Death To Passwords
This presentation was held at Droidcon DE 2014. It covers the main issues with passwords in mobile and web applications and which alternative technologies can help resolve them.

Transcript

  • 1. DEATH TO PASSWORDS LONG LIVE SECURITY Tim Messerschmidt / @SeraAndroiD Droidcon Berlin ‘14
  • 2. DO YOU BELIEVE IN SECURITY?
  • 3. DO YOU BELIEVE IN SECURITY?
  • 4. A STORY ABOUT PASSWORDS WIKI.SCULLSECURITY.ORG/PASSWORDS
  • 5. 4.7% OF USERS USE THE PASSWORD PASSWORD
  • 6. 8.5% ARE USING PASSWORD OR 123456
  • 7. 9.8% USE PASSWORD 123456 OR 12345678
  • 8. ... And it doesn’t even stop here: 14% have a password from the top 10 passwords; 40% have a password from the top 100 passwords; 79% have a password from the top 500 passwords; 91% have a password from the top 1000 passwords
  • 9. 2013 CBSNEWS.COM/NEWS/THE-25-MOST-COMMON-PASSWORDS-OF-2013/
  • 10. 1. 123456 (up 1); 2. Password (down 1); 3. 12345678; 4. Qwerty (up 1); 5. Abc123 (down 1); 6. 123456789 (new); 7. 111111 (up 2); 8. 1234567 (up 5); 9. Iloveyou (up 2); 10. Adobe123 (new); 11. 123123 (up 5); 12. Admin (new); 13. 1234567890 (new); 14. Letmein (down 7); 15. Photoshop (new); 16. 1234 (new); 17. Monkey (down 11); 18. Shadow; 19. Sunshine (down 5); 20. 12345 (new)
  • 11. My learnings from this trend - People HATE monkeys - People are more depressed - Adobe is very popular
  • 12. 3 Password Problems - Reused - Phished - Keylogged
  • 13. abstrusegoose.com/296
  • 14. abstrusegoose.com/262
  • 15. xkcd.com/936
  • 16. Favor security too much over the experience and you’ll make the website a pain to use.
  • 17. Basic Authentication username:password
  • 18. Storing Passwords SQLCipher & KeyChain
  • 19. SO WHAT?
  • 20. People forget passwords… 45% admit to leaving a website instead of resetting their password or answering security questions * * Blue Inc. 2011
  • 21. Also they hate to register. Out of 657 surveyed users 66% think that social sign-in is a desirable alternative. * * Blue Inc. 2011
  • 22. heartbleed.com
  • 23. heartbleed.agilebits.com
  • 24. SO WHAT CAN WE DO INSTEAD?
  • 25. PASSWORDLESS AUTHENTICATION MEDIUM.COM/CYBER-SECURITY/9ED56D483EB
  • 26. TWO FACTOR AUTH TWOFACTORAUTH.ORG
  • 27. Authentication vs. Authorization
  • 28. OAUTH 1.0
  • 29. OAuth 1.0 flow between Consumer and Service Provider: Request Request Token → Grant Request Token → Direct User to Service → Obtain Authorization → Direct to Consumer → Request Access Token → Grant Access Token → Access Resources
  • 30. OAUTH 1.0A
  • 31. Android: Signpost <3 github.com/mttkay/signpost
  • 32. OAUTH 2.0
  • 33. OAuth 2.0 flow between Consumer and Service Provider: Direct User to Service → Obtain Authorization → Request Access Token → Grant Access Token → Direct to Consumer → Access Resources / Profile
  • 34. Sending the access token. As an HTTP header (Java / Android):
        URL url = new URL("http://url.com/");
        HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
        // the token travels in the Authorization header, not in the URL
        urlConnection.setRequestProperty("Authorization", "Bearer …");
    Or as a URI parameter: "url.com/oauth?access_token=…"
  • 35. Android: Scribe github.com/fernandezpablo85/scribe; PostmanLib github.com/fedepaol/PostmanLib--Rings-Twice--Android
  • 36. OAuth 2.0 and the Road to Hell hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
  • 37. Identity Techniques - OpenID - OpenID Connect - Persona
  • 38. Identity Providers Social vs. Concrete
  • 39. Do we always use the same identity?
  • 40. Should we always use the same identity?
  • 41. Name Email Date of Birth Locale Time Zone Address Gender Language Phone Number Creation Date
  • 42. What’s Next? Bluetooth Smart and Co.
  • 43. Security matters to users and developers. Difference between authentication and authorization. User experience should be enhanced, not impaired.
  • 44. BATTLEHACK ’14 BERLIN: JUNE 21ST & 22ND WARSAW: JULY 12TH & 13TH LONDON: OCTOBER 11TH & 12TH MOSCOW: OCTOBER 25TH & 26TH BATTLEHACK.ORG
  • 45. Questions? tmesserschmidt@paypal.com @SeraAndroid slideshare.com/paypal
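The header-versus-URI-parameter choice from slide 34, as an added Python example (not code from the talk): it builds both request shapes, shows that only the query-string variant puts the token into an ordinary access-log line, and accepts the token on the resource-server side only from the Authorization header. The token value and host name are constructed for this example.

```python
"""Bearer token placement: Authorization header vs. URI parameter.

A token carried in the query string lands in every access log that
records the request line; a header value normally does not.
"""
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed sample values for this example only.
SAMPLE_TOKEN = "tkn-7f3a9c-example"
RESOURCE = "https://api.example.com/v1/profile"


def request_with_header(token: str) -> dict:
    """Client side: token in the Authorization header (RFC 6750, section 2.1)."""
    return {"method": "GET", "url": RESOURCE,
            "headers": {"Authorization": f"Bearer {token}"}}


def request_with_query_param(token: str) -> dict:
    """Client side: the discouraged variant, ?access_token=... (RFC 6750, section 2.3)."""
    return {"method": "GET",
            "url": f"{RESOURCE}?{urlencode({'access_token': token})}",
            "headers": {}}


def access_log_line(request: dict) -> str:
    """What a typical web server or proxy writes: method plus the full request
    target. Headers such as Authorization are not logged by default."""
    parts = urlsplit(request["url"])
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'{request["method"]} {target} HTTP/1.1'


def extract_bearer_token(request: dict) -> Optional[str]:
    """Resource-server side: accept the token only from the Authorization header.
    The scheme matches case-insensitively; an empty credential is rejected."""
    auth = request["headers"].get("Authorization", "")
    scheme, _, credentials = auth.partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return None
    return credentials.strip()


def token_leaks_into_log(request: dict, token: str) -> bool:
    """True if the token text would appear in the access-log entry."""
    return token in access_log_line(request)


if __name__ == "__main__":
    for build in (request_with_header, request_with_query_param):
        req = build(SAMPLE_TOKEN)
        print(f"{build.__name__}: log='{access_log_line(req)}' "
              f"leaks={token_leaks_into_log(req, SAMPLE_TOKEN)} "
              f"accepted={extract_bearer_token(req)}")
```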