The problem with passwords on the web and what to do about it

Handling user passwords safely is hard, but replacing passwords on the web in a reasonable way is even harder. Really, this should have been in the browser all along. This is where Persona comes in.

Published in: Technology, News & Politics
The problem with passwords on the web and what to do about it

  1. François Marier – @fmarier: The problem with passwords on the web and what to do about it
  2. passwords
  3. problem #1: passwords are hard to secure
  4-8. bcrypt / scrypt / pbkdf2; per-user salt; site secret; password & lockout policies; secure recovery (build-up slides with the same text)
  9. bcrypt / scrypt / pbkdf2; per-user salt; site secret; password & lockout policies; secure recovery; 2013 password guidelines
  10. passwords are hard to secure: they are a liability
  11. ALTER TABLE user DROP COLUMN password;
  12. problem #2: passwords are hard to remember
  13. pick an easy password
  14. pick an easy password, use it everywhere
  15. passwords are hard to remember: they need to be reset
  16. control email account = control all accounts
  17. social login
  18. “People want a little dating before marriage.” Eric Vishria – Rockmelt
  19. decentralized
  20. myid.com/u/francois
  21. privacy®
  22. existing login systems are not good enough
  23. ideal web-wide identity system
  24-26. ideal web-wide identity system: decentralized, simple, cross-browser (build-up slides with the same text)
  27. decentralized, simple, cross-browser
  28. how does it work?
  29. fmarier@gmail.com
  30. demo #1: http://crossword.thetimes.co.uk/ (fmariertest@eyedee.me)
  31. Persona is already a decentralized system
  32. decentralization is the answer, but it's not a product adoption strategy
  33. we can't wait for all domains to adopt Persona
  34. we can't wait for all domains to adopt Persona; solution: a temporary centralized fallback
  35. demo #2: http://sloblog.io/ (fmariertest@gmail.com)
  36. Persona already works with all email domains
  37. identity bridging
  38. demo #3: http://www.reasonwell.com/ (fmariertest@yahoo.com)
  39. Persona supports all modern browsers (>= 8)
  40. Persona is decentralized, simple and cross-browser
  41. it's simple for users, but is it also simple for developers?
  42-45. (build-up slides) 1. load javascript library; 2. setup login & logout callbacks; 3. add login and logout buttons; 4. verify proof of ownership
  46. you can add support for Persona in four easy steps
  47. one simple request
  48. building a new site: default to Persona
  49. working on an existing site/app: add support for Persona
  50. Friday office hours
  51. we need your help to eliminate site-specific passwords
  52. To learn more about Persona:
      https://login.persona.org/
      http://identity.mozilla.com/
      https://developer.mozilla.org/docs/Persona/Why_Persona
      https://developer.mozilla.org/docs/Persona/Quick_Setup
      https://github.com/mozilla/browserid-cookbook
      https://developer.mozilla.org/docs/Persona/Libraries_and_plugins
      http://123done.org/
      https://wiki.mozilla.org/Identity#Get_Involved
      @fmarier http://fmarier.org
  53-57. identity provider API (build-up slides with the same text): https://eyedee.me/.well-known/browserid:
      {"public-key": {"algorithm": "RS", "n": "8606...", "e": "65537"},
       "authentication": "/browserid/sign_in.html",
       "provisioning": "/browserid/provision.html"}
  58-61. identity provider API (build-up slides with the same text): 1. check for your /.well-known/browserid; 2. try the provisioning endpoint; 3. show the authentication page; 4. call the provisioning endpoint again
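The consumer side of the identity provider API above, as an added JavaScript example that is not code from the slides or from Mozilla: the support document is validated before anything in it is trusted, then the four steps (well-known lookup, provisioning attempt, authentication page, second provisioning attempt) run with the network and UI supplied as injected functions so the flow can be run offline. The support document is a constructed sample in the shape of the slide; the real modulus is truncated on the slide, so a short constructed digit string stands in for it.

```javascript
// Added example (not from the slides): consuming a Persona identity provider.
// Constructed sample support document, same shape as the slide's JSON.
const SAMPLE_DOC = JSON.stringify({
  "public-key": { algorithm: "RS", n: "86061234567890", e: "65537" },
  authentication: "/browserid/sign_in.html",
  provisioning: "/browserid/provision.html",
});

// Step 1: validate https://<domain>/.well-known/browserid. The key must be
// an RSA key with decimal n and e, and both endpoints must be paths on the
// IdP's own origin (a protocol-relative "//other.example" is refused), so a
// malformed document can never redirect provisioning to a third party.
function parseSupportDocument(domain, text) {
  let doc;
  try { doc = JSON.parse(text); } catch (err) { return null; }
  const key = doc && doc["public-key"];
  if (!key || key.algorithm !== "RS") return null;
  if (!/^\d+$/.test(String(key.n)) || !/^\d+$/.test(String(key.e))) return null;
  const onSite = (p) => typeof p === "string" && p.startsWith("/") && !p.startsWith("//");
  if (!onSite(doc.authentication) || !onSite(doc.provisioning)) return null;
  return {
    publicKey: { algorithm: "RS", n: String(key.n), e: String(key.e) },
    authenticationUrl: "https://" + domain + doc.authentication,
    provisioningUrl: "https://" + domain + doc.provisioning,
  };
}

// Steps 2-4. `provision(url, email)` returns a certificate string, or null
// when the IdP reports that the user is not logged in; `authenticate(url)`
// shows the IdP's page and returns when the user is done. Returns the
// certificate or null; `trace` records the steps taken, for inspection.
function obtainCertificate(domain, supportText, email, provision, authenticate, trace = []) {
  trace.push("well-known");
  const idp = parseSupportDocument(domain, supportText);
  if (!idp) return null;                             // not a usable IdP
  trace.push("provision");
  let cert = provision(idp.provisioningUrl, email);
  if (cert) return cert;                             // already logged in
  trace.push("authenticate");
  authenticate(idp.authenticationUrl);
  trace.push("provision");
  cert = provision(idp.provisioningUrl, email);      // exactly one retry
  return cert || null;                               // null: give up, do not loop
}
```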
  62. © 2013 François Marier <francois@mozilla.com>. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License.
      Photo credits:
      Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/
      Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/
      Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/
      Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/
      Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/
      Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/