Password Storage
 (And Attacking)
     In PHP
    Anthony Ferrara
GitHub URL
Follow Along:

github.com/ircmaxell/password-bad-web-app

A "Bad Web App"
- Has Known Vulnerabilities
- Only Use For Education!!!
- Requires only Apache + PHP
- Has Composer Dependencies
Let's Start
From The
Beginning
Plain-Text Storage
        git checkout plaintext

Stores passwords in Plain-Text

What's wrong with this picture?
Plain-Text Storage
What happens if we have a SQL-Injection
Vulnerability?

localhost/sqli

Simulates:

?offset=0'+UNION+SELECT+*+FROM+users
Plain-Text Storage
Problem!

Any attack vector results in leakage of ALL
credentials!
We Can Do Better
MD5
           git checkout md5

Uses the MD5 Cryptographic Hash function.

md5($password)

hash('md5', $password)
Wait,
What Is A Hash?
What's A Cryptographic Hash?
Like a fingerprint.

One-way.
- Easy and efficient to compute
- Very inefficient to reverse
  - (Practically impossible)
- Very hard to create collision
  - (new input with same output)
MD5
What's the problem now?

SQL-Injection still gives us hash

But the hash is one-way, how can we attack it?
Enter:
Lookup Tables
Lookup Table
Google is a great example

Maps hash to password directly

Database Table:
hash            | password
--------------+-----------
"5f4dcc3b..." | "password"
"acbd18db..." | "foo"
Lookup Table
Lookups are CPU efficient.

Require a LOT of storage space
- (Very space inefficient)

All passwords <= 7 chars (95^7, 70 Trillion)
Requires 1.5 PetaBytes
- In Most Optimal Storage Format
We Can Do Better
Rainbow Table
Seed -> Hash -> Reduce -> Hash
Rainbow Table
(Diagram labels: a4fef..., Seed, Hash, Reduce, Reduce, New Password, Hash)
Rainbow Table

Seed 1 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
Seed 2 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
Seed 3 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
Seed 4 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
Seed 5 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
Seed 6 -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash
Rainbow Table
Time/Space Tradeoff
- Slower than a Lookup Table
- Uses Much less storage

Most (99.9%) passwords <= 7 chars
Requires only 64 GB
- Chain length of 71,000
Defense!
Salted MD5
       git checkout salted-md5

Uses the MD5 Cryptographic Hash function.
But adds a random salt UNIQUE per user.

md5($salt . $password)

hash('md5', $salt . $password)
Salts
Must be unique!
- Per Hash
- Globally

Should be random
- Strong!!!
- Reasonably long (at least 64 bits)
Salted MD5
What's the problem now?

SQL-Injection still gives us hash
- And the salt

But the salt defeats rainbow tables...
Can Anyone See
 The Problem?
What's A Cryptographic Hash?
Like a fingerprint.

One-way.
- Easy and efficient to compute
- Very inefficient to reverse
  - (Practically impossible)
- Very hard to create collision
  - (new input with same output)
Hash Functions
Are Made To Be
     FAST
Brute Forcing
Several Tools Available
- John The Ripper
- oclHashcat

A Lot Faster Than You May Think
Brute Forcing
Multiple Ways To Attack
- Mask Based (permutations)
- Dictionary Based
- Combinator Based
  - Combinations of dictionary words
- Fingerprint Based
  - Combinators applied with permutations
- Rule Based
  - Takes input password and transforms it
Brute Forcing
               Salted MD5
2012 Macbook Pro:
- md5: 33 million per second
- sha256: 20 million per second

Mask Attack:
6 char passwords: 5 hours
7 char passwords: 22 days
Entire English Language: 1.8 seconds
"LEET" Permutations: 1 hour
We Can Do Better
Brute Forcing
               Salted MD5
25 GPU Cluster
- md5: 180 Billion per second
- < $50,000

6 char passwords: 4 seconds
7 char passwords: 6 minutes
8 char passwords: 10 hours
Entire English Language: yeah...
"LEET" Permutations: 0.7 seconds
But Wait,
I Thought MD5
  Was Broken?
MD5 IS Broken!
But So Is Every Other Primitive Hash!!!

sha1 ≈ md5
sha256 ≈ md5
sha512 ≈ md5
whirlpool ≈ md5

ALL raw primitive hashes are broken for
password storage.
So, How Can We
 Combat Such
  Hardware?
Iterated MD5
      git checkout iterated-md5

Uses the MD5 Cryptographic Hash function.
But adds a random salt UNIQUE per user.
And iterates a lot of times

// $h starts empty; each round feeds the previous digest back in
$h = '';
$i = 0;
do {
   $h = md5($h . $salt . $password);
} while ($i++ < 1000);
We're
  Intentionally
Slowing It Down
Brute Forcing
              Iterated MD5
25 GPU Cluster
- md5: 70 million per second

6 char passwords: 17 minutes
7 char passwords: 1 day
8 char passwords: 124 days

Entire English Language: 0.8 seconds
We Can Do Better
PBKDF2
          git checkout pbkdf2

Uses the standard PBKDF2 algo
- With SHA512 primitive

Slower, and harder to use on GPU

pbkdf2($pass, $salt, 10000, 40)
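
The same parameters with PHP's built-in hash_pbkdf2(), as an added example (not the pbkdf2() function from the talk's repository). The record layout, the function names pbkdf2_create/pbkdf2_check and the reading of "40" as the output length in bytes are assumptions; it needs PHP 7+ for random_bytes().

```php
<?php
declare(strict_types=1);

const PBKDF2_ALGO       = 'sha512'; // primitive named on the slide
const PBKDF2_ITERATIONS = 10000;    // iteration count from the slide
const PBKDF2_BYTES      = 40;       // assumed meaning of the slide's "40"

/**
 * Derive a key from the password with a fresh random salt and return one
 * self-describing record: scheme$iterations$salt$derived-key.
 * Storing the iteration count lets it be raised later without breaking
 * verification of older records.
 */
function pbkdf2_create(string $password, int $iterations = PBKDF2_ITERATIONS): string
{
    $salt = random_bytes(16); // 128-bit salt, unique per hash
    $dk   = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, $iterations, PBKDF2_BYTES, true);

    return implode('$', [
        'pbkdf2-' . PBKDF2_ALGO,
        (string) $iterations,
        base64_encode($salt),
        base64_encode($dk),
    ]);
}

/** Recompute the derived key from the stored salt and count, then compare. */
function pbkdf2_check(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-' . PBKDF2_ALGO) {
        return false; // unknown or malformed record
    }
    [, $iterations, $saltB64, $dkB64] = $parts;

    $salt = base64_decode($saltB64, true);
    $dk   = base64_decode($dkB64, true);
    if ($salt === false || $dk === false || $dk === ''
        || !ctype_digit($iterations) || (int) $iterations < 1) {
        return false;
    }

    $candidate = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, (int) $iterations, strlen($dk), true);

    // hash_equals() compares in constant time, so the comparison itself
    // does not leak how many leading bytes matched.
    return hash_equals($dk, $candidate);
}

// Constructed sample input for a stand-alone run.
$record = pbkdf2_create('example-password');
echo $record, "\n";
echo 'right password accepted: ', var_export(pbkdf2_check('example-password', $record), true), "\n";
echo 'wrong password accepted: ', var_export(pbkdf2_check('Example-password', $record), true), "\n";
```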
Brute Forcing
                PBKDF2
25 GPU Cluster
- PBKDF2(sha512): 300,000 per second

6 char passwords: 28 days
7 char passwords: 7 years
8 char passwords: 700 years

Entire English Language: 3 minutes
We Can Still
 Do Better
BCrypt
          git checkout bcrypt

Uses the standard BCrypt algo
- based on Blowfish cipher

Same execution time,
Much harder to run on GPU

crypt $2a$
Brute Forcing
                 BCrypt
25 GPU Cluster
- BCrypt: 70,000 per second

6 char passwords: 120 days
7 char passwords: 31 years
8 char passwords: 3000 years

Entire English Language: 14 minutes
A Note On Cost
BCrypt accepts a "cost" parameter

Must be tuned per server!
- Target about 0.25 to 0.5 second runtime
- Cost of 10 is a good baseline
- Cost of 11 or 12 is better
  - If you have decent hardware.
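
One way to tune the cost on a given server, as an added example (not code from the talk or its repository): time password_hash() at increasing costs and keep the first cost whose runtime reaches the lower end of the target window. The helper name find_bcrypt_cost, the benchmark password and the cost range 10 to 16 are assumptions; it is written for PHP 7+.

```php
<?php
declare(strict_types=1);

/**
 * Find the lowest bcrypt cost whose hashing time reaches $targetSeconds
 * on the machine this runs on. Returns the chosen cost and all timings.
 * Hypothetical helper, not part of PHP or password_compat.
 */
function find_bcrypt_cost(float $targetSeconds = 0.25, int $minCost = 10, int $maxCost = 16): array
{
    $timings = [];

    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        // Best of three runs, to reduce noise from other processes.
        $best = INF;
        for ($run = 0; $run < 3; $run++) {
            $start = microtime(true);
            password_hash('benchmark-password', PASSWORD_BCRYPT, ['cost' => $cost]);
            $best = min($best, microtime(true) - $start);
        }
        $timings[$cost] = $best;

        if ($best >= $targetSeconds) {
            return ['cost' => $cost, 'timings' => $timings];
        }
    }

    // Even $maxCost stayed under the target: report the ceiling we tested.
    return ['cost' => $maxCost, 'timings' => $timings];
}

$result = find_bcrypt_cost();
foreach ($result['timings'] as $cost => $seconds) {
    // Each step up in cost doubles the work, so times roughly double per row.
    printf("cost %2d: %.3f s\n", $cost, $seconds);
}
printf("Chosen cost for this server: %d\n", $result['cost']);
```

Run it on the production hardware that will serve logins, not on a development laptop, because the result is specific to that CPU.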
PHP 5.5 Password Hashing API
    git checkout password-compat

A thin wrapper over crypt()
- Simplifies implementation
- Strong random salt generation
- Can specify cost as int option

password_hash($pass, $algo, $opts)
password_verify($pass, $hash)

github.com/ircmaxell/password_compat
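
A registration and login flow built on this API, as an added example (not code from the talk's repository). It also uses password_needs_rehash() from the same API so that hashes created with an older cost are upgraded at the next successful login; the function names register_password/check_login and the cost of 11 are assumptions, and the syntax targets PHP 7.1+.

```php
<?php
declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 11]; // assumed value; tune per server

/** Hash a new password. password_hash() generates the random salt itself. */
function register_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

/**
 * Check a login attempt against the stored hash.
 * Returns [bool $ok, ?string $newHash]. $newHash is non-null when the login
 * succeeded and the stored hash was made with different options, in which
 * case the caller should write $newHash back to the user's row.
 */
function check_login(string $password, string $storedHash): array
{
    // password_verify() reads algorithm, cost and salt out of the stored
    // string and compares the result in constant time.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }

    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        // Only possible here: this is the one moment the plain password is known.
        $newHash = register_password($password);
    }

    return [true, $newHash];
}

// ---- Constructed sample data for a stand-alone run ----

// Same password registered twice: the embedded salts differ, so the stored
// strings differ and a precomputed table cannot cover both.
$first  = register_password('example-password');
$second = register_password('example-password');
echo $first, "\n", $second, "\n";
echo 'stored strings identical: ', var_export($first === $second, true), "\n";

[$ok] = check_login('example-password', $first);
echo 'right password accepted: ', var_export($ok, true), "\n";
[$ok] = check_login('wrong-password', $first);
echo 'wrong password accepted: ', var_export($ok, true), "\n";

// A hash created earlier with a lower cost still verifies, and is flagged
// for replacement with one at the current cost.
$legacy = password_hash('example-password', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $upgraded] = check_login('example-password', $legacy);
echo 'legacy hash accepted: ', var_export($ok, true), "\n";
echo 'replacement hash issued: ', var_export($upgraded !== null, true), "\n";
```

PASSWORD_BCRYPT only uses the first 72 bytes of the password, so very long passphrases are truncated at that length.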
We Can Do
Even Better!
Let's Encrypt
  Instead!
Encrypted BCrypt
git checkout bcrypt-with-encryption

Hash with BCrypt,
Then encrypt result with AES-128.

Requires key storage for the app.
- Not trivial

Use only if needed!
- BCrypt alone is typically sufficient
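
The hash-then-encrypt layering, as an added example (not the code on the repository's bcrypt-with-encryption branch). It assumes AES-128 in GCM mode via the openssl extension (PHP 7.1+), a 16-byte key supplied from outside the database, and the hypothetical function names store_password/verify_password.

```php
<?php
declare(strict_types=1);

const WRAP_CIPHER = 'aes-128-gcm';
const WRAP_IV_LEN  = 12; // recommended nonce length for GCM
const WRAP_TAG_LEN = 16; // default authentication tag length

/** Reject keys of the wrong size; OpenSSL would otherwise pad or truncate silently. */
function assert_wrap_key(string $key): void
{
    if (strlen($key) !== 16) {
        throw new InvalidArgumentException('AES-128 needs exactly 16 key bytes');
    }
}

/** bcrypt the password, then encrypt the bcrypt string under the app key. */
function store_password(string $password, string $key): string
{
    assert_wrap_key($key);
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]); // assumed cost

    $iv  = random_bytes(WRAP_IV_LEN); // fresh nonce per record
    $tag = '';
    $ct  = openssl_encrypt($hash, WRAP_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }

    // Layout of the stored value (assumption): base64(iv || tag || ciphertext)
    return base64_encode($iv . $tag . $ct);
}

/** Decrypt with the app key, then verify the password against the bcrypt hash. */
function verify_password(string $password, string $stored, string $key): bool
{
    assert_wrap_key($key);
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= WRAP_IV_LEN + WRAP_TAG_LEN) {
        return false; // malformed record
    }

    $iv  = substr($raw, 0, WRAP_IV_LEN);
    $tag = substr($raw, WRAP_IV_LEN, WRAP_TAG_LEN);
    $ct  = substr($raw, WRAP_IV_LEN + WRAP_TAG_LEN);

    $hash = openssl_decrypt($ct, WRAP_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($hash === false) {
        return false; // wrong key, or the record was modified
    }

    return password_verify($password, $hash);
}

// ---- Constructed sample data for a stand-alone run ----
// In an application the key comes from configuration kept outside the
// database; here a throwaway key is generated so the script runs on its own.
$appKey = random_bytes(16);
$stored = store_password('example-password', $appKey);
echo $stored, "\n";

echo 'right password, right key: ',
    var_export(verify_password('example-password', $stored, $appKey), true), "\n";
echo 'wrong password, right key: ',
    var_export(verify_password('other-password', $stored, $appKey), true), "\n";
// A database dump alone gives only ciphertext: without the key there is
// no bcrypt string to run guesses against.
echo 'right password, other key: ',
    var_export(verify_password('example-password', $stored, random_bytes(16)), true), "\n";
```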
Brute Forcing
            Encrypted BCrypt
Attack requires low level server compromise!
- SQL Injection is not enough!

localhost/codeinject
 - Simulates code injection that reads source

Any low level compromise
Is No Worse than raw BCrypt
 - BCrypt is the baseline.
The Future
The Future
scrypt
 - Sequential Memory Hard
 - Uses a LOT of memory (32 MB / hash)
 - Harder to brute-force than bcrypt

But it's VERY new
- In cryptography terms at least
- Not proven enough for use (yet)
The Future
Password Hashing Competition
- Currently being set up
- Aims to pick "standard" password hashing
algorithm
- A community effort
The Future
Brute Forcing Word Lists
- Complex combinations of words
- "horse correct battery staple"

Brute Forcing Grammar
- "I don't want no cookies"

Brute Forcing Structures
- URLs, Email Addresses, etc.
Anthony Ferrara
 joind.in/7792
  @ircmaxell
ircmaxell@php.net
blog.ircmaxell.com
youtube.com/ircmaxell
