Piotr Przybył
piotr@przybyl.org
4Developers 2016
In case the data is stolen or sold:
Column | Type | Modifiers
---------+--------+-----------
password | int | not null
class UserDao {
    void insertUser(String login, String password) {
        session.createQuery(...);
        password.hashCode();
    }
}
Why?
hashCode, because passwords have to be "hashed"
// java.lang.Object
/**
 * Returns a hash code value for the object. This method is
 * supported for the benefit of hash tables such as those provided by
 * {@link java.util.HashMap}.
 ...
 */
public native int hashCode();

// java.lang.String
public int hashCode() {
    int h = hash;
    if (h == 0 && value.length > 0) {
        char val[] = value;
        for (int i = 0; i < value.length; i++) {
            h = 31 * h + val[i];
        }
        hash = h;
    }
    return h;
}
AbCdEf, BBcEFG, AbCcdf, AbDDdf, BBbcdf, BCCdEf,
BCDDeG, BCDEEf, BCDEFG, AbCdFG, AbDEFG, BCCceG
UPDATE `admin_user` SET `password` = MD5('anyword')
WHERE `admin_user`.`user_id`= 1;
CE version
public function hash($data) {return md5($data);}
EE version
public function hash($data, $version = self::HASH_VERSION_LATEST) {
    if (self::HASH_VERSION_MD5 === $version) {
        return md5($data);
    }
    return hash('sha256', $data);
}
Rainbow tables
MD5 | ~4.7 billion/s |
SHA1 | ~2.2 billion/s |
6-character password, BF (~57 billion combinations) | < 60s |
Experiment: 45 min. | 25k/40k (~63%) |
~9.25 passwords per second
Thanks Troy!
ADD COLUMN passwd_new_hash
ADD COLUMN only_crypt default false
SET passwd_new_hash = crypt(passwd_hash)
SET passwd_new_hash = crypt(plain_passwd)
SET only_crypt = true
RENAME COLUMN passwd_hash TO stale_old_passwd_hash
DROP COLUMN stale_old_passwd_hash
DROP COLUMN only_crypt
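The migration steps above as an added Python example, not code from the talk: legacy hashes are wrapped in bulk, then replaced by a hash of the plaintext on the first successful login. It assumes the old column holds unsalted MD5 hex and uses standard-library PBKDF2 as a stand-in for crypt(); the dict row, the function names and the iteration count are hypothetical, and popping `passwd_hash` models the rename and drop of the old column.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the stand-in slow hash


def legacy_md5(password):
    """Old scheme: unsalted MD5, hex encoded (what passwd_hash holds)."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(secret, salt=None):
    """Stand-in for crypt(): salted PBKDF2-HMAC-SHA256 as 'salt$digest'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def slow_verify(secret, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(slow_hash(secret, salt), stored)


def migrate_row(row):
    """Bulk step, no plaintext needed: passwd_new_hash = crypt(passwd_hash)."""
    row["passwd_new_hash"] = slow_hash(row.pop("passwd_hash"))
    row["only_crypt"] = False


def login(row, password):
    """Verify a login; upgrade a wrapped legacy hash on first success."""
    if row["only_crypt"]:
        return slow_verify(password, row["passwd_new_hash"])
    # Still wrapped: the stored value is crypt(md5(password)).
    if not slow_verify(legacy_md5(password), row["passwd_new_hash"]):
        return False
    # Plaintext is available now: passwd_new_hash = crypt(plain_passwd).
    row["passwd_new_hash"] = slow_hash(password)
    row["only_crypt"] = True
    return True


if __name__ == "__main__":
    user = {"login": "alice", "passwd_hash": legacy_md5("sample-pass")}  # constructed
    migrate_row(user)
    print(login(user, "wrong"), login(user, "sample-pass"), user["only_crypt"])
```

Once every row has `only_crypt` set, the wrapped-hash branch in `login` and the flag itself can be removed, which corresponds to the final DROP COLUMN only_crypt step.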
Not always. And do it wisely.
Problem in chair, not in computer.
Implementation possible without:
http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html
https://adambard.com/blog/3-wrong-ways-to-store-a-password/
https://password-hashing.net/
https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016
http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514
http://krzysztofjelonek.net/hasla-maskowane-bledy-implementacyjne-polskiego-banku/
http://www.smartarchitects.co.uk/news/9/15/Partial-Passwords---How.html
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
http://www.theregister.co.uk/2016/02/08/alibaba_taobao_security_process_failure/
http://www.pcworld.com/article/226128/Sony_Makes_it_Official_PlayStation_Network_Hacked.html
http://arstechnica.com/security/2015/08/ashley-madison-hack-is-not-only-real-its-worse-than-we-thought/
http://www.kongsli.net/2010/04/14/atlassian-products-hacked/
http://www.omgubuntu.co.uk/2013/07/ubuntu-forum-hacked-users-advised-to-change-passwords
http://www.zdnet.com/article/6-46-million-linkedin-passwords-leaked-online/
http://allegro.pl/asus-hd-7970-3gb-ddr5-gwar-fv-i4937839839.html
https://www.cyberguerrilla.org/a/2013/?p=13523
https://twitter.com/paweljonca/status/715895678950572032
przybyl.org/pres/4Developers2016