Talks
Fantastic Passwords and Where to Find Them

Summarized using AI

Fantastic Passwords and Where to Find Them

Phil Nash • August 21, 2020 • online

The video titled Fantastic Passwords and Where to Find Them, presented by Phil Nash at the #NoRuKo conference, addresses the fundamental issues surrounding password security in our digital age. Phil, a developer evangelist for Twilio and an expert in web development, discusses the shortcomings of current password practices while suggesting improvements to enhance user security.

Key Points Discussed:

  • Inadequate Password Practices: Phil shares his personal experiences with weak passwords, illustrating how common guidelines can lead users to create easily guessable passwords like 'password1' or 'Logitech1'.
  • Common Password Patterns: He highlights a report from the Western Australian government, which showed a significant number of users still choosing weak passwords, emphasizing patterns like time-related phrases and common word combinations, demonstrating that these can be easily exploited by attackers.
  • The Need for Stronger Guidelines: Phil criticizes outdated password regulations that enforce complex combinations of letters, numbers, and symbols. He argues that these rules actually lead to predictable password choices and highlights the NIST's updated recommendations for longer passphrases of 13 characters or more, including the use of spaces and emojis.
  • Password Managers and Security Measures: While acknowledging the usefulness of password managers, he notes that many users remain unaware of them and continue to reuse passwords across sites. He advises developers to incorporate these tools into their applications.
  • Implementation Strategies: Phil suggests developers enforce better password practices in their systems by increasing minimum character requirements and employing libraries like ‘no-password’ and ‘zxcvbn’ to validate password strength proactively.
  • Utilization of APIs like 'Have I Been Pwned': He promotes the importance of utilizing the 'pwned passwords' API, which can check if passwords have been compromised without exposing them, allowing users to remain secure by preventing the use of known weak passwords.
  • The Importance of Continuous Security Practices: Phil stresses that protecting user passwords requires ongoing commitment and adaptation of security measures, along with encouraging multi-factor authentication and proactive password monitoring.

Conclusion:

Phil Nash concludes with a call to action for developers to advocate for better password habits among users, emphasizing the collective responsibility to improve password security. He suggests utilizing available tools to maintain strong security practices. By adapting to newer guidelines and promoting password managers, developers can greatly enhance online security measures.

Overall, the conversation underscores the urgent need for a re-evaluation of how passwords are handled and the necessity of equipping users with effective resources to safeguard their digital identities.

Fantastic Passwords and Where to Find Them
Phil Nash • August 21, 2020 • online

The humble password is broken. The internet is littered with poor security practices and password breaches, but the world is not ready to go password free yet. So what can we do to protect our users? Let's take a look at how we currently protect passwords, at what we can throw away from those processes and what we can bring in to help strengthen our users' passwords. We'll investigate the tools, practices and APIs that can help us in this endeavour. Together we can move the world from *password1* to *correct horse battery staple* and beyond!

Phil is a developer evangelist for Twilio and a Google Developer Expert. He's been in the web industry for 10 years building with JavaScript and Ruby. He can be found hanging out at meetups and conferences, playing with new technologies and APIs or writing open source code online. Sometimes he makes his own beer, but he's more likely to be found discovering new ones around the world.

Welcome to the #NoRuKo conference. A virtual unconference organized by Stichting Ruby NL.

#NoRuKo playlist with all talks and panels: https://www.youtube.com/playlist?list=PL9_A7olkztLlmJIAc567KQgKcMi7-qnjg

Recorded 21th of August, 2020.
NoRuKo website: https://noruko.org/
Stichting Ruby NL website: https://rubynl.org/

NoRuKo 2020

00:00:00.240 As far as I know, we have Phil in our stream set up. Phil is a developer and an evangelist for Twilio, as well as a Google Developer Expert. He has been a web development professional for about 10 years, building with both JavaScript and Ruby. He frequently attends meetups and conferences, experiments with new technologies and APIs, and writes open source code online. Sometimes he brews his own beer, but he's more likely to be found discovering new ones across the globe.
00:00:11.679 Welcome to the #NoRuKo conference, a virtual unconference organized by Stichting Ruby NL. You can find the #NoRuKo playlist with all talks and panels on YouTube. This event was recorded on August 21, 2020. For more information, you can visit the NoRuKo website or Stichting Ruby NL website.
00:00:58.879 Phil, hello! Oh wow, we're on! Thank you for the introduction and for organizing this event. It is an absolute delight to be here today and talk to you about passwords. As mentioned, my name is Phil Nash, and I'm a developer evangelist for Twilio. I am coming to you live from Melbourne, Australia, where it has just turned over midnight. Saturday is looking quite nice from where I am, though I'm currently not allowed outside due to a strict lockdown. Nevertheless, it's great to connect with all of you.
00:01:58.240 You can find me online at various platforms, where I'm basically Phil Nash everywhere except for Twitch, where I'm Phil underscore Nash. Come find me there and hang out if you want to. Now, let's talk about passwords. I want to share my first password with you, which is kind of embarrassing. It was my first password for a computer login system at my school. I was young and foolish and didn't know much about security.
00:02:35.760 My first password was four characters long, all in lowercase, and it was my last name. Honestly, this should have been a warning that it was not safe. However, my friends eventually hacked into my account. They didn't do much with it because we were young and there wasn't much on the internet at the time. Suffice it to say, this should have taught me a lesson, but it really didn't. My next password was still just four characters long, still all lowercase, but I thought ‘atom’ was a cool password. Clearly, not a wise choice.
00:03:33.200 The truth is, I got hacked, and this happens to so many people these days because passwords are fundamentally flawed. It wasn't really my fault; I was a kid just making poor decisions about security. I think we can all agree that passwords are terrible. If you disagree, let me outline why. First, the guidelines we have are mostly wrong, largely difficult, and often incorrect.
00:04:12.840 These guidelines tell us that passwords must contain at least eight characters, a capital letter, a number, and a special character. In theory, if you penned a puzzle following those guidelines, it might be secure. However, the reality is we often create passwords like ‘password1’ thinking they are safe, when in fact they are incredibly guessable. The need to change passwords regularly leads us down the same paths, resulting in variations like ‘password123’ or ‘password1!’ which are still very insecure.
00:05:40.640 What we're effectively doing is creating patterns with our passwords. An attacker can exploit these patterns. Passwords we think are secure, like ‘Password123!’, are based on recognizable schemas, rendering them vulnerable to guessing attacks.
00:06:11.520 It's been demonstrated that other people will use patterns to attempt to guess passwords. It’s not just a matter of law; developers have to protect users from themselves. We’re responsible for ensuring that users are creating passwords that won’t get them hacked.
00:06:37.680 Let me present an example. A couple of years ago, the Western Australian government conducted a security audit of passwords used in their systems. They assessed 234,000 passwords, finding that a quarter of them were deemed weak. Over 1,400 of them were simply ‘password123’. This shows that many people's passwords are easily guessable.
00:07:00.240 Interestingly, there were clear patterns among users. There were examples of time-related passwords like ‘October2017’ or ‘Welcome1’. My favorite was ‘Logitech1’, where users evidently looked at their desks for inspiration. This is horrifying. It highlights just how easily guessable certain passwords are, based on the common tendencies people have.
00:07:49.840 Eventually, I moved on from creating those terrible passwords and thought I had generated a really good one. It was a mix of numbers and letters, eight characters long, and I felt quite clever about it. However, I used that password across multiple accounts, believing it was safe due to its length and complexity.
00:08:34.720 This practice cost me when I lost access to accounts like Spotify and Skype due to a hack. Although I had two-factor authentication enabled for my Dropbox account, it still indicated that there was unauthorized access. In the case of my Skype account, the hacker even used it to propose marriage to several people in French!
00:09:14.880 I was so confident in my supposed 'secure' password that I reused it across numerous accounts. The reality is that while I believed my password to be safe, other sites like Adobe and LinkedIn were leaking user data and allowing plain-text passwords to be compromised. Even though I might have felt secure, the ecosystem around me was not likewise safe.
00:09:56.160 Breaches happen every day, and it's crucial to be aware of them. You should regularly check sites like 'Have I Been Pwned' to see if your passwords appear in any breaches. This resource allows you to input your email address to receive notifications when any of your user accounts appear in data breaches.
00:10:43.920 So beyond password managers, we need solutions that make the process safer for all. A password manager can be incredibly useful, yet a significant portion of users have never even heard of them and continue using the same passwords across multiple sites. If those sites experience a data breach, it endangers users everywhere.
00:11:28.160 Let’s get to the most crucial part: how do developers protect users? First, stop using the outdated guidelines that require an uppercase letter, lowercase letter, number, and special character. Acknowledging that these rules were fundamentally flawed is critical.
00:12:12.080 The National Institute of Standards and Technology (NIST) has revised its stance on password guidelines. We're encouraged to allow users to create passwords of at least 13 characters long and to accept all characters, including spaces and emojis. This flexibility allows for the use of passphrases, which can enhance security.
00:13:00.560 You should also avoid allowing dictionary words as standalone passwords, overlapping characters, or context-specific words. This includes using the same word for usernames and passwords, or utilizing passwords that have already been exposed in breaches.
00:13:51.440 Ruby's current authentication frameworks, like Devise, don’t offer sufficient enforceable guidelines for password security. They might validate for a minimum of characters, but do not implement the enhanced standards that we should strive for.
00:14:58.160 So I’ve got some suggestions. If you're in a Rails app, ensure that passwords are at least 14 characters. Add information in the UI about what makes a strong passphrase and suggest using a password manager. Implementing libraries that validate passwords against these guidelines, like ‘no-password’ and ‘zxcvbn’, can be a significant help.
00:15:56.560 The ‘zxcvbn’ library is great as it not only assesses passwords for strength but also gives the reason why a password is deemed weak. It scores passwords and provides suggestions for improvement, allowing seamless integration both on the front end and back end.
00:16:47.840 We’ve explored various examples of how these libraries can work and help validate user-created passwords in real-time. I’d encourage everyone to explore these libraries and incorporate them into their authentication systems.
00:17:42.960 How to address known insecurities with passwords? Thankfully, ‘Have I Been Pwned’ has developed the 'pwned passwords' API. The service maintains a database of over 572 million passwords exposed in breaches. This API allows you to check if a password has been compromised using the hash of the password rather than sending the entire password itself.
00:18:34.640 By taking just the initial five characters of the sha1 hash, we can request to check the password without ever exposing it. Implementing this API will feel seamless to users and ensures they’re not using vulnerable passwords while keeping their information secure.
00:19:31.760 In closing, the approach to safeguarding users’ passwords must be holistic. From continuously updating our security practices to implementing two-factor authentication, we can significantly improve how secure our platforms are.
00:20:16.160 Before I end, I want to reiterate that passwords, as we know, are fundamentally flawed. As developers, we must squash outdated guidelines and adopt newer practices. We can help our users by making their passwords longer, secure against breaches, and contagiously using authentication practices.
00:21:05.040 The future might hold a passwordless utopia, but for now, if anyone interacts with password managers, they'll likely find that using unique passwords per site is pivotal. But remember, even with great security measures, the power still lies with you to ensure the safety of users. Thank you for your attention!
00:22:09.440 If you have any questions, I'm here to discuss further. I appreciate the opportunity and hope to see progress in the way everyone manages passwords.
00:22:22.480 Developers must prioritize creating better password habits and security measures. The path towards safe accounts is long, but every suggestion and guideline we implement helps.
00:23:14.080 Ultimately, everyone must consider multi-factor authentication ways to make it even safer. As we consider possibilities for passwordless access, let's also remind users to monitor and change their passwords regularly.
00:24:23.680 Thank you for your dedication to improving security online. I hope your experiences motivate you to share your thoughts and experiences with everyone you can. We are all in this together, striving for secure practices.
00:25:47.200 Well, before I go, I want to remind you to have your passwords checked by reputable services. Programs like ‘Have I Been Pwned’ give you incredible tools for tracking your security status. It’s always worth the time to be proactive.
00:26:37.680 Certainly, the tools we have in place today, regardless of their limitations, come together to create an infrastructure that protects both users and developers. Thank you, everyone, and I look forward to discussing this further!
00:27:43.760 If you're ever feeling uncertain about password strength or security measures that seem outdated, take the initiative to revise them or look into more robust libraries. Your platform’s message is as important as the technology behind it.
00:29:00.560 Let’s make sure we do our part to keep these conversations alive as password security continues to develop. Innovations like biometric security systems are also rising, and they might be part of our future!
00:30:10.760 Thank you for your time today, and feel free to reach out with any further questions. Together we can create a more secure and adaptable approach to login experiences!
Explore all talks recorded at NoRuKo 2020
+10