Title: Analyzing and Fixing Password Protection Schemes


In this talk jOHN takes apart password protection schemes, analyzing the attack resistance of hashes, HMACs, adaptive hashes (such as scrypt), and encryption schemes. First, we present a threat model for password storage. Then audience members will learn the construction, performance, and protective properties of these primitives. Discussion of the primitives will be from a critical perspective, modeled as an iterative secure design session.

Ultimately, this session presents the solution and code donated as part of the ongoing OWASP PSM (password storage module) project. Discussion of this solution will include key techniques for hardening PSM learned through years of delivering production JavaEE code to customers.


John Steven, Internal Chief Technology Officer, Cigital Inc.
I spend incalculable time striving to make the perfect macchiato. Passionate about running and reading. I'm alarmed at the lack of innovation within application security over the past five years and anxious to get back to designing and implementing large-scale systems.

Others have said: John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultan…

Date: Thursday October 25, 2012 4:00pm - 4:45pm
Location: AppSecUSA, Austin, TX. Hyatt Regency Hotel. Adobe Room

Video: vimeo.com/54130351

OWASP AppSec USA 2012 Conference


These videos are from the 2012 AppSec USA conference from the Open Web Application Security Project in Austin, TX.
