dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added explanations for creating and storing passwords.

Browse Source
This commit is contained in:
Benedikt - Desktop 2018-12-03 11:25:55 +01:00 committed by Nanne Baars
parent 72e13889d0
commit 94b936036a
6 changed files with 78 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html
View File

@ -14,4 +14,12 @@
<div class="adoc-content" th:replace="doc:SecurePasswords_2.adoc"></div> <div class="adoc-content" th:replace="doc:SecurePasswords_2.adoc"></div>
</div> </div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SecurePasswords_3.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<div class="adoc-content" th:replace="doc:SecurePasswords_4.adoc"></div>
</div>
</html> </html>

13
webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc
View File

@ -2,6 +2,7 @@
The NIST password standard (also known as the https://pages.nist.gov/800-63-3/sp800-63b.html[Special Publications (SP) 800-series]) is a guideline that provides recommendations for implementing secure password systems. The NIST password standard (also known as the https://pages.nist.gov/800-63-3/sp800-63b.html[Special Publications (SP) 800-series]) is a guideline that provides recommendations for implementing secure password systems.
=== Password rules
Here are some of the most important recommendations made by the most recent NIST standard: Here are some of the most important recommendations made by the most recent NIST standard:
- *no composition rules* + - *no composition rules* +
@ -27,3 +28,15 @@ Here are some of the most important recommendations made by the most recent NIST
* dictionary words * dictionary words
* repetitive or sequential characters (e.g. aaaaaa, 1234abcd) * repetitive or sequential characters (e.g. aaaaaa, 1234abcd)
* context-specific words, such as the name of the service, the username, and derivatives thereof * context-specific words, such as the name of the service, the username, and derivatives thereof
=== Usability
Besides the recommendations above, the NIST standard also recommends to increase the usability of password forms to increase the likelihood of users choosing a strong and secure password. Some of those are:
- *allow pasting into the password input* +
Users should be able to use the "paste" functionality when entering a password.
Since this facilitates the use of password managers, it also increases the likelihood that the user will choose a strong password.
- *allow to display the password* +
Password inputs should have an option to display the entered password to assist the user in successfully entering a password.
- *offer a strength meter* +
Add a strength meter on the password creation page to help the user to choose a strong and secure password.

19
webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc Normal file
View File

@ -0,0 +1,19 @@
== Are your passwords secure?
What about you? Are your passwords secure?
There are websites that allow to test if one of your accounts got breached in a past data breach. +
Go to https://haveibeenpwned.com/Passwords[Have I Been Pwned] or https://www.dehashed.com/[DEHASHED] per example and test if your account got breached.
If so, better change your passwords *right now*!
=== What can you do to improve security of your account?
- *use different passwords for different accounts* +
It is a good thing to NOT use the same password for multiple accounts but rather to use different passwords for each one.
* *use passphrases* +
Use passphrase generators like https://www.rempe.us/diceware/#eff[Diceware] to generate passphrases.
Passphrases are passwords made out of a number of words instead of randomly generated character sequences.
This makes them way easier to remember for us human beings. And by the way: The longer the better!
* *use a password manager* +
If you can't remember all of your different passwords, use a password manager to create an then securely store your passwords.
- *use two factor authentication* +
If possible, use two factor authentication methods to add an extra layer of security to your accounts.

33
webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc Normal file
View File

@ -0,0 +1,33 @@
== Storing passwords
After a strong and secure password was created, it also has to be stored in a secure way.
The NIST gives recommendations on how applications should handle passwords and how to store them securely.
=== How should a password be stored?
- first of all: *use encryption and a protected channel for requesting passwords* +
The verifier shall use approved encryption and an authenticated protected channel when requesting memorized secrets
in order to provide resistance to eavesdropping and MitM (Man-in-the-middle) attacks.
- *resistant to offline attacks* +
Passwords should be stored in a form that is resistant to offline attacks.
- *use salts* +
Passwords should be salted before storing them.
The salt shall have at least 32 bits in length and should be chosen arbitrarily so as to minimize salt value collisions among stored hashes.
- *use hashing* +
Before storing a password it should be hashed with a one way key derivation function.
The function takes the password, the salt and a cost factor as inputs and then generates a password hash. +
Examples of suitable key derivation functions:
* Password-based Key Derivation Function 2 (https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[PBKDF2]) (as large as possible => at least 10.000 iterations)
* https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[BALLOON]
* The key derivation function shall use an approved one-way function such as:
** Keyed Hash Message Authentication Code (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS198-1[HMAC])
** any approved hash function in https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-107[SP 800-107]
** Secure Hash Algorithm 3 (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS202[SHA-3])
** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-38B[CMAC]
** Keccak Message Authentication Code (KMAC)
** Customizable SHAKE (cSHAKE)
** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-185[ParallelHash]
- *memory hard key derivation function* +
Use memory hard key derivation functions to further increase the needed cost to perform attacks.
- *high cost factor* +
The cost factor (iteration count) of the key derivation function should be as large as verification server performance will allow. (at least 10.000 iterations)

7
webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc
View File

@ -1,9 +1,8 @@
== Secure Passwords == Secure Passwords
In this lesson the user will learn about how to create secure passwords. In this lesson the user will learn about how to create strong passwords and how to store them in a secure way.
We will take a look at most important recommendations made by the NIST password standard. We will take a look at most important recommendations made by the NIST password standard.
Goals: Goals:
- The user knows how a secure password should look like and what specifications it should fulfill - The user knows how a strong password should look like and what specifications it should fulfill
- The user has a basic understanding of how to implement a secure password system - The user has a basic overview of what to pay attention to when developing an application that stores passwords