
After hunting for security bugs I've realized clients I’m working with are not familiar enough (or at all) with basic “hacking” techniques. API key...
Mostly wise, but I have a couple of concerns.
Security researchers no longer recommend this with passwords. It doesn't work. Use a unique, complex password for each login that requires one...but understand that complex does not imply esoteric. Long phrases are currently considered the best strategy. If you have no reason to suspect a breach or significant possibility of a breach on an account, rotating the password does not decrease the chances of one. In fact, password rotation usually only leads to bad password strategies.
I could argue the same for keys, especially as they're even harder to crack than passwords, and far more likely to result in an unrecoverable account if you lose them.
That said, rotation policies may make more sense from a computer-to-computer perspective, if (and only if) there's any risk of exposure.
While I mostly agree with MFA, it is also not a guarantee of security — see sim card attacks — and it has its own hazards. If the service provides MFA, e.g. a code sent to a specific device, but no secure account recovery method, you may want to think twice. If you lose or destroy your phone (not that anyone has ever done that!) or it gets stolen, you're permanently locked out of any account that lacks recovery means. (PayPal is a prime example. No, they will not help. They'll go out of their way to FRUSTRATE helping, in fact.)
(One more note on that topic: there have been multiple security researchers who have warned that most consumer biometrics are less secure than passwords. Many fingerprint readers and facial recognition only check for partial match, and can be fooled. Consumer-focused biometrics should only be paired with a more secure authentication method, e.g. a key or password. Yes, I just said password.)
Be secure. But also be certain you aren't locking yourself out of Fort Knox permanently. It sucks at least as much as a breach.
I actually agree with 100% of your points and it makes me think whether I should sharpen my message;
I'm discussing mostly software teams and companies (obviously not only but that's the target audience). With that in mind, I address both personal user passwords and authentication keys.
To answer your points directly:
Password complexity - completely right, when I talk about complexity it's important to stress the importance of length rather than complexity. I would argue, however, that everyone is far better off with a personal password manager like 1Password instead of managing their own passwords. That's another key point when talking about rotation.
MFA - again, correct, this is brought up in the context of web login profiles for the 3rd-party services teams use daily. This is most certainly not a replacement for a password but an extra layer of security. And again - the context is a password leaking out. MFA in that context usually makes it useless.
Summing up, yes, of course, everything should be done with reason. In my experience, 99% of the teams need the push towards better security strategy rather than limiting the layers of protection they put on their processes. That being said, it's a great and important discussion which I must agree with. TBH just thinking about it raises some cases I've dealt with before, mainly in large organizations where the authentication processes and policies were so extremely hard that it actually did hurt productivity and progress.
Thank you for taking the time to read and respond!
Thanks for your response! I agree with you as well.
I'd add one thing to the topic of password managers: while you should definitely use one, it's best to still use phrase-based passwords that can be entered reasonably by a human. There are still times that situation occurs in the real world, as much as we like to pretend our password manager will always work perfectly. This is particularly true of central accounts like GitHub and email.
Besides that, you really should keep a copy of your most important passwords and keys on paper in a fire safe, in case of electronic catastrophe, or your own untimely demise.
In other words, the one time you need to enter your password by hand is the one time you're going to regret an esoteric password.
false-overspend-foe-float-stack is going to be a better password for human use than 3FaqtgSr2T9pgVJRwGxauzDmn, and just as secure. (Bonus: you have a realistic chance to spot when the former is wrong or outdated.) If websites are still demanding their numbers and special characters, you can incorporate a consistent pattern unique to you. Numbers and symbols don't actually reduce the probability of cracking as once thought, so merely adding them to the phrase you would have used is perfectly fine; it's the phrase that's the secret, ultimately.
Again - 100% :)
I remember a really good post explaining what you just mentioned scientifically, in terms of computation complexity and comparing short complex passwords to long sensible strings.
I'd try to find it and maybe add it here.
Thanks again!
I'd be happy to quote some of your responses and incorporate in the post. I think they're extremely valuable to the readers!
With credit of course. Would that be okay with you?
Go for it! Thanks.
A good option is to use YubiKeys, because in the case of Google Authenticator, if you lose your phone then you're doomed, but a YubiKey stores codes on hardware, which is really great. Moreover, you can have several backup keys, so even if you lose one you can insert another key into any machine or phone with type C and be happy.
Good password protection can be built on top of pass & xkcdpass utils.
True!
I personally use 1Password as my 2FA store, which makes it a bit more secure through the gate of the single passphrase or a fingerprint. The downside is having both the password and the 2FA code accessible after successfully authenticating to a single system.
I do agree that physical hardware takes it a step further, but would you say it's a feasible request from every team out there - even the smaller ones?
I store passwords in an encrypted format on my own Git server that is only accessible through a specific IP address, which is my own VPN + DNS that really doesn't store logs, but the SSH port is still open, so I can push/pull updates from any machine, while the web interface is only reachable through the VPN. And again, the SSH key is stored on a YubiKey, so an attacker needs physical access to my key and has to know the PIN. A remote vector of attack I cannot imagine, due to my limited knowledge of the security/crypto field, but it should be secure (I guess).
I talk here more about personal security and it's not so attractive for teams, indeed, but it's really secure security versus imposter security :) 1Password/LastPass should be good options for teams.
Got it.
Well about secret storage for teams I usually suggest Hashicorp's Vault. My experience with it is excellent. It's open-source, secure, and really thought through in terms of features.
For personal use - good thinking.. I'll consider it myself :)
Although someone a few comments above you mentioned that they as a team were getting personal YubiKeys for everyone, with a Vault-specific namespace which was rotated every time an employee left...
Sounds really great. I heard of Hashicorp's Vault many times but didn't have a chance to learn it more. Will add this to my todo list, thank you.
P.S. Great article.
Thanks mate!
Yeah, Vault is awesome especially when you deal with Terraform. I've just tried this practice on Digitalocean and it's pretty straightforward. digitalocean.com/community/tutoria... "You’ll use Packer to create an immutable snapshot of the system with Vault installed, and orchestrate its deployment using Terraform. In the end, you’ll have an automated system for deploying Vault in place, allowing you to focus on working with Vault itself, and not on the underlying installation and provisioning process."
Consider adding check-style hooks to GitHub Actions to scan for metasploits and common passwords included in your source code. The last thing you want is some derp adding some SQL onto the end of all your users' passwords... d'oh.
Hey,
Yes, you’re getting here into the realm of static code analysis.
I did mention ways of simple code scan to identify leaked strings, but I consider STA to be a field of its own that requires commercial solutions.
I wasn’t aware of the style check on GitHub and would look it up.
Thanks!
the new github actions are fantastic for that.
In my line of work, we've had sim-swapping attacks happen to a few employees. To mitigate this everyone is issued a hardware based MFA. Everyone gets 2 YubiKeys so just in case they lose one they can restore access to their accounts.
Additionally we have 1Password and separate vaults for each team. When an employee leaves the company the support team goes and rotates all the passwords in each vault the person had access to.
Personally I've made the cursed mistake of pushing up AWS secrets to GitHub. It's recommended everyone add git-secrets to their pre-commit workflow to prevent pushing up anything resembling a secret.
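An added example, not git-secrets itself and not code from anyone in this thread: a minimal pre-commit scanner in the same spirit. It grades only the lines a commit adds and blocks the commit when one of them carries an AWS access key ID or a hard-coded password; the diff, path and key value below are constructed for the demo.

```python
"""Added example (not the post's code): a minimal git-secrets-style pre-commit scanner."""
import re
import subprocess

# Patterns modelled on git-secrets' AWS default plus a generic password check.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "hardcoded_password": re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
ALLOW_MARKER = "# allow-secret"  # explicit opt-out for documented dummy values

# Constructed staged diff: one leak, one allow-listed dummy, one removed line.
SAMPLE_DIFF = """\
+++ b/config/settings.py
@@ -10,2 +10,3 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE0000000AB"
+DB_PASSWORD = "correct-horse-battery"  # allow-secret
-OLD_PASSWORD = "hunter2hunter2"
"""


def scan_diff(diff_text: str) -> list[tuple[str, int, str]]:
    """Return (path, new_line_no, pattern) for each added line that matches."""
    findings, path, line_no = [], "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):          # file header: remember the path
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):          # hunk header: restart numbering
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+"):           # added line: the only kind we grade
            line_no += 1
            if ALLOW_MARKER not in raw:
                findings += [(path, line_no, n) for n, rx in PATTERNS.items()
                             if rx.search(raw[1:])]
        elif raw.startswith(" "):           # context line advances numbering too
            line_no += 1
    return findings                         # removed ('-') lines are ignored


def main() -> int:
    """Hook entry point (.git/hooks/pre-commit): a non-zero exit blocks the commit."""
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True).stdout
    for path, line_no, name in (findings := scan_diff(diff)):
        print(f"{path}:{line_no}: possible {name}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Running `scan_diff(SAMPLE_DIFF)` reports only the key on line 11 of the new file; the allow-listed dummy and the removed line are skipped.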
This is fantastic.
Both the security processes you guys use and the pre-commit tools by AWS I did not know.
Thanks for sharing!
Great article. Didn't know that using these ways a hacker can pass through security.
Thank you Sarsa!
Certainly, lots of times I hear about "hacks" and sophisticated methods where the truth lies somewhere in between; scans can be sophisticated and thought through, but eventually it's a way to figure out someone's password and use it to log in.
I guess the percentage of real sophistication, research and bypassing complex mechanisms is extremely low. And so when it comes to security we actually do have a lot to do to prevent the vast majority of vectors and leave very little attack surface.
Fantastic article, mate! Thanks for sharing :)
Thank you 💪😁
This is a unique kind of post. I really like these. Well done!
Thanks mate! Much appreciated
Comprehensive and very informative article!
Thanks
Good day, people!
How do I protect a form on my site?
From bots and XSS..
I am a frontend dev. Backend dev I don't know..
Hey!
For XSS I suggest looking in OWASP's overview and their cheat sheet. XSS has lots and lots of techniques and I'd say it's a kind of its own skill. Make sure you use the suggested headers and avoid the usual pitfalls. The risky type is usually stored XSS in cases where the stored script is visible to other users. I'd make sure I know the basics and think how my application works and whether the risk it presents is worth diving in.
E.g. if my application is a message board, and a posted message is visible to lots of my users, a stored XSS may have a more serious effect than, let's say, a self-reflected XSS.
If users are at risk - put your efforts there. I hope this helps
Thank you! Another question..
How do I install AntiXSS on my website?
Can you write how to do it step by step?
Not sure what you’re referring to but if that’s a library that helps you set different XSS features it sounds like a good idea. Regardless, I still think it’s important to learn the actual basics so you can know how and when to use it correctly. It’s also good to understand the basic important concepts to know where a layer of protection is coming short.
Yes, this library (github.com/voku/anti-xss).
I don't know how to work with it..
This is hard for me.
Hey,
Basically, this is a library that offers its own functionality to escape special characters and HTML edge cases to prevent different kinds of XSS. In regards to usage, they have pretty straightforward instructions.
Don't know whether this is the best tool for the job but I can't recommend anything else since I'm not aware of any.
It's good that you care, understand the risk, and try to prevent the damage from happening.
Good luck
Hi )
I have connected all the protection.
How can I validate the form?
I want to check whether my protection is working or not.
If I paste alert(document.cookie) into the form, it will be sent to my mail. I will not see any JavaScript code displayed.
I need a method to test my XSS protection.
In other words, what I need to do is to make an XSS attack on my form so that I can see if my defense has worked or not.
I hope I have explained it clearly.
I am sorry my English is bad.
Hi,
Like I mentioned earlier, you probably want to learn the basics on your own and then validate your protection by "attacking" your own page. Here's a great video with explanations of different techniques. The guy also has a practice area where you can practice what you've learned: youtube.com/watch?v=EoaDgUgS6QA
When you protect something, be aware of what it is you are protecting from. "XSS" is a wide range of techniques that can abuse pages. If you protect from a certain technique - e.g. HTML tags, try exploiting your own form with something like <img src/onerror=alert(1)>. Here's another cheat sheet by PortSwigger where you can see an endless list of methods: portswigger.net/web-security/cross...