Viewing 0 current events matching “passwords” by Event Name.

No events were found.

Viewing 2 past events matching “passwords” by Event Name.

Wednesday
Apr 2, 2014
OWASP Chapter Meeting
Jive Software

Kevin Dyer will be presenting:


High-Profile Password Database Breaches: A Tale of (Avoidable) Blunders

Over the last few years, password database breaches reported in the mainstream press have increased in frequency and magnitude. There is a typical pattern: service providers, such as Adobe or Yahoo or Snapchat, fail on at least two fronts. First, network perimeters and databases are breached; then, improperly secured user data and passwords are exfiltrated and shared in cleartext. Even if the former can't be prevented, there are security best practices to mitigate the impact of the latter, which are (seemingly) ignored.

In this talk, we'll discuss specific case studies and review the essential security best practices for storing sensitive user information. The goal is to show that in every case free, off-the-shelf tools are available that would have mitigated the scope of the breach and (possibly) the onslaught of negative publicity. As one example, we'll build intuition for why using Scrypt (a memory-hard function) is superior to traditional cryptographic hash functions for storing passwords.

Kevin P. Dyer is a PhD student at Portland State University. His research focuses on network security and building protocols resistant to traffic-analysis attacks and censorship. Previously, Kevin worked as a software engineer in telecommunications security, web security and network security. He holds an MSc in the Mathematics of Cryptography and Communications from Royal Holloway, University of London, and a BS in Computer Science with Mathematics from Santa Clara University.


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list:

 https://lists.owasp.org/mailman/listinfo/owasp-portland

Meetings are free and open to the public.

Thursday
Dec 4, 2014
OWASP Chapter Meeting
New Relic

Joseph Arpaia, MD will be presenting: Hiding in Plain Sight: A Mnemonic Method For Creating Secure Passwords

The human brain is not suited to recalling secure passwords composed of random sequences of characters, especially if they are not used regularly. Humans are excellent at recalling sentences, even years after learning them, e.g. nursery rhymes and song lyrics. This ability can be used to create a mnemonic method for generating a large number of passwords from one remembered passphrase, even if the passphrase and the associated characters are not kept secret.

Joseph Arpaia received his BS in Chemistry from CalTech and his MD from UC Irvine where he also did research in electrophysiology and applications of chaos theory to psychiatry. He is a psychiatrist in private practice in Eugene, OR and applies heart rate variability analysis in his work with patients. He also teaches applications of mindfulness meditation to psychotherapy at the University of Oregon and is the co-author of Real Meditation in Minutes a Day. He has a long-standing interest in passwords and security which dates back to his experience at age 8 when he came up with a Vernam cipher in response to a challenge by his father to encrypt a text message.


The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. To sign up for future meeting notes and to discuss security topics with local gurus, sign up on the OWASP Portland mailing list: https://lists.owasp.org/mailman/listinfo/owasp-portland


Meetings are free and open to the public.
