Death To Passwords

"Death To Passwords" was delivered at Mobile Tech Con 2014 in Munich. The talk covers the basic weaknesses of passwords and the alternative technologies that can help overcome them.


Transcript

  • 1. DEATH TO PASSWORDS LONG LIVE SECURITY Tim Messerschmidt / @SeraAndroiD Mobile Tech Con, Munich ‘14
  • 2. DO YOU BELIEVE IN SECURITY?
  • 3. DO YOU BELIEVE IN SECURITY?
  • 4. A STORY ABOUT PASSWORDS WIKI.SCULLSECURITY.ORG/PASSWORDS
  • 5. 4.7% OF USERS USE THE PASSWORD PASSWORD
  • 6. 8.5% ARE USING PASSWORD OR 123456
  • 7. 9.8% USE PASSWORD 123456 OR 12345678
  • 8. ... And it doesn’t even stop here:
    14% have a password from the top 10 passwords
    40% have a password from the top 100 passwords
    79% have a password from the top 500 passwords
    91% have a password from the top 1000 passwords
  • 9. 2013 CBSNEWS.COM/NEWS/THE-25-MOST-COMMON- PASSWORDS-OF-2013/
  • 10.
    1. 123456 (up 1)
    2. Password (down 1)
    3. 12345678
    4. Qwerty (up 1)
    5. Abc123 (down 1)
    6. 123456789 (new)
    7. 111111 (up 2)
    8. 1234567 (up 5)
    9. Iloveyou (up 2)
    10. Adobe123 (new)
    11. 123123 (up 5)
    12. Admin (new)
    13. 1234567890 (new)
    14. Letmein (down 7)
    15. Photoshop (new)
    16. 1234 (new)
    17. Monkey (down 11)
    18. Shadow
    19. Sunshine (down 5)
    20. 12345 (new)
  • 11. My learnings from this trend:
    - People HATE monkeys
    - People are more depressed
    - Adobe is very popular
  • 12. 3 Password Problems:
    - Reused
    - Phished
    - Keylogged
  • 13. abstrusegoose.com/296  
  • 14. abstrusegoose.com/262  
  • 15. xkcd.com/936  
  • 16. Favor security too much over the experience and you’ll make the website a pain to use.
  • 17. Basic Authentication username:password
  • 18. Storing Passwords SQLCipher & KeyChain
  • 19. SO WHAT?
  • 20. People forget passwords… 45% admit to leaving a website instead of resetting their password or answering security questions (* Blue Inc. 2011)
  • 21. Also they hate to register: out of 657 surveyed users, 66% think that social sign-in is a desirable alternative. (* Blue Inc. 2011)
  • 22. SO WHAT CAN WE DO INSTEAD?
  • 23. TWO FACTOR AUTH TWOFACTORAUTH.ORG
  • 24. Authentication vs. Authorization
  • 25. OAUTH 1.0
  • 26. OAuth 1.0 flow between Consumer and Service Provider:
    1. Request Request Token (Consumer → Service Provider)
    2. Grant Request Token (Service Provider → Consumer)
    3. Direct User to Service (Consumer)
    4. Obtain Authorization (Service Provider)
    5. Direct to Consumer (Service Provider)
    6. Request Access Token (Consumer → Service Provider)
    7. Grant Access Token (Service Provider → Consumer)
    8. Access Resources (Consumer → Service Provider)
  • 27. OAUTH 1.0A
  • 28. Android: Signpost <3 github.com/mttkay/signpost; iOS: TDOAuth github.com/tweetdeck/TDOAuth
  • 29. OAUTH 2.0
  • 30. OAuth 2.0 flow between Consumer and Service Provider:
    1. Direct User to Service (Consumer)
    2. Obtain Authorization (Service Provider)
    3. Request Access Token (Consumer → Service Provider)
    4. Grant Access Token (Service Provider → Consumer)
    5. Direct to Consumer (Service Provider)
    6. Access Resources / Profile (Consumer → Service Provider)
  • 31. HTTP Header vs. URI parameter:
    URL url = new URL("http://url.com/");
    HttpURLConnection urlConnection =
            (HttpURLConnection) url.openConnection();
    // HTTP Header
    urlConnection.setRequestProperty("Authorization", "Bearer …");
    // URI parameter
    // "url.com/oauth?access_token=…"
  • 32. Android: Scribe github.com/fernandezpablo85/scribe; PostmanLib github.com/fedepaol/PostmanLib--Rings-Twice--Android
  • 33. iOS: AFOAuth2Client github.com/AFNetworking/AFOAuth2Client; LROAuth2Client github.com/lukeredpath/LROAuth2Client
  • 34. OAuth 2.0 and the Road to Hell hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
  • 35. Identity Techniques - OpenID - OpenID Connect - Persona
  • 36. Identity Providers Social vs. Concrete
  • 37. Name Email Date of Birth Locale Time Zone Address Gender Language Phone Number Creation Date
  • 38. What’s Next? Bluetooth Smart and Co.
  • 39. Security matters to users and developers
    Difference between authentication and authorization
    User Experience should be enhanced, not impaired
  • 40. Questions? tmesserschmidt@paypal.com @SeraAndroid slideshare.com/paypal
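The OAuth 2.0 exchange of slides 30 and 31, as an added Python example that is not part of the talk or of any library it names: a hypothetical Service Provider (authorization endpoint, token endpoint, protected resource) and a Consumer walk through the flow in-process, with the token sent as a Bearer header rather than a URI parameter. All client ids, secrets and callback URLs are constructed for the example; the checks (registered redirect_uri, single-use code, client secret, header-only token) are the defensive points the flow depends on.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class ServiceProvider:
    """Hypothetical Service Provider: authorization endpoint, token endpoint, resource."""
    def __init__(self, clients):
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}          # authorization code -> (client_id, redirect_uri)
        self.tokens = {}         # access token -> client_id

    def authorize(self, client_id, redirect_uri, user_consents):
        # "Direct User to Service" / "Obtain Authorization": the user authenticates
        # here, so the Consumer never sees the password. Returns the redirect back.
        _, registered_uri = self.clients.get(client_id, (None, None))
        if redirect_uri != registered_uri or not user_consents:
            return None          # only the registered callback ever receives a code
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, client_secret, code, redirect_uri):
        # "Request Access Token" / "Grant Access Token": the code is single-use and
        # bound to the client and redirect_uri that obtained it.
        entry = self.codes.pop(code, None)   # pop: a replayed or failed code is burnt
        secret = self.clients.get(client_id, (None, None))[0]
        if entry != (client_id, redirect_uri) or secret is None \
                or not secrets.compare_digest(client_secret, secret):
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = client_id
        return tok

    def resource(self, headers):
        # "Access Resources": the token is read from the Authorization header only.
        # A token in the query string would land in server logs and Referer headers.
        scheme, _, tok = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or tok not in self.tokens:
            return 401, None
        return 200, {"client": self.tokens[tok]}

def code_from_redirect(location):
    # "Direct to Consumer": the Consumer reads the code from its callback URL.
    return parse_qs(urlparse(location).query)["code"][0]

def consumer_flow(sp, client_id, client_secret, redirect_uri):
    # The Consumer side of the flow, end to end.
    location = sp.authorize(client_id, redirect_uri, user_consents=True)
    tok = sp.token(client_id, client_secret, code_from_redirect(location), redirect_uri)
    return sp.resource({"Authorization": "Bearer " + tok})
```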