Password and Credential Management in 2018 🔒

State of the art security for the most valuable secrets

Introduction

Chapters

Password Handling in 2018

Multiple layers of protection for passwords ✔️

The password flow

Password flow through the software system, with ever increasing security 🔒

Normalization

Client-side password permutation and normalization

KDF (Password hashing functions)

Usage of KDF

Server-side salting with a strong KDF. On the left the conservative way with bcrypt. On the right the futuristic version with Argon2d

Symmetric Encryption

“These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.”, Bruce Schneier

Symmetric encryption before persisting the hash into a database. On the left the conservative way with AES256-GCM. On the right the futuristic version with ChaCha20-Poly1305

The final result

All layers of protection previously explained combined in one picture

Please let me know your thoughts about this way of handling user passwords in the comments. How do you handle it at the moment? Is something new to you or should be explained in more detail? Let me know!

Other Credentials (Token, Secrets, …)

If a database leak happens, we don’t want the attacker …

Real world example

Twitter “Get backup code” ❌ (Screenshot captured: 2018–08–12)
Google “Show Backup Codes” ❌ (Screenshot captured: 2018–08–12)

Implementation

usru kbvj nmvg xly5 4qh3 jnk6 jd2n iadm
Information that is persisted into the database

The End. Thanks for reading, Florian

Credits

Need help?

I always have an open ear — florian@harwoeck.at — just contact me!

License

References

Student for computer science from Austria. (Software&Security) Engineer 🤓 Gopher 🐹❤️

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store