Title
80,000 Plaintext Passwords
Description
fluffmuffin, peppercorn, gilligan — those are just a few of our users' plaintext passwords. I have 80,000 more, and it only took me 87 seconds to gather them from our customer database in a white-hat attack. In Act I, we'll cover the history of secure password storage, examine the hack, and mitigate the threat. Act II will address the difficulties of working on libraries with complicated external dependencies (like bcrypt-ruby, of which I'm now a maintainer). In Act III, we'll celebrate the power of global collaboration via OSS. [Scene.] Help us caption & translate this video! http://amara.org/v/F0oq/
Summary
In the talk "80,000 Plaintext Passwords," T.J. Schuck discusses why secure password storage matters for any application that keeps user credentials. The presentation unfolds in three acts: historical context, security practice, and open source collaboration. The speaker illustrates common weaknesses with a narrative about users who choose simple passwords, including humorous anecdotes about pets like "Peppercorn."

### Key Points

- **Introduction to Password Security**
  - Schuck emphasizes that developers must understand security themselves; ignorance is not a defense against breaches.
- **Different Security Layers**
  - Discusses multi-layered security and how a single failed layer can lead to compromise.
- **Password Storage Techniques**
  - Explains the difference between plaintext storage and hashing.
  - Shows why reversible transforms are inadequate, using ROT13 as an example: anyone who obtains the stored value can simply reverse it.
  - Proposes hashing as the better alternative but warns of its own risks, notably rainbow tables and other precomputed hash tables that let attackers recover common passwords from unsalted hashes.
- **Real Case of Password Extraction**
  - Shares a personal anecdote: in a white-hat attack on his own company's customer database he recovered 80,000 passwords in 87 seconds, showing how quickly weak user passwords fall when the storage scheme offers no real resistance to guessing.
- **Mitigating Password Vulnerabilities**
  - Proposes bcrypt for password hashing: it salts every password, which defeats precomputed tables, and it is deliberately computationally expensive, so an attacker must pay that cost for every guess against every user.
  - Discusses bcrypt's adaptive cost factor, which can be raised as computing power increases over time.
- **Transitioning Existing Passwords to Better Security**
  - Describes how to convert existing SHA-1 hashed passwords to bcrypt gradually, without disrupting users.
- **Challenges in Open Source Contribution**
  - Shares personal experiences maintaining the bcrypt-ruby library, highlighting challenges such as dependency management and keeping the code working across multiple platforms.
- **Encouraging Collaboration**
  - Concludes by recognizing the value of collaborative open-source work and encourages viewers to engage with and support maintainers in the community.

### Conclusion

- Schuck emphasizes the importance of secure practices when handling passwords and urges developers to adopt bcrypt, contributing to a culture of security awareness and collaboration in software development.
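The storage, cracking and migration points summarized above, as an added example that is not code from the talk or from bcrypt-ruby. Ruby's standard-library PBKDF2-HMAC-SHA256 stands in for bcrypt so the code runs without the bcrypt gem; in production you would use `BCrypt::Password` from bcrypt-ruby as the talk recommends. The `PasswordStore` module, its `$pbkdf2$...` record format, the `$sha1-wrapped` marker and the cost scale are all hypothetical. The block shows why a table of unsalted SHA-1 hashes falls to a precomputed wordlist, how a salted, adjustable-cost hash is stored and verified, and a two-step migration (wrap every legacy hash offline, then rehash from the plaintext at the user's next login) that needs no password reset.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Added example, not code from the talk or from bcrypt-ruby. PBKDF2-HMAC-SHA256
# from Ruby's standard library stands in for bcrypt so this runs without the
# bcrypt gem; in production use BCrypt::Password from bcrypt-ruby instead.
# The record format, the "$sha1-wrapped" marker and the cost scale are
# hypothetical: cost here is log2(iterations), loosely mirroring bcrypt's cost
# factor, but PBKDF2 needs far more iterations than bcrypt for the same attacker
# cost, so do not copy these numbers into a real system.
module PasswordStore
  DEFAULT_COST  = 17               # 2**17 iterations; raise as hardware improves
  KEY_LEN       = 32
  LEGACY_PREFIX = '$sha1-wrapped'

  # Stored form: "$pbkdf2$<cost>$<hex salt>$<hex digest>". Cost and salt travel
  # with the hash, so the cost can be raised later without breaking old records.
  def self.create(password, cost: DEFAULT_COST)
    salt = SecureRandom.hex(16)    # fresh 128-bit salt per password
    "$pbkdf2$#{cost}$#{salt}$#{derive(password, salt, cost)}"
  end

  def self.derive(password, salt_hex, cost)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: [salt_hex].pack('H*'),
                             iterations: 2**cost, length: KEY_LEN,
                             hash: 'sha256').unpack1('H*')
  end

  def self.cost_of(stored)
    stored.split('$')[2].to_i
  end

  # Constant-time comparison so verification time does not leak how many
  # leading bytes of a guess matched the stored digest.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.verify(password, stored)
    _, scheme, cost, salt, digest = stored.split('$')
    return false unless scheme == 'pbkdf2' && salt && digest
    secure_compare(derive(password, salt, cost.to_i), digest)
  end

  # Why the old scheme fails: with an unsalted fast hash an attacker hashes a
  # wordlist once and looks every stored value up in the resulting table.
  def self.crack_unsalted_sha1(stored_hashes, wordlist)
    table = wordlist.each_with_object({}) { |w, h| h[Digest::SHA1.hexdigest(w)] = w }
    stored_hashes.map { |h| table[h] }.compact
  end

  # Migration step 1, run offline with no user involvement: wrap every legacy
  # SHA-1 hash in the slow salted hash immediately, so a database dump no
  # longer exposes crackable fast hashes while users trickle in.
  def self.wrap_legacy(sha1_hex, cost: DEFAULT_COST)
    LEGACY_PREFIX + create(sha1_hex, cost: cost)
  end

  # Migration step 2, at login: verify against whichever form is stored and,
  # now that the plaintext is in hand, return a fresh record to write back
  # (also when the stored cost is below the current target).
  # Returns [authenticated?, replacement_record_or_nil].
  def self.authenticate(password, stored, cost: DEFAULT_COST)
    if stored.start_with?(LEGACY_PREFIX)
      inner = stored[LEGACY_PREFIX.length..-1]
      ok = verify(Digest::SHA1.hexdigest(password), inner)
      return [ok, ok ? create(password, cost: cost) : nil]
    end
    ok = verify(password, stored)
    [ok, (ok && cost_of(stored) < cost) ? create(password, cost: cost) : nil]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data, not from the talk's database.
  users = { 'alice' => Digest::SHA1.hexdigest('peppercorn'),
            'bob'   => Digest::SHA1.hexdigest('fluffmuffin') }
  puts "cracked: #{PasswordStore.crack_unsalted_sha1(users.values, %w[gilligan peppercorn])}"
  wrapped = PasswordStore.wrap_legacy(users['alice'], cost: 10)
  ok, upgraded = PasswordStore.authenticate('peppercorn', wrapped, cost: 10)
  puts "login ok=#{ok}, upgraded record: #{upgraded}"
end
```

The wrap-then-rehash order matters: wrapping alone already removes the fast hashes from the database, and the login-time rehash is what eventually retires the SHA-1 layer entirely. Because the cost is stored with each record, the same `authenticate` path also upgrades records whenever `DEFAULT_COST` is raised.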