PW - I forgot My Password - Michal Špaček

[Music]

now yeah cool thank you for so hi everyone my name is Michelle um you can also call me Michael I made this joke like two years ago but please don't call me Michelle I hate that debate for a reason I'm from prac czech republic so that's East Coast and beyond that's pretty far east coast from here and I'd like to talk a bit about boss or is it features on the website and slightly was a little bit about users and best practices and about near future we can already get a bit as well so let's talk about users you know users forget stuff right there also forget that passwords because they are just told to remember

them and that's really hard oh did you guys who don't forget your password just raise your hands who ever forgot your password oh well yeah just like almost everybody so obviously the apps they need to have the password reset features for some reason so even if you are using password manager which I guess that most of you do then probably the app needs to have the possibility choose so now the password reset mechanism can also be good for security of the accounts I have one case from czech republic is the company called jedem and they are they do jabber servers they actually provide the jebel service to the users and they don't have automated password reset

mechanism for some reason you just cannot go to the website and reset the password for you which might be a good thing well unless something bad happens in this number last year they had a bridge they suffered to bring each and the attacker was able to access 125 k or passwords stored in plain text Wow fortunately the data was not made public yet so that's why Rohan doesn't have it yet and have I been pwned but maybe one day get across the likud they try to sell it on some underground forums but probably nobody was really interested in the data so they jebem had their reasons for for passwords stored in plain text like performance and legacy client support

and they also made some bad decisions like they didn't properly separate the data but it's just just know it's just move on so they didn't have automated password resets they could just yeah they didn't have the automated buses Wizards just because they don't require the users to enter their email address for some reason because of the privacy and I don't know what so they say that if they don't require the email address they don't have the address to send the password reset link to that's obvious but their password reason mechanism is manual you need to write an email and say hey I forgot my password and blah blah blah and they will reset the password for you manually but that

doesn't scale well if you get like 100 thousands of users sending you email that you and all that they want to visit the emails for you well that just doesn't scale well so what could they do and what they did they could just reset their passwords for all the users and send them the recent links but this is what they did instead this was there you know incident response and that was it they just issued a blog post and they said hey we have been hacked you should change your password now and that's it so some of my friends have actually lost the access to their accounts because you know when you are sleeping here on the rig blog post most

of the time and so these friends of mine they just didn't have they just weren't quick enough to change their passwords so somebody else did it for them already and now they don't have like any way to recover the account and they actually said that they don't care because of the size having really bad really poor security practices that they will just leave it so geben was losing customers because it's actually a paid service so they were losing customers just because of security so they should just make the email at least optional so if you make the email optional state the reason why you are actually you know why you want the email for the users from the users

just say whatever just you know make the email optional and stated hey we need the email just because of this and this so clearly state the benefits of adding one or two email addresses so what should be the benefits well obviously we are talking about password resets so well it should be a possible treason so that the company or jebem could send the password reset link to the users and if they forget the password or if the service is Hector or if there are some security incident it can just send reset link to their email that's pretty you know quite clear benefit of adding an email address so just a quick recap how the password reset link should look like

it should be random just I mean really random not random random I mean random random random random really random it shouldn't just look like random it's for the other LMK it should be like 16 plus bytes for friend of data and should expire in several hours maximum one or two depends on the service and it should be usable only once so if the attacker actually gains the access to data to the reset link somehow they can just use it in a limited time they shouldn't just be allowed to use it or ever also the token should be hashed in the database and it's stored in the database remember this is a token this isn't the password

first it's limited in time and it already has quite high entropy so it's not user password so it doesn't need to be hashed with the slow ashes it can be hitched with slightly faster issues like short too and this kind of stuff it doesn't need to be a secret because it's just a random later ah also the email with the password reset link should contain some more additional data for example like the IP address and the city from where the password visit originated from because then the user can actually tell if it's just him if it was him and who tried to reset his password well they should remember that well or if it was just some colleague trying to bring

him or if it was some attacker from a different country the email should also contain a link to invalidate the token because you know it can get spent with a lot of emails with risa tokens then probably something is going on and you went through invalidated tokens as soon as possible sometimes some bad guys are actually abusing this password reset feature to see whether the user order the day neighbor has been using the service as well so yeah thank you i have that in the next sentence so if you are running a dating site or actually medicine side you probably don't want to disclose as much information as if you are running a facebook side most of the

times it doesn't really matter because the attacker can actually try to sign up for the side with the email address of the neighbor and they will anyway see if the address is already registered or not so most of the times it doesn't matter but if you are an inca dating site you probably should be doing something more for the privacy of the users that could also be not using the email addresses for further sign up but just the usernames or put a recent poll just the usernames not female versus so yeah one also one thing which is really important is to limit the number of attempts that can be made from a single IP address and from the end for

the one user name so that the attackers cannot actually you know try to enumerate all the users from the side everything is to be right limited just in case somebody's trying to dump all the data from the database using the password visit features here is what you should not do you should not just regenerate the password or generate the new password and send it by email to the users because if you do then if I'm in the office and I see that the guys trying that the guy in front of me is trying to look into a website I can't just go to a password reset feature and right before he clicked submit or signing I can just reset his password

and he will be like oh my god somebody reason my password so i will use this new one and then i do it again and i do it again again and again so they will be somehow the service of the side will be denied for them so it's kind of like local dose for them so they cannot be they cannot use the side and they will just go elsewhere also you should not be sending the original password by email back to the user because you have it properly hashed so you cannot do it anyway right one of the most interesting ways of presenting password i've seen was this one the token looked kinda random but it was not really random what

they did was they actually took the email address of the user and they have encrypted it and then send it as a token to the user when it was sent back to the side they decrypted a token and then they found the user by the email address which was decrypted from the token that looked kinda random well but unfortunately the side could be easily hack and it was leaking the source code as well so you can easily see the exact algorithm how it was encrypted well it was also configuration including the encryption keys so anybody could just you know generate their own token and they could freeze it the password for any user on the website so just use a random token I

mean really random random random random the bad thing about sending the tokens or the fastest recent via email is this this is from google transparency report on email and they say that slightly more than fifty percent of email coming to gmail is encrypted using the start TLS Transport Security thing that's just not enough it should be like 100 or even more probably like 110 percent just in case so even if you send the password reset link which goes to https in your website then there is a high chance that the email will traverse the internet in a in a plain text form so anybody can read the riddling or even change it for you so this is not really good so you

can use this website start TLS good info to check if your email provider users start TLS encryption or not this is sort of like SSL observer chick but for email they also got grades they don't have a plus as far as I know it's just a but even if you score a in that test in this one and it doesn't mean that the email is encrypted from end to end it means that it only encrypted when it's coming from the up to the server and between the servers but it doesn't mean that it's not encrypted and to end so even if you score a great day in this test your provider can still read email because

it's stored in there in there under service in plain text and also sending emails really depends on the DNS so we can easily say that your account is actually protected just by DNS which is also quite not really a good thing this is what facebook this is what I was talking about ready this is how they try to get around the problem with email they allow you to upload your PGP public key and then they will it's sort of hidden on the website so if you go to the contact info section then you will see the link to the PGP and you can add your pinche picky and they will encrypt all the notifications they they sent you

when somebody comments on your nice picture of you yesterday dinner then will be encrypted but they will also encrypt the password reset tokens and the email should pass orissa tokens so everything will be encrypted using 3gp so you can only only you can do keep that not anybody who actually is able to access your email is anybody if you're using it already okay not much but the question might be who is using facebook then okay two more yeah so this is how they try to work around the problem with email which is not encrypted wow there could be some other options for example is of the record messaging library this is library which is supported out of the

box in several instant messengers well except the facebook one and it does encryption authentication and perfect forward secrecy and everything and this is also supported by the libraries also supported by java and fightin and tisha I think see only and some other languages so it could be used by delivery it could be used for delivering the the resin tokens you can just you know create your contact on the server and the server then consent to the user the resin token the users need to be friends friends with your application so that they can actually receive the tokens but this is encrypted end to end it it's like PGP its encrypted end to end but might be slightly easier for the

user just because the set up only just because the set up on the on the client side is slightly easier you don't need to generate he you just confronted you know there are some shared secrets and it might be use I actually wanted to build the portal concept but I didn't have time yet I have seen the API the library I've seen vinum jsapi of the library and it looked kinda I easy so I will try to build the proof of concept and let's see how it works out so this could also be used under quite easy option for you would be to our phony up would be to actually disable the password resets completely

because if you don't remember your password because you are using password manager right then you just cannot forget your password and then you can have this feature disabled just if you would implement it into your app just be sure that you get the messaging right around this feature because if like regular is a user would just disable a password reset they will be screwed for life but it could be one way actually to also protect user accounts disable the possibilities and features completely in the ideal world it would look like this probably much better designed but the application should provide selection of deliveries selection of transports how to deliver the token to the user and

these would be able to pick one or maybe two now first it should be able to completely disable the risotto can the password is a teacher or deliver it via and check your email just for a regular user or bgp email for example of the record message or some other transport for me possible to add more transports but the common ones for example like skype it's not really possible to for the third party to you know send a message via skype i would have made in india automated way because God doesn't like it you can try to hack their web interface it's anyway set of rest api ice but they might change so you just

want to do that and also one thing the described is that they are scanning the links which are being sent over Skype network so if you will do that you definitely want your talking to be usable more than once because they are trying to scan the scandal links also for the previews and when you actually send the link via skype chat they try to make a thumbnail of it so they just fetch the the content one thing you definitely want to do is to notify the users when the password was changed because if they don't know that their password was changed they cannot do anything about it well even if the password is changed when someone else

they kind of do much but at least they know about it so definitely the applications should notify the users when the password was changed also be sure to get the messaging cried because if you tell the user oh we have just changed your password and they don't remember that they did it five minutes ago it's going to be quite bad 44 the user support my toes will be possible to you know use the login verification feature like the TFA and just a verification and this kind of stuff to actually confirm the password change you know they'll just use it for login verification but also use it for password change verification or something like that but I'm not sure how

this work how this would work out for the cases like when the device is lost so I'm not really recommending it right now but it might also be a chance especially if you are running the mobile application which unplug Twitter they have a website and a mobile application so they could use it for password change verification as well hey one last hint if you try to store failed login attempts because some some companies actually do that they thing like okay when the user is trying to log in with the wrong passwords will we will store it into the database so that we can see if its attack or not well usually users if they are typing their past

and they can just miss type it and if they do it gets stored in the database and once somebody has access to the database just because of security vulnerabilities or backups getting lost it can easily recover the password from just reading the felt attempts it's quite easy I guess that anybody would probably know the passwords which was probably supposed to be here right so just don't do that I've seen a really quite a lot of applications to do that i had the same idea ten years ago as well i decided it it's not a really good idea so please when you are emailing users with risa tokens just try to think beyond email and beyond https so that we

have more secure password reset things and pages so that's it for me thank you very much if your questions should then yeah yeah yeah yeah yeah

yeah it's similar to what Facebook is also with your trusted friends and stuff like this but and this is probably you know not everybody is a polite not everybody's facebook so it's kind of been used by everybody that can be also a it can just be used by a plant facebook i guess at the end thanks oh

yeah yeah yeah it is yeah it is that's true and probably it's more user before the users then just bgp and using the record soon yeah so yeah but we should also do it in a way that you know we support all the users but if somebody wants you know more security than they should have the option for it as well it's ramira quired like the OTR or PGP but for the users like you know all of us here it should this time should have option in to actually you know make it more secure

definitely yep well hmm the usability of that approach I don't think it's that high because ah yes sorry if the yeah if the side offers you to print out the codes even sign up which can be then be used for password for the account recovery how do I feel about security and usability was that a question for so first the usability well if I print out something and just put it to a safe place I usually forget very safe places so I put it to my password manager but i'm probably not like the regular user so the usability of that is probably not that high and also if this i would need to change the process for example they

will need to retire that then probably they have two users with printed out codes then they just kind of do it so the usability of dead new not sure and the security well it could be kinda okay if the tokens printed out are really random data so yeah it probably also depends on the threat model it probably you don't want to do this for your bank accounts and what you can do it for your gmail for for facebook and sometimes if the dancers your question slide last question from brett so to secure an OTR connection you need to have to compare thumb prints yep or have a shared password yep so do you have any ideas

for how to oh yeah i'm not yet a decide we just display the fingerprint and you can just compare it somehow over https yeah I of course sexy TPS everything on HTTPS so that the user can see the fingerprint just once or you know 45 minutes or something and they can just compare it and see that they are cheap talking to you okay so we have to finish up there and we'll be around of course for defcon as well yeah and putting up the Barbie and for the after parties are being are you know bring all the questions and anna and give them a bear and a round of applause thank you thank you and if you have ever put passwords