A Recipe for Password Storage: Add Salt to Taste

Presented at CHCon '20 (2020), Oct. 31, 2020, noon (Unknown duration).

Every time a website gets breached you hope to hear "your password was salted and hashed: instead of "your passwords were stored in plain text" - but what does that actually mean, and why is it a good thing?

Wash your hands, don your apron, and join me for as we follow the recipe for storing passwords safely. We'll learn a bit about cryptography and one-way functions (that's the hash!), how to source good ingredients (bcrypt, scrypt, argon, oh my!), why adding a pinch of salt helps, how many times must we stir the mix, and what happens if we miss a step? In the face of an attacker, will our delicious password loaf rise to the occasion, or will it fall flat in disappointment and despair?!

Presenters:

• Nick Malcolm
  Nick specialises in Application Security and works as a consultant at Aura Information Security in Wellington. He runs secure developer training and gets embedded in development teams to offer security advice. He regularly presents at meetups and conferences, including OWASP Day 2020 and 2017, CyberCon AU 2018, and AppSec AU 2017.

Links:

• https://2020.chcon.nz/talks/nick

Similar Presentations:

• BSidesLV 2017 / Sex, Secret and God: A Brief History of Bad Passwords
• HOPE 2020 Virtual Rescheduled / Password Superpowers: How to Crack Hashes and Stump Hackers
• CackalackyCon 2 (2023) / Password Attacks 101: Exploiting Human Weaknesses