Date: Fri, 3 Jun 2016 19:55:59 +0200
From: Per Thorsheim <>
Subject: BSidesLV / #passwords16 keynote + 3 talks

I am very happy to announce Lorrie Faith Cranor as the opening keynote
of BSidesLV. You can learn more about Lorrie here:

I am also very happy to announce these "early bird" selected talks for
our #passwords16 track. More to come in the next few days.

Arnold Reinhold

Arnold Reinhold has been involved with password and passphrase security
since the mid-1990s. He is the developer of Diceware, CipherSaber and
HEKS, the first password hash designed to consume memory resources as
well as CPU time.

"Rock Salt: A Method for Securely Storing and Utilizing Password
Validation Data"

Rock Salt™ is a method for storing and accessing password verification
data on multi-user computer systems that resists remote attacks. Along
with commonly-employed measures that limit the number of unsuccessful
attempts to login or otherwise verify a password, it allows users to
choose relatively simple passwords with full security. The secret
component cannot be easily leaked or exfiltrated by malware, does not
require periodic backup and is isolated in a way that allows it to be
protected by conventional security measures, such as safes, alarm
systems and video surveillance, from attackers who somehow gain access
to the computing facility.

Nick Sullivan

Nick is the head of crypto at CloudFlare.

PAL is your pal: Bootstrapping secrets in Docker

Many services that run in Docker containers need to have highly
sensitive secrets installed on them. Examples of this include SSL
certificates and API keys. Services like Vault and Keywhiz were
developed to manage secrets to central authority, however, most of these
secret management services require a secret to be present. This presents
a bootstrapping problem. To solve this, CloudFlare created PAL: a new
tool for bootstrapping secrets in Docker containers.

PAL (Permissive Action Link, named after a tool used to prevent
unauthorized detonation of nuclear devices) works by binding identity
secrets to Docker containers and decrypting them at launch time through
a service running on the host. Permissions require M of N authorization
and are handled through a service called Red October. This allows you to
simply and transparently bootstrap service-specific secrets.

In this talk I’ll describe the design and implementation of this service
and how we use it at CloudFlare to protect secrets for our billing
platform and private key infrastructure. We’ll also briefly discuss our
plans to use PAL for password hashing and service authorization.

Jim Fenton

(No bio provided. Personally I think Jim is *awesome*)

Toward better password requirements

While we often discuss examples of poor password requirements, it’s also
useful to consider a sample set of good requirements and practices. NIST
Special Publication 800-63, which defines authentication requirements
for Federal Government agencies, is currently being revised and seeks to
establish requirements that are aligned with current understanding of
threats and user behavior. This talk will discuss the rationale for
these changes and opportunities for comment.

As authentication threats have evolved and we have learned more about
user behavior, what were considered best practices several years ago are
no longer current. For this reason, guidance on user authentication
needs periodic revision. NIST Special Publication 800-63, which sets
technical requirements for authentication and identity proofing by the
Federal Government, is currently in the process of such a revision.

SP 800-63B, subtitled “Authentication and Lifecycle Management”, is a
new document dealing specifically with user authentication. It changes
the requirements for memorized secrets (passwords) in several ways:
- Emphasis on long, memorable passwords
- No use of composition rules
- No hints and prompts (name of first pet, etc.)
- Use of dictionary of compromised passwords to disallow poor choices
- No arbitrary (e.g., periodic) password changes

Beyond the realm of passwords per se, SP 800-63B also clarifies and
strengthens the requirements for two-factor authentication and account
recovery. The use of SMS (text messaging) as an out-of-band
authentication mechanism has been deprecated due to security issues that
have been seen with this technique. Requirements for account recovery
have also been strengthened, in an effort to avoid having account
recovery act as an authentication back door, particularly for two-factor

Best regards,
Per Thorsheim
Founder of
CEO of
Phone: +47 90 99 92 59
Twitter: @thorsheim
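The five SP 800-63B points listed in Jim Fenton's abstract above, written out as a password acceptance check so the contrast with a composition-rule policy is visible. This is an added example and is not code from the post, from NIST or from any of the speakers; the 8-character minimum, the 64-character ceiling and the small compromised-password dictionary are assumptions constructed for illustration.

```python
"""Password acceptance aligned with the SP 800-63B draft bullets:
long memorable passwords, no composition rules, no hints, a dictionary
of compromised passwords, and no arbitrary periodic changes.

Added example; not from the mailing-list post or from NIST.
"""
import unicodedata
from typing import Tuple

# Constructed sample of a "compromised passwords" dictionary. A real
# deployment loads a breach corpus; these entries are for illustration only.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "p@ssw0rd", "passwords16"}

MIN_LENGTH = 8    # assumption: floor chosen for the example
MAX_LENGTH = 64   # assumption: ceiling high enough to allow long passphrases


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Deliberately applies no composition rules and collects no hints:
    only length bounds and a compromised-password dictionary lookup.
    """
    secret = normalize(candidate)
    if len(secret) < MIN_LENGTH:
        return False, "too short"
    if len(secret) > MAX_LENGTH:
        return False, "too long"
    if secret.lower() in COMPROMISED:
        return False, "appears in compromised-password dictionary"
    return True, "ok"


def legacy_check(candidate: str) -> bool:
    """The kind of composition rule the list above drops: require an
    upper-case letter, a lower-case letter, a digit and a symbol."""
    return (
        len(candidate) >= MIN_LENGTH
        and any(c.isupper() for c in candidate)
        and any(c.islower() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(not c.isalnum() for c in candidate)
    )


def needs_rotation(age_days: int, compromise_evidence: bool) -> bool:
    """No arbitrary (e.g. periodic) change: a reset is required only when
    there is evidence of compromise, regardless of the password's age."""
    return compromise_evidence


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "P@ssw0rd", "short"):
        print(repr(pw), "800-63B:", check_password(pw), "legacy:", legacy_check(pw))
```

Run stand-alone, the passphrase passes the 800-63B-style check but fails the composition rule, while "P@ssw0rd" satisfies every composition rule and is rejected only by the compromised-password lookup; that inversion is the point of dropping composition rules in favour of a breach dictionary.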
