Announcing PassProtect – Proactive Web Security


If you’re reading this article you probably care about web security. You probably use a password manager to manage your passwords, you’ve probably got multi-factor authentication set up for all of your services, and you’re probably already subscribed to Have I Been Pwned? so you’re alerted when one of your logins has been involved in a data breach.

But you’re not most people.

Most web users are completely disconnected from the incredible advancements that have been made in the web security world over the last handful of years. Most web users aren’t notified when their credentials are leaked in a data breach, and to make matters worse, most users whose credentials are breached never reset their passwords.

Wouldn’t it be great if the websites that users visited every day could automatically notify users when the credentials they’re using are unsafe? This would give them the opportunity to change their unsafe passwords before attackers can take advantage of them. It would give them the knowledge they need to take the security of their personal information into their own hands.

This is what our new developer library, PassProtect, enables.

Instead of being the victim during a breach, PassProtect transforms even the most casual internet users into data security experts on par with you and me.

The way PassProtect works is simple: by including a single JavaScript tag in your web pages, your users will instantly start getting notifications if the credentials they’ve entered on your site are unsafe.

<html>
  <head>
    <!-- ... -->
  </head>
  <body>
    <!-- ... -->
    <script src="https://cdn.passprotect.io/passprotect.min.js"></script>
  </body>
</html>

What do users see? An informative notification that gives them the information they need to make a good choice:

PassProtect is built with casual users in mind, and provides simple but informative notifications. To avoid being annoying, PassProtect uses smart caching to ensure notifications are never repeated in a single session in any way that would hurt user experience.

Furthermore, PassProtect piggybacks off the fabulous Have I Been Pwned? service, the largest database of breached credentials on the internet (created by our friend, Troy Hunt).

And because the data PassProtect works with is so sensitive (user passwords), we ensure that PassProtect never stores, collects, or sends any password data over the network. Instead, PassProtect relies on k-anonymity (created by our friends at Cloudflare), which just so happens to be the best way to verify that a password exists in a remote database without ever sending that password (or the full hash of that password) over a network. =)

This all sounds great, right!? The only problem is that our goal of dramatically improving the security of casual web users will only be realized if every developer embeds PassProtect in their websites. This is why I also went ahead and built a Chrome Extension for PassProtect as well. Firefox support will be coming soon.

This way, web users who want to take advantage of PassProtect directly can do so, and every website they visit will instantly inherit PassProtect’s functionality automatically!

Nothing is truly secure. At some point or another, all systems will be subject to a vulnerability of some sort. Security will always be a cat-and-mouse game between attackers and defenders, and to win you need to hope for the best but prepare for the worst.

We sincerely hope that PassProtect will help make the negatives (data breaches) a lot more positive by empowering individual users to reset their credentials when necessary and take charge of their personal data security.

If you’d like to get PassProtect for your website, please check out our GitHub repo (which contains far more information). If you’d like to use PassProtect in your browser, please check out our Chrome Extension.

PS: If you’ve had a chance to play around with PassProtect please let me know what you think! Leave a comment down below or shoot me an email.


ToDo: The Web Security Congress


The Web Security Congress

April 10th

Courtyard by Marriott Warsaw Airport

Zwirki i Wigury 1

Warsaw, Poland


Throughout 2017, the topic of cybersecurity kept resurfacing as the world observed multiple high-profile cyber attacks paralyze major corporations around the world. From the attacks on Equifax and Uber, through WannaCry ransomware, to Deloitte being targeted, it’s been proven that no one’s truly safe these days. There are, however, precautions we can take to get our businesses ready for modern times. If you need a primer on the topic, The Web Security Congress is right around the corner!

The newest edition of the one-day conference will take place in Warsaw on April 10th at Courtyard by Marriott Warsaw Airport. Aimed at cybersecurity enthusiasts and IT experts alike, The Web Security Congress will be a place to share experiences related to maintaining our online presence without putting ourselves at risk.

With an expert-filled attendance list, the organizers promise discussions about cybercrime, the challenges faced by IT security specialists, methods of preventing cyber attacks and information leakage, the legal aspects of cyber security, as well as various methods to keep businesses secure. Participants of the conference will get a chance to attend talks conducted by leading experts in the field of cybersecurity, such as Paweł Wałuszko of AdRem Software, Artur Żebrowski, the head of IT at Amazon, Maciej Kaczmarek of Netgear, Piotr Kubiak of A plus C Systems, Izabela Lewandowska-Wiśniewska, and Rafał Gołębiowski of BGŻ BNP Paribas.

Here are just some of the talks you’ll find on the agenda:

  • Cybersecurity – a complex approach to management
  • New Trends in IT Infrastructure Management
  • How to prevent data leakage? 7 examples of proactive network monitoring.
  • Information gathering – a few words about the importance of reconnaissance
  • When a problem turns into an accident, and an accident into a catastrophe – how to think about survival in a global context

It truly sounds like an event you can’t miss! Best of all, attendance is free, and participants who register beforehand will receive access to post-conference materials as well. For more information about the conference, including the detailed agenda and an insight into the announced speakers, head to The Web Security Congress’ page on GigaCon, or to their Facebook Event.

The article ToDo: The Web Security Congress originally appeared on ImpactCEE.

Blog: Principles of Web Security


Principles of Web Security

September 25, 2013

We’ve been doing a lot of work recently building a best-practice guide on security and wanted to be able to send our clients a simple list of principles written in plain language.

  1. There is Safety in the Herd: Leverage large, well-maintained open source libraries (packages) with a critical mass of users and developers. Use compiled packages and check the data integrity of downloaded code. Start with OpenBSD, Debian/Ubuntu or RedHat/CentOS WITHOUT cPanel.
  2. Order Matters: Don’t open up services to the Internet before your server is properly secured.
  3. Limit Exposure: Only install and maintain what is necessary. Reduce the amount of code installed. Review server configuration regularly to see if it can be streamlined.
  4. Deny Access by Default: Only allow access where it is needed, and make all access policies deny by default.
  5. Use Well Known Security Tools: There are several well-supported libraries that limit exposure and check for intrusion. Use them on your web server.
  6. Avoid Writing Custom Code: Even large government departments don’t invest properly in regular, ongoing code reviews. Minimize the use of any custom code.
  7. Contribute Back: No software is ever perfect. There is always room for improvement. Make the code you use better and then give your changes back to the community. An added bonus is that if you do it properly you will get free peer review and maintenance support.
  8. Limit Access: There need to be clear, documented roles of who has access to what. Only use root access when required. Isolate distinct roles where possible. Everyone with access needs their own account; shared accounts are insecure.
  9. Make Your Application Happy: When running smoothly, your server should not be generating errors. Monitor your server, then investigate and resolve errors.
  10. Document Everything: Make sure you have an overview of any customizations which may have been done or any additional software that may have been added.
  11. Limit Use of Passwords: Have sane organizational policies on password requirements and use passwordless approaches, which are less susceptible to brute-force attacks.
  12. Don’t Trust Your Backup: Define and review restore procedures, and regularly test that you can actually restore your site.
  13. Obscurity isn’t Security: With Drupal we recommend actually leaving the CHANGELOG.txt file visible so that it’s obvious that you are up-to-date. For any software you use, know how to watch for security updates so you can apply them in a timely manner.
  14. Security is Big: It is a mistake to assume that one person can do it well in isolation. Having access to a team (even outside of the organization) will help.
  15. Remember, You’re Still Not Safe: Have an audit trail. If your site is compromised, take the time to find out how. Use proper version control for all code and configuration.
  16. Not Just for Techs: Upper management needs to take the time to understand these general principles of IT security, as they have profound implications for the work of the whole organization.

Thanks Colan for your additions. I’m looking for other suggestions to improve this document, so please feel free to reach out on Twitter to @mgifford.

About The Author

Mike Gifford is the founder of OpenConcept Consulting Inc, which he started in 1999. Since then, he has been particularly active in developing and extending open source content management systems to allow people to get closer to their content. Before starting OpenConcept, Mike had worked for a number of national NGOs including Oxfam Canada and Friends of the Earth.