Death To Passwords

"Death To Passwords" was delivered at Mobile Tech Con 2014 in Munich. It's a talk covering the basic weaknesses of passwords and the alternative technologies that can help overcome them.

  1. DEATH TO PASSWORDS. LONG LIVE SECURITY. Tim Messerschmidt / @SeraAndroiD. Mobile Tech Con, Munich '14
  2. DO YOU BELIEVE IN SECURITY?
  3. DO YOU BELIEVE IN SECURITY?
  4. A STORY ABOUT PASSWORDS: WIKI.SCULLSECURITY.ORG/PASSWORDS
  5. 4.7% OF USERS USE THE PASSWORD "PASSWORD"
  6. 8.5% ARE USING "PASSWORD" OR "123456"
  7. 9.8% USE "PASSWORD", "123456" OR "12345678"
  8. ... and it doesn't even stop here: 14% have a password from the top 10 passwords, 40% from the top 100, 79% from the top 500, 91% from the top 1000.
  9. 2013: CBSNEWS.COM/NEWS/THE-25-MOST-COMMON-PASSWORDS-OF-2013/
  10. 1. 123456 (up 1), 2. Password (down 1), 3. 12345678, 4. Qwerty (up 1), 5. Abc123 (down 1), 6. 123456789 (new), 7. 111111 (up 2), 8. 1234567 (up 5), 9. Iloveyou (up 2), 10. Adobe123 (new), 11. 123123 (up 5), 12. Admin (new), 13. 1234567890 (new), 14. Letmein (down 7), 15. Photoshop (new), 16. 1234 (new), 17. Monkey (down 11), 18. Shadow, 19. Sunshine (down 5), 20. 12345 (new)
  11. My learnings from this trend: people HATE monkeys; people are more depressed; Adobe is very popular.
  12. 3 Password Problems: reused, phished, keylogged.
  13. abstrusegoose.com/296
  14. abstrusegoose.com/262
  15. xkcd.com/936
  16. Favor security too much over the experience and you'll make the website a pain to use.
  17. Basic Authentication: username:password
  18. Storing Passwords: SQLCipher & KeyChain
  19. SO WHAT?
  20. People forget passwords... 45% admit to leaving a website instead of resetting their password or answering security questions. (* Blue Inc. 2011)
  21. Also they hate to register: out of 657 surveyed users, 66% think that social sign-in is a desirable alternative. (* Blue Inc. 2011)
  22. SO WHAT CAN WE DO INSTEAD?
  23. TWO FACTOR AUTH: TWOFACTORAUTH.ORG
  24. Authentication vs. Authorization
  25. OAUTH 1.0
  26. OAuth 1.0 flow between Consumer and Service Provider: Request Request Token -> Grant Request Token -> Direct User to Service -> Obtain Authorization -> Direct to Consumer -> Request Access Token -> Grant Access Token -> Access Resources
  27. OAUTH 1.0A
  28. Android: Signpost <3 github.com/mttkay/signpost; iOS: TDOAuth github.com/tweetdeck/TDOAuth
  29. OAUTH 2.0
  30. OAuth 2.0 flow between Consumer and Service Provider: Direct User to Service -> Obtain Authorization -> Request Access Token -> Grant Access Token -> Direct to Consumer -> Access Resources / Profile
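The slide shows the OAuth 2.0 steps as a diagram only. Below is an added example, not code from the talk or from any of the libraries it lists: both parties of the authorization-code grant as plain Python classes in one process, so each message of the exchange is visible, together with the checks a defender expects the service provider and consumer to make (registered redirect URI, single-use and expiring codes, client authentication, a session-bound `state` value, bearer-token expiry). Client ids, secrets, URLs and lifetimes are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class ServiceProvider:
    """Authorization server side of the slide: issues single-use codes and bearer tokens."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, user, expiry)
        self.tokens = {}   # access_token -> (client_id, user, expiry)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, query, user, now):
        """'Obtain Authorization': the user consented; redirect back with a short-lived code.
        Only the registered redirect_uri is honoured, so a code cannot be sent elsewhere."""
        _, registered_uri = self.clients[query["client_id"]]
        if query.get("redirect_uri") != registered_uri:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (query["client_id"], registered_uri, user, now + 60)  # 60 s lifetime
        return registered_uri + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form, now):
        """'Request Access Token' -> 'Grant Access Token'; the client proves its secret."""
        secret, _ = self.clients[form["client_id"]]
        if not hmac.compare_digest(secret, form["client_secret"]):
            raise PermissionError("bad client secret")
        entry = self.codes.pop(form.get("code", ""), None)  # pop: a code is single-use
        if entry is None:
            raise PermissionError("unknown or already used code")
        client_id, redirect_uri, user, expiry = entry
        if (client_id, redirect_uri) != (form["client_id"], form["redirect_uri"]) or now > expiry:
            raise PermissionError("code not issued to this client/redirect_uri, or expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, user, now + 3600)
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def profile(self, authorization_header, now):
        """'Access Resources / Profile': the resource endpoint validates the bearer token."""
        scheme, _, tok = authorization_header.partition(" ")
        entry = self.tokens.get(tok)
        if scheme != "Bearer" or entry is None or now > entry[2]:
            raise PermissionError("invalid or expired access token")
        return {"user": entry[1]}


class Consumer:
    """Client app side of the slide."""

    def __init__(self, provider, client_id, client_secret, redirect_uri):
        self.provider, self.client_id = provider, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_state = None

    def start(self):
        """'Direct User to Service': authorization request with a random, session-bound state."""
        self.pending_state = secrets.token_urlsafe(16)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "state": self.pending_state}

    def callback(self, redirect_url, now):
        """'Direct to Consumer': reject a state we did not issue, then swap the code for a token."""
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if not hmac.compare_digest(params.get("state", ""), self.pending_state or ""):
            raise PermissionError("state mismatch: response was not started by this session")
        self.pending_state = None
        reply = self.provider.token({"grant_type": "authorization_code", "code": params["code"],
                                     "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                     "client_secret": self.client_secret}, now)
        return reply["access_token"]


def run_flow(now=1_400_000_000):
    """Whole exchange; returns the profile and whether two negative checks were enforced."""
    sp = ServiceProvider()
    sp.register_client("app123", "s3cr3t", "https://app.example/cb")  # constructed values
    app = Consumer(sp, "app123", "s3cr3t", "https://app.example/cb")
    redirect = sp.authorize(app.start(), user="alice", now=now)
    token = app.callback(redirect, now)
    result = {"profile": sp.profile("Bearer " + token, now)}
    # Negative check 1: presenting the same code a second time must fail (single use).
    code = parse_qs(urlparse(redirect).query)["code"][0]
    try:
        sp.token({"grant_type": "authorization_code", "code": code, "redirect_uri": "https://app.example/cb",
                  "client_id": "app123", "client_secret": "s3cr3t"}, now)
        result["code_reuse_rejected"] = False
    except PermissionError:
        result["code_reuse_rejected"] = True
    # Negative check 2: a redirect carrying a state this session never issued must fail.
    app.start()
    try:
        app.callback("https://app.example/cb?" + urlencode({"code": "x", "state": "not-ours"}), now)
        result["csrf_rejected"] = False
    except PermissionError:
        result["csrf_rejected"] = True
    return result


if __name__ == "__main__":
    print(run_flow())
```

Every check lives on the side that owns the secret it protects: the provider validates the redirect target and the client secret, the consumer validates `state`, and neither trusts a value just because it arrived in a URL.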
  31. Two ways to send an OAuth 2.0 access token (Java, Android):
      URL url = new URL("http://url.com/");
      HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
      urlConnection.setRequestProperty("Authorization", "Bearer …");  // HTTP header; a bearer token is only as safe as the transport, so use TLS
      Alternative, URI parameter: "url.com/oauth?access_token=…"
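Slides 17 and 31 show the two header formats (Basic and Bearer) and the URI-parameter alternative without showing what the receiving side does with them or why the URI form is the weaker choice. The following is an added example, not code from the talk: a server-side parser for both Authorization schemes, and two log-side helpers that show the consequence of putting the token in the URL, namely that it ends up verbatim in an access log. The log line, token parameter names and URLs are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def basic_header(username: str, password: str) -> str:
    """Slide 17: Basic auth is just base64(username:password); base64 encodes, it does not protect."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_header(access_token: str) -> str:
    """Slide 31, header variant: the token travels in a header, which servers and proxies
    do not normally write to their access logs."""
    return "Bearer " + access_token


def parse_authorization(header: str):
    """Server-side parse of an Authorization header.
    Returns ("basic", (user, password)), ("bearer", token), or None for anything malformed."""
    scheme, _, value = header.strip().partition(" ")
    value = value.strip()
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")  # first colon only: passwords may contain ':'
        return ("basic", (user, password)) if sep else None
    if scheme.lower() == "bearer" and value:
        return ("bearer", value)
    return None


# Query-parameter names that carry credentials (constructed list; extend per deployment).
TOKEN_PARAMS = {"access_token", "oauth_token"}
LOG_REQUEST = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def leaked_tokens_in_log(log_line: str) -> list:
    """Slide 31, URI-parameter variant: the token is part of the request line, so a plain
    access log records it. Run this over logs to find where tokens are leaking."""
    m = LOG_REQUEST.search(log_line)
    if not m:
        return []
    return [v for k, v in parse_qsl(urlsplit(m.group(1)).query) if k in TOKEN_PARAMS]


def redact_tokens(url: str) -> str:
    """Log-side mitigation: strip token values from a URL before it is written anywhere."""
    parts = urlsplit(url)
    cleaned = [(k, "REDACTED" if k in TOKEN_PARAMS else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


if __name__ == "__main__":
    print(parse_authorization(basic_header("user", "pass")))   # ('basic', ('user', 'pass'))
    print(parse_authorization(bearer_header("abc123")))        # ('bearer', 'abc123')
    # Constructed Apache-style access log line for a request that used the URI parameter.
    line = '10.0.0.5 - - [12/Mar/2014:10:00:00 +0100] "GET /oauth?access_token=abc123 HTTP/1.1" 200 512'
    print(leaked_tokens_in_log(line))                           # ['abc123']
    print(redact_tokens("http://url.com/oauth?access_token=abc123&x=1"))
```

Parsing on the first colon matters for Basic auth because a password containing ':' is legal; the bearer variant has no structure to parse, which is exactly why its only protection is the channel it is sent over.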
  32. Android: Scribe github.com/fernandezpablo85/scribe; PostmanLib github.com/fedepaol/PostmanLib--Rings-Twice--Android
  33. iOS: AFOAuth2Client github.com/AFNetworking/AFOAuth2Client; LROAuth2Client github.com/lukeredpath/LROAuth2Client
  34. OAuth 2.0 and the Road to Hell: hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
  35. Identity Techniques: OpenID, OpenID Connect, Persona
  36. Identity Providers: Social vs. Concrete
  37. Name, Email, Date of Birth, Locale, Time Zone, Address, Gender, Language, Phone Number, Creation Date
  38. What's Next? Bluetooth Smart and Co.
  39. Security matters to users and developers. Difference between authentication and authorization. User Experience should be enhanced, not impaired.
  40. Questions? tmesserschmidt@paypal.com @SeraAndroid slideshare.com/paypal
