|
2 | 2 |
|
3 | 3 | NOTE: This repo is meant for a demonstration. It does not illustrate good security. |
4 | 4 |
|
5 | | -To start your Phoenix server: |
| 5 | +## Demo Instructions |
6 | 6 |
|
| 7 | +1. Go to `/admin` and change the hashing type to `plaintext` |
| 8 | + - Have people make a new account. Warn them that everyone will be able to see their name and password. |
| 9 | + - Have people go to `/hack` so they can pretend to be a hacker and view the passwords database |
| 10 | + - Explain why it's bad that the attacker can see everyone's passwords |
| 11 | +2. Explain what a hashing algorithm is (use an online SHA-1 calculator as an example). In `/admin`, delete the existing users, then change the hashing type to `sha1`. |
| 12 | + - Have people reload the page so they're logged out, then create a new account. Make sure there are 2 people who use the same password, and make sure someone uses a really common password. |
| 13 | + - This is an improvement, since the hacker can't see the passwords right away, but they can just go through a list of common passwords, hash them all, and see which of them are in the database. For common passwords, they can even just Google the hash and they'll get the original password. |
| 14 | +3. Explain what a salt is. In `/admin`, delete the existing users, then change the hashing type to `sha1_with_salt`. |
| 15 | + - Have people reload the page so they're logged out, then create a new account. Make sure there are 2 people who use the same password, and make sure someone uses a really common password. |
| 16 | + - This is an improvement, since 2 people with the same password won't have the same hash, and you can't just Google the SHA-1 hash. It's more work for the attacker, since they need to try hashing common passwords for each person individually, rather than finding all the common passwords in the database in one pass. |
| 17 | + - Ask about the length of time that it took to hash their passwords (people can see this on their home page when they log in). Is it a good thing or a bad thing that the password hashing algorithm is super fast? Bad because it makes it easy to crack. |
| 18 | +4. In `/admin`, delete the existing users, then change the hashing type to `argon2id`. |
| 19 | + - Have people reload the page so they're logged out, then create a new account. Make sure there are 2 people who use the same password, and make sure someone uses a really common password. |
| 20 | + - `argon2id` seems to be considered the best password hashing algorithm right now (`bcrypt` is good, but apparently not as good). |
| 21 | + |
| 22 | +## To start your the Phoenix server: |
| 23 | + |
| 24 | +- Install the Elixir programming language |
7 | 25 | - Install dependencies with `mix deps.get` |
8 | 26 | - Create and migrate your database with `mix ecto.setup` |
9 | 27 | - Install Node.js dependencies with `npm install` inside the `assets` directory |
|
0 commit comments