Talk online

📃 http://www.slideshare.net/spaze/password-hash-store-profit-passwords13


Talk details

Why is proper password hashing essential in protecting your users? And what is proper hashing, anyway?

I spoke at Passwords13 in Las Vegas, USA, a conference focused solely on passwords and PIN codes, about various ways of storing users' passwords in a database. I was the first web developer ever to speak at this conference.

I also presented one real-world example using a dumped dataset with several hundred hashed passwords from a small local (Czech) online shop for a major clothing brand. I demonstrated that it is possible to take over users' mailboxes (including a gmail.com mailbox with additional protection) by cracking passwords from this dataset simply with an online cracking tool: a few dozen active mailboxes in several minutes with just a browser. I presented some stats gathered while working with this dataset: how many passwords were successfully cracked by this online tool and how many were additionally cracked using a tool called hashcat on a regular laptop. I recommended better hashing algorithms than plain SHA-1, such as scrypt and bcrypt. As a bonus I added a few tips, like don't send passwords by email.
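As an added illustration (not code from the talk or the slides), the contrast between the shop's unsalted SHA-1 scheme and the recommended slow, salted scheme, using scrypt from Python's standard hashlib because bcrypt needs a third-party package; the sample accounts, the dictionary and the record format are constructed here.

```python
import hashlib
import hmac
import os

# Constructed sample accounts with weak passwords (not from the real dump).
SAMPLE_USERS = {"alice": "password1", "bob": "letmein", "carol": "correct horse battery"}

# A tiny constructed stand-in for an online cracking service: a table of
# precomputed SHA-1 digests of common passwords, answered by one lookup.
COMMON_PASSWORDS = ["123456", "password1", "qwerty123", "letmein", "dragon"]
SHA1_LOOKUP = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def store_sha1(password: str) -> str:
    """The weak scheme: plain, unsalted SHA-1. Same password, same digest, on every site."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1(stored: str):
    """Cracking an unsalted fast hash costs one dictionary lookup per record."""
    return SHA1_LOOKUP.get(stored)


# Hardened scheme: a random per-user salt plus scrypt (memory-hard, tunable cost).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # about 16 MiB of memory per guess


def store_scrypt(password: str) -> str:
    """Return a self-describing record so the cost can be raised later, user by user."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_scrypt(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record, bad hex or unsupported parameters
        return False


def cracked_by_lookup(users: dict) -> dict:
    """Which SHA-1 records fall to the lookup table alone, with no hashing done at all."""
    found = {u: crack_sha1(store_sha1(pw)) for u, pw in users.items()}
    return {u: pw for u, pw in found.items() if pw is not None}
```

With the scrypt records, the precomputed table is useless (every user has a different salt) and each guess costs a full memory-hard computation, which is what turns "a few dozen mailboxes in minutes" into an impractical effort.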

Interested in password storage and web security in general? Come to my web application security training (13. 12. 2017, Praha) or e-mail me.

Date and event

30. 7. 2013, Passwords13 Las Vegas (video)