Killing Passwords with JavaScript

Transcript

  • 1. François Marier – @fmarier Killing Passwords with JavaScript
  • 2. problem #1: passwords are hard to secure
  • 3. bcrypt / scrypt / pbkdf2 · per-user salt · site secret · password & lockout policies · secure recovery · 2013 password guidelines
  • 9. passwords are hard to secure they are a liability
  • 10. ALTER TABLE user DROP COLUMN password;
  • 11. problem #2: passwords are hard to remember
  • 12. pick an easy password, use it everywhere
  • 14. passwords are hard to remember they need to be reset
  • 15. control email account = control all accounts
  • 16. “People want a little dating before marriage.” Eric Vishria – Rockmelt
  • 17. decentralised
  • 18. myid.com/u/francois
  • 19. privacy®
  • 20. existing login systems are not good enough
  • 21. ideal web-wide identity system
  • 22. ideal web-wide identity system: ● decentralised ● simple ● cross-browser
  • 25. what if it were a standard part of the web browser?
  • 26. how does it work?
  • 27. fmarier@gmail.com
  • 29. demo #1: http://www.voo.st/ http://www.debuggex.com fmariertest@eyedee.me
  • 30. Persona is already a decentralised system
  • 31. SMS with PIN codes · Jabber / XMPP · Yubikeys · LDAP accounts · Client certificates · Password-wrapped secret key:
        {
          "public-key": { "algorithm": "RS", "n": "685484565272...", "e": "65537" },
          "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." },
          "authentication": "...",
          "provisioning": "..."
        }
  • 37. decentralisation is the answer, but it's not a product adoption strategy
  • 38. we can't wait for all browsers to adopt Persona
  • 39. navigator.id.*
  • 40. solution: a temporary javascript shim
  • 41. LIFD: Locally Isolated Feature Domain
  • 43. goal: trusted code running in the browser
  • 44. login.persona.org
  • 45. localStorage localStorage.setItem("key", serializedKey); var serializedKey = localStorage.getItem("key");
  • 46. storage tied to login.persona.org
  • 47. window.postMessage()
  • 48. https://login.persona.org localStorage postMessage
  • 49. Persona supports all modern browsers (Internet Explorer >= 8)
  • 50. we can't wait for all domains to adopt Persona
  • 51. solution: a temporary centralised fallback
  • 52. demo #2: http://sloblog.io/ fmariertest@aol.com
  • 53. Persona already works with all email domains
  • 54. identity bridging
  • 55. demo #3: http://www.reasonwell.com/ fmariertest@yahoo.com
  • 56. Persona works everywhere
  • 57. lessons learned
  • 58. #1: user testing is critical
  • 59. #2: nobody wants to be first
  • 60. “how many users does Persona have?”
  • 61. 700,000,000
  • 62. #3: if a problem has been around for a while, it's probably a hard one
  • 63. see if you can solve part of the problem
  • 64. $ ssh francois@myserver.com francois@myserver.com's password:
  • 65. Persona is a simple solution for signing into the web
  • 66. how simple is it for developers? 4 easy steps: https://developer.mozilla.org/docs/Persona/Quick_Setup
  • 68. 1. load the javascript library: <script src="https://login.persona.org/include.js"></script>
        2. set up login & logout callbacks: navigator.id.watch(...);
        3. add login and logout buttons: navigator.id.request(); navigator.id.logout();
        4. verify proof of ownership (no API key needed)
  • 74. one small request
  • 75. building a new site: default to Persona
  • 76. working on an existing site: add support for Persona
  • 77. before
  • 78. after: navigator.id.request()
  • 80. ALTER TABLE user DROP COLUMN password;
  • 81. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
  • 82. identity provider API: https://eyedee.me/.well-known/browserid
        {
          "public-key": { "algorithm": "RS", "n": "8606...", "e": "65537" },
          "authentication": "/browserid/sign_in.html",
          "provisioning": "/browserid/provision.html"
        }
  • 87. identity provider API
        1. check for your /.well-known/browserid
        2. try the provisioning endpoint
        3. show the authentication page
        4. call the provisioning endpoint again
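The four steps above, together with the centralised fallback from slide 51, form a small client-side protocol. As an added example (not code from the slides or from the Persona implementation) the following sketches how a client consumes the identity provider API: it fetches and validates the /.well-known/browserid document for the email's domain, falls back to login.persona.org when the domain has none, and runs the provision / authenticate / provision-again loop. The names discoverIdp, provisionCertificate and the injected fetchDoc, tryProvision and showAuthentication hooks are assumptions for illustration; the sample document is constructed in the shape shown on the slides, with the key truncated as it is there.

```javascript
'use strict';

// Assumed: the centralised fallback identity provider from slide 51.
const FALLBACK_IDP = 'login.persona.org';

// Validate a /.well-known/browserid document and resolve its endpoint paths
// to absolute https:// URLs on the issuing domain. Endpoints must be
// same-origin paths: a document that points at another host would let the
// issuer's key vouch for pages the issuer does not control.
function parseWellKnown(domain, text) {
  const doc = JSON.parse(text);
  const key = doc['public-key'];
  if (!key || (key.algorithm !== 'RS' && key.algorithm !== 'DS')) {
    throw new Error(domain + ': unsupported or missing public-key algorithm');
  }
  ['authentication', 'provisioning'].forEach(function (field) {
    const p = doc[field];
    if (typeof p !== 'string' || p.charAt(0) !== '/' || p.indexOf('//') === 0) {
      throw new Error(domain + ': ' + field + ' must be an absolute path on the same origin');
    }
  });
  return {
    domain: domain,
    publicKey: key,
    authentication: 'https://' + domain + doc.authentication,
    provisioning: 'https://' + domain + doc.provisioning,
  };
}

// Step 1: look for /.well-known/browserid on the email's domain.
// fetchDoc(url) is an injected hook returning the body as a string, or null
// when the document is absent. Absence means the domain has not adopted
// Persona, so the client uses the centralised fallback instead.
function discoverIdp(email, fetchDoc) {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) throw new Error('not an email address');
  const domain = email.slice(at + 1).toLowerCase();
  const body = fetchDoc('https://' + domain + '/.well-known/browserid');
  if (body === null) {
    const fallbackBody = fetchDoc('https://' + FALLBACK_IDP + '/.well-known/browserid');
    if (fallbackBody === null) throw new Error('fallback IdP unavailable');
    const idp = parseWellKnown(FALLBACK_IDP, fallbackBody);
    idp.primary = false;
    return idp;
  }
  const idp = parseWellKnown(domain, body);
  idp.primary = true;
  return idp;
}

// Steps 2-4: try provisioning; if the IdP has no session for this user,
// show its authentication page, then try provisioning exactly once more.
// tryProvision(url, email) returns a certificate or null; showAuthentication
// (url, email) blocks until the user has finished with the IdP's page.
function provisionCertificate(idp, email, tryProvision, showAuthentication) {
  let cert = tryProvision(idp.provisioning, email);
  if (cert) return cert;
  showAuthentication(idp.authentication, email);
  cert = tryProvision(idp.provisioning, email);
  if (!cert) throw new Error(idp.domain + ': provisioning still failed after authentication');
  return cert;
}

// Constructed sample document in the shape shown on the slides.
const SAMPLE_DOC = JSON.stringify({
  'public-key': { algorithm: 'RS', n: '8606...', e: '65537' },
  authentication: '/browserid/sign_in.html',
  provisioning: '/browserid/provision.html',
});

module.exports = { FALLBACK_IDP, parseWellKnown, discoverIdp, provisionCertificate, SAMPLE_DOC };
```

The hooks are injected so the flow can be exercised without a network; in a real client, fetchDoc would be an HTTPS request (never plain HTTP, since the document carries the key that everything else trusts) and showAuthentication would open the IdP's page in the dialog.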
  • 91. © 2013 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Photo credits: Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/ · Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ · Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ · Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ · Yubikey: https://secure.flickr.com/photos/knk/3379897261/ · Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/