The problem with passwords on the web and what to do about it
 


Handling user passwords safely is hard, but replacing passwords on the web in a reasonable way is even harder. Really, this should have been in the browser all along. This is where Persona comes in.


Usage Rights: CC Attribution-ShareAlike License

    Presentation Transcript

    • François Marier – @fmarier: The problem with passwords on the web and what to do about it
    • passwords
    • problem #1: passwords are hard to secure
    • bcrypt / scrypt / pbkdf2, per-user salt, site secret, password & lockout policies, secure recovery (2013 password guidelines)
    • passwords are hard to secure: they are a liability
    • ALTER TABLE user DROP COLUMN password;
    • problem #2: passwords are hard to remember
    • pick an easy password, use it everywhere
    • passwords are hard to remember: they need to be reset
    • control email account = control all accounts
    • social login
    • “People want a little dating before marriage.” Eric Vishria – Rockmelt
    • decentralized
    • myid.com/u/francois
    • privacy®
    • existing login systems are not good enough
    • ideal web-wide identity system: decentralized, simple, cross-browser
    • how does it work?
    • fmarier@gmail.com
    • demo #1: http://crossword.thetimes.co.uk/ fmariertest@eyedee.me
    • Persona is already a decentralized system
    • decentralization is the answer, but it's not a product adoption strategy
    • we can't wait for all domains to adopt Persona; solution: a temporary centralized fallback
    • demo #2: http://sloblog.io/ fmariertest@gmail.com
    • Persona already works with all email domains
    • identity bridging
    • demo #3: http://www.reasonwell.com/ fmariertest@yahoo.com
    • Persona supports all modern browsers >= 8
    • Persona is decentralized, simple and cross-browser
    • it's simple for users, but is it also simple for developers?
    • 1. load javascript library
      2. setup login & logout callbacks
      3. add login and logout buttons
      4. verify proof of ownership
    • you can add support for Persona in four easy steps
    • one simple request
    • building a new site: default to Persona
    • working on an existing site/app: add support for Persona
    • Friday office hours
    • we need your help to eliminate site-specific passwords
    • To learn more about Persona:
      https://login.persona.org/
      http://identity.mozilla.com/
      https://developer.mozilla.org/docs/Persona/Why_Persona
      https://developer.mozilla.org/docs/Persona/Quick_Setup
      https://github.com/mozilla/browserid-cookbook
      https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      http://123done.org/
      https://wiki.mozilla.org/Identity#Get_Involved
      @fmarier http://fmarier.org
    • identity provider API: https://eyedee.me/.well-known/browserid:
      {
        "public-key": {"algorithm":"RS","n":"8606...","e":"65537"},
        "authentication": "/browserid/sign_in.html",
        "provisioning": "/browserid/provision.html"
      }
    • identity provider API
      1. check for your /.well-known/browserid
      2. try the provisioning endpoint
      3. show the authentication page
      4. call the provisioning endpoint again
    • © 2013 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
    • Photo credits:
      Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/
      Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
      Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
      Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/
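
The "problem #1" slide lists what a site must get right to store passwords: a slow hash, a per-user salt and a site secret. The following Node.js sketch is an added example, not code from the talk, showing those three items together. The storage format, the scrypt parameters and the `SITE_SECRET` value are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Site secret: kept outside the user table. Constructed value for this
// example; a real deployment would load it from a secrets store.
const SITE_SECRET = Buffer.from('constructed-site-secret-for-example-only');

// scrypt cost parameters (assumed values; about 16 MiB of memory per hash).
const SCRYPT = { N: 16384, r: 8, p: 1, keylen: 32 };

function derive(password, salt) {
  // Key the password with the site secret first, so that a copy of the
  // user table alone is not enough to test guesses offline.
  const keyed = crypto.createHmac('sha256', SITE_SECRET)
    .update(password, 'utf8').digest();
  return crypto.scryptSync(keyed, salt, SCRYPT.keylen,
    { N: SCRYPT.N, r: SCRYPT.r, p: SCRYPT.p });
}

function hashPassword(password) {
  const salt = crypto.randomBytes(16); // per-user salt, new for every hash
  const hash = derive(password, salt);
  // Store the parameters beside the hash so the cost can be raised later.
  return ['scrypt', SCRYPT.N, SCRYPT.r, SCRYPT.p,
    salt.toString('base64'), hash.toString('base64')].join('$');
}

function verifyPassword(password, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  // Records hashed with other parameters are rejected here; a real system
  // would verify with the stored parameters and then re-hash.
  if (N !== SCRYPT.N || r !== SCRYPT.r || p !== SCRYPT.p) return false;
  const salt = Buffer.from(parts[4], 'base64');
  const expected = Buffer.from(parts[5], 'base64');
  const actual = derive(password, salt);
  // Constant-time comparison of the two digests.
  return expected.length === actual.length &&
    crypto.timingSafeEqual(expected, actual);
}
```

Lockout policies and secure recovery, the other two items on the slide, are not covered by this block.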
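
The "identity provider API" slides show the `/.well-known/browserid` document a domain publishes. The following JavaScript check is an added example, not part of the talk or of Persona's code, that validates such a document before a deployment. The field names come from the slide; the rules (only the `RS` key form shown there, decimal-string `n` and `e`, endpoints as paths on the domain's own origin) and the constructed sample are assumptions.

```javascript
// Constructed sample in the shape shown on the slide; "n" is a made-up value.
const SAMPLE_DOCUMENT = JSON.stringify({
  'public-key': { algorithm: 'RS', n: '860612345678901234567890', e: '65537' },
  authentication: '/browserid/sign_in.html',
  provisioning: '/browserid/provision.html',
});

// A path that starts with exactly one "/" and contains no whitespace or
// backslash, so it cannot point to another host ("//host/..." or a full URL).
const SAME_ORIGIN_PATH = /^\/(?![\/\\])[^\s\\]*$/;

function validateSupportDocument(text) {
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (e) {
    return { ok: false, errors: ['not valid JSON'] };
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return { ok: false, errors: ['top level must be a JSON object'] };
  }
  const errors = [];
  const key = doc['public-key'];
  if (key === null || typeof key !== 'object') {
    errors.push('public-key is missing');
  } else {
    // Assumption: accept only the RSA form that appears on the slide.
    if (key.algorithm !== 'RS') errors.push('public-key.algorithm is not RS');
    for (const field of ['n', 'e']) {
      if (typeof key[field] !== 'string' || !/^[0-9]+$/.test(key[field])) {
        errors.push(`public-key.${field} must be a decimal string`);
      }
    }
  }
  for (const field of ['authentication', 'provisioning']) {
    if (typeof doc[field] !== 'string' || !SAME_ORIGIN_PATH.test(doc[field])) {
      errors.push(`${field} must be a same-origin absolute path`);
    }
  }
  return { ok: errors.length === 0, errors };
}
```

The document is the root of trust for every address at the domain, so it is worth running a check like this in the deployment pipeline and serving the file only over HTTPS.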