The All Things Auth Podcast

Michal Špaček shares the story of how the Password Storage project has convinced hundreds of companies to publicly disclose their password storage practices and assigned each a grade based on how well they follow best practices.

We discuss hashing algorithms and the technology behind storing passwords securely. Learn why a company who follows the technical best practices might still not earn an A grade if they do not have a public disclosure, or if they rely on an Invisible Disclosure.

We compare the Password Storage project to other fantastic security tools, including SSL Labs and Mozilla Observatory.

Michal outlines how the grading criteria will change in the short term, highlights the desire to get more companies included in the data set, and contemplates how the project will continue to grow over time.

This episode was initially published in August 2019, the 5 year anniversary of Michal’s talk at BSides Las Vegas 2014, which planted the seeds that eventually grew into the Password Storage project. Happy birthday, Password Storage!

Social media & website

• Twitter: @PasswordStorage, @spazef0rze
• Website: Password Storage disclosures, michalspacek.com

Resources mentioned in episode

• Michal launched Password Storage at BSides Las Vegas in 2016. You can see the slides from his talk here.
• Bruce K. Marshall is a researcher and consultant dedicated to improving the application of authentication technologies, products, and good practices. He founded PasswordResearch.com to better share the password information he was collecting.
  • You can find Bruce on Twitter @PwdRsch.
• Michal’s wrote an article titled “Upgrading existing password hashes” that explains how to gracefully migrate passwords hashed with a legacy algorithm to a secure and modern algorithm.
• To get your website listed in the Password Storage project, check out the FAQ.

You can find the host of The All Things Auth Podcast on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/005-michal-spacek-of-password-storage

Conor explains what security keys are and why they provide a stronger level of security than other methods of 2FA. He shares the story about how he created and sold his first open-source security key on Amazon while he was an undergraduate studying Computer Engineering and how that project evolved into a wildly successful Kickstarter project that launched SoloKeys the company.

Towards the end of the conversation, Conor shares his thoughts on the recent trend of using phones as security keys and highlights Somu, the next exciting product that he and his team are working on right now.

Social media & website

• SoloKey’s Twitter: @SoloKeysSec
• SoloKeys website
• Conor Patrick’s Twitter: @_conorpp

Resources mentioned in episode

• Phishing resistance two factor authentication (2FA) comes from implementing the FIDO2: WebAuthn & CTAP specifications.
• U2F Zero security key
  • In his blog post, Designing and Producing 2FA tokens to Sell on Amazon, Conor explains how he created and sold an open source security key named U2F Zero while an undergrad in university.
  • You can access the hardware designs and software in the GitHub repo conorpp/u2f-zero.
  • You can build your own U2F Zero by following the instructions in the Build a U2F Token wiki page.
• SoloKey security key
  • SoloKeys, the company, launched after raising $125,000 in a hugely successful Kickstarter project.
  • In his blog post, Designing Solo, a new U2F/FIDO2 Token, Conor explains
  • The hardware and software for SoloKey’s open source hardware security key, Solo, is available in the GitHub repo solokeys/solo.
• Google Security Blog: Now generally available: Android phone’s built-in security key
• NitroKey security key
  • NitroKey, a commercial provider of security keys, based their open source U2F security key on Conor’s U2F Zero project. You can access the Nitrokey firmware and hardware in the GitHub repo Nitrokey/nitrokey-fido-u2f-firmware.
  • NitroKey is also building security keys based on SoloKey’s current design as well.
• Somu: A tiny FIDO2 security key for two-factor authentication and passwordless login

Canonical URL: https://allthingsauth.com/podcast/001-conor-patrick-of-solokeys

Social media & website

• Twitter: @1password
• Website: 1password.com

Resources mentioned in episode

• Conor and Pilar frequently reference 1Password’s White Paper, which explains the security architecture and overall security philosophy of the company.
• Pilar mentioned the well known XKCD comic on password strength that popularized the comical phrase “correct horse battery staple”.
• 1Password’s Watchtower has many useful features related to monitoring the security of your account passwords and your use of two factor authentication (2FA).
• You can learn more about Troy Hunt’s Pwned Passwords API here and here. Also, check out Junade Ali’s post on the Cloudflare blog about why and how he proposed the Pwned Passwords API should use k-anonymity.
• Conor mentions the NIST special publication 800-63B, which contains password best practices.
• 1Password has a $100k bug bounty hosted on BugCrowd.

You can find the host of The All Things Auth Podcast on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/008-pilar-garcia-of-1password.

1. Yixin Zou
   1. Social: @yixinzou1124
   2. University: School of Information at University of Michigan
   3. Paper: An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites
2. Karoline Busse
   1. Social: @kb_usec
   2. University: Institute of Computer Science 4 Security and Networked Systems at University of Bonn
   3. Paper: Replication: No One Can Hack My Mind Revisiting a Study on Expert and Non-Expert Security Practices and Advice
3. Anthony Vance
   1. Social: @anthonyvance, anthonyvance.com
   2. University: Center for Cybersecurity of the Fox School of Business at Temple University in collaboration with Neuro Security Lab at Brigham Young University
   3. Paper: The Fog of Warnings: How Non-essential Notifications Blur with Security Warnings
4. Sarah Pearman and Shikun Aerin Zhang
   1. Social: in/sarahpearman, sarahpearman.com
   2. University: CyLab at Carnegie Mellon University
   3. Paper: Why people (don’t) use password managers effectively
5. Kyle Crichton
   1. Social: in/kyle-crichton-81b72359
   2. University: CyLab Usable Privacy and Security (CUPS) Laboratory at Carnegie Mellon University
   3. Paper: Incentives for Enabling Two-Factor Authentication in Online Gaming

You can find the host of The All Things Auth Podcast on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/007-soups-2019-part-2

Alex shares the story of how Krypton first started as a secure messaging app, then evolved to help developers manage SSH keys, and today aims to make phishing resistant two factor authentication a realistic option for average internet users.

We get Alex’s thoughts on Google’s recent focus on allowing Android phones to be used as security keys, what happens if you lose your phone, and different approaches to account recovery.

Social media & website

• Kryptco: krypt.co, @kryptco, [email protected]
• Alex Grinman: www.alexgr.in, @alexgrinman

Resources mentioned in episode

• Phishing resistant two factor authentication (2FA) comes from implementing the FIDO2: WebAuthn & CTAP specifications.
• Krypton’s blog post, Our Zero-Trust Infrastructure, explains how the Krypton app pairs your phone to your browser to guarantee secure communication.
• You can find all of Kryptco’s open source software on GitHub.
• Google Security Blog - Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys

You can find Conor, the host, on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/002-alex-grinman-of-kryptco