2nd time seeing this talk and enjoyed this format much better than the recordings from conferences. And yes, very scary, this should be required viewing for every junior developer joining a company.
Fantastic talk! As always, very informative and scary at the same time.
Well done!
Great talk, good overview of topics, but a little hard to follow due to non-contrasting fonts and small text.
Excellent! The best guy to give talks on password security is the guy who analyses scrypt for fun. :)
Worth the fee of the conference, and left me with code on my hands! Perfect!
Very informative talk. Generated a lot of discussion here.
Thank you all for the great feedback, very much appreciated. I try not to address comments specifically, but in this case wanted to touch on the one regarding obfuscation:
"Never heard someone suggest using obfuscation to improve security with a straight face."
Obfuscation is a fairly common practice when it comes to security. While it can have a bad rap, this is due to it being relied on as the only layer of security or utilized as a lazy method of security. In essence, it provides an added layer of difficulty and security to an application, but should not be utilized as the only layer. Perhaps one of the most common examples of obfuscation in the "real world" is ReCaptcha, which can be implemented to help prevent brute force attacks on logins, or the ambiguous error page that simply states something went wrong without providing any source code details to the end user.
More often than not, it's the little things you do that add up and make your application more secure. Granted, some methods provide more security than others, but I don't think you can have an application that is "too secure," especially when entrusted with personal data that in the wrong hands could be detrimental to the real-world life of your end user.