTOCOMPLETE="off"> Only send passwords over HTTPS POST Do not display passwords in browser Input type=password Store password based on need Use a salt (de-duplication) SCRYPT/PBKDF2 (slow, performance hit, easy) HMAC (requires good key storage, tough) [2][2]Password Defenses
  • 4. 1) Do not limit the type of characters or length* of user password •) Limiting passwords to protect against injection is doomed to failure •) Use proper encoder and other defenses described instead Password Storage
  • 5. Simple Most Common→ ● Plaintext passwords – Vulnerable to: DB Dumps Admins
  • 6. Simple Most Common→ ● Encoding != Hashing – Many (mis)guides out there
  • 7. Simple Most Common→ ● Encryption is not good enough – Reversible – Many “beginner's guides” use such examples – Avoiding giving the links here (out of context references!)
  • 8. 2) Use a Cryptographically strong credential-specific salt •) Protect ([salt] + [password]); •) Use a 32 char / 64 char salt (may depend on protection function) •) Do not depend on hiding / splitting / otherwise obscuring the salt Password Storage
  • 9. 3) Impose difficult verification on attacker ONLY •) HMAC-SHA256 ([private key], [salt] + [password]) •) Protect the key as any private key •) Store key outside the credential store (HSM?) •) Improvement over (solely) salted schemes; relies on proper key creation & management Password Storage
  • 10. 4) Impose difficult verification on both (impacts attacker more than defender) •) pbkdf2([salt] + [password], c=10,000,000); •) PBKDF2 when FIPS certification or enterprise support on many platforms required •) Scrypt when resisting hardware accelerated attacks is more important Password Storage
  • 11. Single Sign On Considerations ● Enterprise integration scenarios – Highly recommended (secure it once) ● General principles – Login screen must be served directly by the IdM system – IdM system authenticates and issues “a token” (to client) – IdM system maintains strong password policy – Relying Parties (applications) receive token from client – RPs verify token validity with IdM before starting a session – RPs check authorization separately
  • 12. Basic MFA Considerations 12 • Where do you send the token? – Email (worst – yet, better than none!) – SMS (ok) – Mobile native app (good) – Dedicated token (great) – Printed Tokens (interesting) • How do you handle thick clients? – Email services, for example – Dedicated and strong per-app passwords
  • 13. Basic MFA Considerations 13 • How do you handle unavailable MFA devices? – Printed back-up codes – Fallback mechanism (like email) – Call-in center • How do you handle mobile apps? – When is MFA not useful in mobile app scenarios?
  • 14. “Forgot Password” design Require identity questions Last name, account number, email, DOB Enforce lockout policy Ask one or more good security questions  https://www.owasp.org/index.php/Choosing_and_Using_Security_Ques tions_Cheat_Sheet Send the user a randomly generated token via out-of-band email, SMS or hardware / software token generator Verify code in same web session Enforce lockout policy Change password Enforce password policy