Passwords: do you keep them safe?

By Piotr Przybył

Elevator Pitch

Passwords are booooring. Nobody cares about them. Until it’s too late, and then they make you really jumpy! How do you minimise the impact of a data breach? How do you sleep more safely? How do you educate your users and admins? This talk answers these questions.

Description

Some say that keeping passwords in a [web] application is a boring and trivial task: some hashing, maybe some salt, et voilà! However, storing passwords and other sensitive data might not be as simple as it seems. You’ll see a bunch of examples of what to do and what not to do, based on a freelancer’s experience. Come and find out whether you’re sitting on a bomb.
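To make the "some hashing, maybe some salt, et voilà" point concrete, here is an added example written for this page (it is not code from the talk or its slides). It contrasts a fast, unsalted hash with a stored record that carries its own algorithm, per-user random salt and work factor, verifies with a constant-time comparison, and re-hashes on login when the stored work factor has fallen behind current policy. PBKDF2-HMAC-SHA256 is used only because it ships with the Python standard library; the iteration counts, the record format and the in-memory user store are assumptions for this example, not a recommendation from the talk.

```python
import base64
import hashlib
import hmac
import os

# Policy constants. The values are assumptions for this example, not the talk's;
# tune the iteration count so one verification takes a noticeable fraction of a
# second on your own hardware, and raise it over time.
CURRENT_ALG = "pbkdf2-sha256"
CURRENT_ITERATIONS = 600_000
SALT_BYTES = 16
DK_BYTES = 32


def naive_md5(password: str) -> str:
    """The "some hashing, et voilà" anti-pattern: fast and unsalted, so two
    users with the same password get the same digest and one precomputed
    table cracks every copy at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record "$alg$iterations$salt$digest".

    A fresh random salt per user defeats precomputation; the iteration count
    is stored alongside so it can be raised later without a data migration.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, DK_BYTES)
    return "$".join(["", CURRENT_ALG, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def parse_record(record: str):
    """Split a stored record into (alg, iterations, salt, digest)."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "":
        raise ValueError("malformed password record")
    _, alg, iterations, salt_b64, digest_b64 = parts
    return (alg, int(iterations),
            base64.b64decode(salt_b64), base64.b64decode(digest_b64))


def verify_password(password: str, record: str):
    """Return (ok, needs_rehash).

    The comparison is constant-time (hmac.compare_digest), and a correct
    password stored under an outdated work factor is flagged for re-hashing.
    """
    alg, iterations, salt, expected = parse_record(record)
    if alg != CURRENT_ALG:
        # Unknown or retired algorithm: refuse rather than guess.
        return False, False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, len(expected))
    ok = hmac.compare_digest(actual, expected)
    return ok, ok and iterations < CURRENT_ITERATIONS


def login(store: dict, username: str, password: str) -> bool:
    """Authenticate against an in-memory store and upgrade stale records.

    The store maps username -> record and stands in for a database table.
    """
    record = store.get(username)
    if record is None:
        # Spend roughly the same time as a real check so that response time
        # does not reveal whether the username exists.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            b"\x00" * SALT_BYTES, CURRENT_ITERATIONS, DK_BYTES)
        return False
    ok, needs_rehash = verify_password(password, record)
    if ok and needs_rehash:
        # The plaintext is only available at login, so this is the one
        # moment a stored hash can be upgraded to the current policy.
        store[username] = hash_password(password)
    return ok


if __name__ == "__main__":
    # Constructed sample data: a record created under an older, weaker policy.
    users = {"alice": hash_password("correct horse battery staple",
                                    iterations=100_000)}
    print("same md5 for two users:", naive_md5("hunter2") == naive_md5("hunter2"))
    print("login ok:", login(users, "alice", "correct horse battery staple"))
    print("record upgraded:", parse_record(users["alice"])[1] == CURRENT_ITERATIONS)
    print("wrong password:", login(users, "alice", "wrong"))
```

The record format is the whole point: because each stored hash names its own algorithm and cost, raising the work factor next year is a change to one constant plus a transparent upgrade at the user's next login, rather than a migration that needs every plaintext at once. That is what makes password storage an ongoing process rather than a one-off "use bcrypt" decision.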

Notes

Dear Reviewers

This presentation is My Private Mission™. The primary goal is to convince fellow developers that security isn’t something that happens in the firewall, the antivirus, etc., but in their code and in people’s minds. And that it’s an ongoing process which never stops. Why passwords? I’ve seen quite a few places where they’re not stored or treated with the required care. Also, recently I saw a short presentation at one of the “we’ll make ya a developer” bootcamps telling people to use bcrypt. Period. Without even the shortest WHY. (This is why mindless usage of bcrypt will become “the new md5” one day.)

So I’m trying to give this talk wherever I can. And, not to be too shy, I have to say that every time I give it, it gets better and better ratings, like 4.8/4.9 (out of 5) at KarieraIT and InfoMEET (both in Wroclaw). Last year I gave it at BoilingFrogs (video, talk in PL, slides in EN: https://www.youtube.com/watch?v=HREf-wiqzLA) and at the jLabs meetup in Krakow. Previously I also gave it at 4developers (under a different title), in an extended form at WroclawJUG (https://www.meetup.com/WroclawJUG/events/237070754/?eventId=237070754), and as two short versions at DevoxxPL and Chamberconf.

So why do I keep giving it? After each talk people ask me questions, and I also get e-mails with more questions and a warm “thank you”. And there are still more and more data breaches and passwords stolen. Because security isn’t a single event, it’s a never-ending process.

Thank you.

Best regards,
Piotr