Title: Analyzing and Fixing Password Protection Schemes


In this talk jOHN takes apart password protection schemes, analyzing the attack resistance of hashes, HMACs, adaptive hashes (such as scrypt), and encryption schemes. First, we present a threat model for password storage. Then audience members will learn the construction, performance, and protective properties of these primitives. The primitives are discussed from a critical perspective, modeled as an iterative secure design session.

Ultimately, this session presents the solution and code donated as part of the ongoing OWASP PSM (Password Storage Module) project. Discussion of this solution will include key techniques for hardening PSM learned through years of delivering production Java EE code to customers.


John Steven, Internal Chief Technology Officer, Cigital Inc.
I spend incalculable time striving to make the perfect macchiato. Passionate about running and reading. I'm alarmed at the lack of innovation within application security over the past five years and anxious to get back to designing and implementing large-scale systems.

Others have said: John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultan…

Date: Thursday October 25, 2012 4:00pm - 4:45pm
Location: AppSecUSA, Austin, TX. Hyatt Regency Hotel. Adobe Room
