Podívejte se raději na online verzi přednášky, slajdy mohly být aktualizovány nebo doplněny.
Why is proper password hashing essential in protecting your users? And what is proper hashing, anyway?
I was talking at the Passwords13 Las Vegas, USA, a conference focused only on passwords & PIN codes, about various ways of storing users' passwords in a database. I was the first web developer ever to speak at this conference.
I also presented one real world example by using a dumped dataset with several hundred hashed passwords from a small local (Czech) online shop for a major clothing brand. I demonstrated that it's possible to take over user's mailbox (including a gmail.com mailbox with additional protection) by cracking passwords from this dataset simply by using an online cracking tool. That is few dozens of active mailboxes in several minutes with just a browser. I presented some stats gathered while working with this dataset – how many passwords were successfully cracked by this online tool and how many were additionally cracked using a tool called hashcat on a regular laptop. I recommended better hashing algos than just a plain SHA-1, like scrypt and bcrypt. As a bonus I added few tips like don't send passwords by email.
Datum a akce
Vyvíjím webové aplikace, zajímá mě jejich bezpečnost. Nebojím se o tom mluvit veřejně, hledám hranice tak, že je posouvám. Chci naučit webové vývojáře stavět bezpečnější a výkonnější weby a aplikace.