2012: passw3rd

Passw3rd. Neil Matatall, [email protected], @nilematotle. OWASP LA, November 30, 2011

Uploaded by neil-matatall, posted 15-Jan-2015


DESCRIPTION

Credentials are not passed around when source code is shared. Unintentional exposure of source code does not reveal credentials. Read-access to source code can be much more permissive. Source code can be checked into version control systems without concern for exposure of credentials. It is easier to change credentials without having to worry about changing all instances. Leaving credentials in source code leads to poor password management in general. If changing a credential requires you to change code, you are less likely to want to do it.

TRANSCRIPT

2. Remember

3. What is it?
- Cross-platform, cross-language password management for applications
- A tool that keeps passwords out of code and configuration files, but keeps them in encrypted files
- Keys for development/test environments can be checked in to version control; production keys must be protected

4. Nerd stuff
- Uses openssl to generate an AES-256 key and IV (configurable)
- The keys are stored in a location protected by OS access controls
- Password files are generated which store an encrypted version of the password
- Encryption is done using the CBC and CFB modes of operation

5. Gotchas
- EACH WEB APPLICATION MUST RUN AS A SEPARATE USER
- But you already knew that
- Why? Because one application can read any password file owned by the same user/group/etc.
- Can't protect from in-memory access
- Anyone can put a logger in and see the password

6. Give me the run down
Generate keys:
    $ passw3rd g
    generated keys in /Users/neil
(creates .passw3rd-encryptionIV and .passw3rd-encryptionKey)
Create a password file:
    $ passw3rd e file_name
    Enter the password:
    Wrote password to /Users/neil/file_name
Verify the password can be retrieved:
    $ passw3rd d file_name
    The password is: asdf
At the moment, there is only a ruby command line client. And I intend to keep it that way. It's just a pain to maintain.

7. Business model

8. Phase 1: Find Passwords
    development:
      adapter: mysql
      database: rails_development
      username: app_user
      password: my super secret password

9. Phase 1: Collect Passwords
    development:
      adapter: mysql
      database: rails_development
      username: app_user
      password:

10. Phase 1: Ensure Safety
- While you collect passwords, take note of accounts that do not have separate dev/prod accounts.
- Passw3rd is useless if all of your passwords are the same in each environment.

11. Phase 2
CHANGE ALL PASSWORDS!!!!

12. Phase 3: Profit
- Need a password rotation? Fine, just create a new password file for the affected accounts
- Need a new server? Just make the keys part of your build script
- Need to rotate your key? Trivial, decrypt with the old, encrypt with the new. Use the key rotation script... wait, hold on a second, you can't change... oh yeah, that sounds like a good idea

13. Performance
    $ time ruby -e "require 'passw3rd'; X.times { Passw3rd::PasswordService.get_password('asdf') }"
    X = 100:       0.281s
    X = 1,000:     0.359s
    X = 10,000:    1.081s
    X = 100,000:   8.372s
    X = 1,000,000: 1m21.007s
This is without optimization; the file is opened and read during each iteration.

14. Passw3rd Current Support
The ruby library supports URIs, java not so much.

15. Passw3rd Future Support
- Python
- .NET
- PHP
Passw3rd is an official OWASP project, so there is an entire community behind it:
https://www.owasp.org/index.php/OWASP_Passw3rd_Project#tab=Project_About

16. Roadmap
- Key rotation script
- Cipher changing script
- URI support
- Client cert support coming
- Audit logging
- Clone password sets
- Multi-key support???
- Portable passw3rd profiles (one file per app)???
- Load encrypted password files in memory for rapid sequential decryption???
Be my guest: https://github.com/oreoshake/passw3rd/issues

17. Go collect some underwear!
http://www.itd.umich.edu/posters/

18. [email protected] - @nilematotle
Questions?
https://github.com/oreoshake/passw3rd
https://github.com/oreoshake/passw3rd_java
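The key-and-IV-file scheme from the "Nerd stuff" and "run down" slides, together with the file-permission point behind the "Gotchas" slide, as an added Ruby example. This is not the passw3rd gem's own code: the module name Passw3rdDemo, its method names, the Base64 on-disk format and the insecure_key_files check are assumptions made here. It uses Ruby's OpenSSL binding rather than the openssl command the slides mention, fixes the mode to AES-256-CBC (the slides also mention CFB), and borrows only the key file names shown on slide 6.

```ruby
require 'openssl'
require 'base64'
require 'fileutils'
require 'tmpdir'

# Hypothetical re-implementation of the passw3rd idea: an AES-256 key and IV
# live in owner-only files, and each password is encrypted into its own file.
# Example code, not the passw3rd gem; the API below is invented.
module Passw3rdDemo
  CIPHER   = 'AES-256-CBC'.freeze
  KEY_FILE = '.passw3rd-encryptionKey'.freeze  # names taken from slide 6
  IV_FILE  = '.passw3rd-encryptionIV'.freeze

  # Equivalent of "passw3rd g": random key and IV, written with mode 0600 so
  # the OS access controls are what protects them.
  def self.generate_keys(key_dir)
    cipher = OpenSSL::Cipher.new(CIPHER)
    FileUtils.mkdir_p(key_dir)
    write_private(File.join(key_dir, KEY_FILE), Base64.strict_encode64(cipher.random_key))
    write_private(File.join(key_dir, IV_FILE),  Base64.strict_encode64(cipher.random_iv))
    key_dir
  end

  # Equivalent of "passw3rd e file_name": encrypt one password into a file.
  def self.encrypt_password(key_dir, password_file, password)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key, cipher.iv = load_keys(key_dir)
    ciphertext = cipher.update(password) + cipher.final
    File.write(password_file, Base64.strict_encode64(ciphertext))
    password_file
  end

  # Equivalent of "passw3rd d file_name": decrypt the file back to clear text.
  # Key and password files are re-read on every call, as the unoptimized
  # timings on the performance slide describe.
  def self.get_password(key_dir, password_file)
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key, cipher.iv = load_keys(key_dir)
    ciphertext = Base64.strict_decode64(File.read(password_file))
    cipher.update(ciphertext) + cipher.final
  end

  # Defender check (assumed here, not on the slides): the scheme only holds if
  # other accounts cannot read the key material, so report key files whose
  # group or other permission bits (0o077) are set.
  def self.insecure_key_files(key_dir)
    [KEY_FILE, IV_FILE].map { |f| File.join(key_dir, f) }
                       .select { |path| (File.stat(path).mode & 0o077) != 0 }
  end

  def self.load_keys(key_dir)
    [KEY_FILE, IV_FILE].map { |f| Base64.strict_decode64(File.read(File.join(key_dir, f))) }
  end

  def self.write_private(path, contents)
    File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(contents) }
    File.chmod(0o600, path) # the create mode is ignored if the file already existed
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    Passw3rdDemo.generate_keys(dir)
    file = Passw3rdDemo.encrypt_password(dir, File.join(dir, 'db_password'), 'asdf')
    puts "The password is: #{Passw3rdDemo.get_password(dir, file)}"
    puts "Insecure key files: #{Passw3rdDemo.insecure_key_files(dir).inspect}"
  end
end
```

The check in insecure_key_files is exactly as far as file permissions can take you: two applications running under the same account get identical read access from the OS, which is the reason the "Gotchas" slide insists on one user per web application, and nothing in the file layout helps once the decrypted password is in process memory. Wiring this into a Rails database.yml would mean leaving the password line empty, as the "Collect Passwords" slide shows, and filling it from get_password at load time; how that call is spelled in the real gem is not shown on the slides.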