DEATH TO PASSWORDS
LONG LIVE SECURITY
Tim Messerschmidt / @SeraAndroiD
Droidcon Berlin ‘14
DO YOU BELIEVE
IN SECURITY?
A STORY ABOUT
PASSWORDS
WIKI.SCULLSECURITY.ORG/PASSWORDS
4.7% OF USERS USE THE
PASSWORD PASSWORD
8.5% ARE USING
PASSWORD OR 123456
9.8% USE PASSWORD
123456 OR 12345678
... And it doesn’t even stop here
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
2013
CBSNEWS.COM/NEWS/THE-25-MOST-COMMON-PASSWORDS-OF-2013/
1. 123456 (up 1)
2. Password (down 1)
3. 12345678
4. Qwerty (up 1)
5. Abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. Iloveyou (up 2)
10. Adobe123 (new)
11. 123123 (up 5)
12. Admin (new)
13. 1234567890 (new)
14. Letmein (down 7)
15. Photoshop (new)
16. 1234 (new)
17. Monkey (down 11)
18. Shadow
19. Sunshine (down 5)
20. 12345 (new)
My learnings from this trend
- People HATE monkeys
- People are more depressed
- Adobe is very popular
3 Password Problems
- Reused
- Phished
- Keylogged
abstrusegoose.com/296
abstrusegoose.com/262
xkcd.com/936
Favor security too much over
the experience and you’ll make
the website a pain to use.
Basic Authentication
username:password
Storing Passwords
SQLCipher & KeyChain
SO WHAT?
People forget passwords…
45% admit to leaving a website instead of resetting their password or answering security questions *
* Blue Inc. 2011
Also they hate to register
Out of 657 surveyed users 66% think that social sign-in is a desirable alternative. *
* Blue Inc. 2011
heartbleed.com
heartbleed.agilebits.com
SO WHAT CAN WE DO
INSTEAD?
PASSWORDLESS
AUTHENTICATION
MEDIUM.COM/CYBER-SECURITY/9ED56D483EB
TWO FACTOR AUTH
TWOFACTORAUTH.ORG
Authentication vs.
Authorization
OAUTH 1.0
Consumer ↔ Service Provider:
1. Request Request Token
2. Grant Request Token
3. Direct User to Service
4. Obtain Authorization
5. Direct to Consumer
6. Request Access Token
7. Grant Access Token
8. Access Resources
OAUTH 1.0A
Android: Signpost <3
github.com/mttkay/signpost
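OAuth 1.0 (and 1.0a, which added oauth_callback and oauth_verifier to close the session-fixation hole in the token exchange) never sends a bearer credential: every request carries an HMAC-SHA1 signature over a canonical "signature base string", and that canonicalisation is exactly what a library such as Signpost exists to get right. The block below is an added example, not the deck's code and not Signpost's, in Python: it builds the base string and signature per RFC 5849 and checks it on the service-provider side. The request, URL and oauth_* parameters are the worked example from RFC 5849 section 3.4.1; the two secrets are constructed for this example, and the realm is left out of the signature as the RFC requires.

```python
import base64
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value: str) -> str:
    """RFC 5849 3.6 percent-encoding: only the RFC 3986 unreserved set is left alone."""
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    """Lower-cased scheme and host, default port dropped, query string and fragment removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def normalized_parameters(pairs) -> str:
    """Encode names and values, sort by name then value (duplicate names allowed), join with & and =."""
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, form_body: str, oauth_params: dict) -> str:
    """Everything the signature covers: query parameters, form-encoded body parameters and the
    oauth_* parameters. realm and oauth_signature itself are excluded, as the RFC requires."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(form_body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    return "&".join([method.upper(),
                     oauth_encode(base_string_uri(url)),
                     oauth_encode(normalized_parameters(pairs))])


def hmac_sha1_signature(method, url, form_body, oauth_params, consumer_secret, token_secret="") -> str:
    """Key is encoded consumer secret, '&', encoded token secret (empty before a token exists)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    text = signature_base_string(method, url, form_body, oauth_params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()


def authorization_header(oauth_params: dict, signature: str, realm=None) -> str:
    """The Authorization: OAuth header the consumer sends (realm first, then sorted oauth_* fields)."""
    items = dict(oauth_params, oauth_signature=signature)
    fields = [f'{oauth_encode(k)}="{oauth_encode(v)}"' for k, v in sorted(items.items())]
    if realm is not None:
        fields.insert(0, f'realm="{realm}"')
    return "OAuth " + ", ".join(fields)


def verify_signature(method, url, form_body, oauth_params, presented, consumer_secret, token_secret="") -> bool:
    """Service-provider side: recompute and compare in constant time. A real server must also
    reject reused (nonce, timestamp) pairs, which this example does not track."""
    expected = hmac_sha1_signature(method, url, form_body, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def fresh_oauth_params(consumer_key: str, token=None) -> dict:
    """oauth_* parameters for a new request; the nonce comes from the OS RNG, not a counter."""
    params = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(int(time.time())), "oauth_nonce": os.urandom(8).hex(),
              "oauth_version": "1.0"}
    if token:
        params["oauth_token"] = token
    return params


# The worked request from RFC 5849 section 3.4.1.1; the secrets used with it below are constructed.
RFC5849_METHOD = "POST"
RFC5849_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC5849_BODY = "c2&a3=2+q"
RFC5849_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
                 "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
                 "oauth_nonce": "7d8f3e4a"}
RFC5849_BASE_STRING = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
                       "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
                       "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
                       "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")

if __name__ == "__main__":
    sig = hmac_sha1_signature(RFC5849_METHOD, RFC5849_URL, RFC5849_BODY, RFC5849_OAUTH,
                              "consumer-secret-example", "token-secret-example")
    print(authorization_header(RFC5849_OAUTH, sig, realm="Example"))
```

Note that the body parameters are signed only because the request is application/x-www-form-urlencoded; a JSON body is not covered by the signature at all, which is one reason the 1.0 design was hard to get right and a motivation for the simpler 2.0 bearer model that follows.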
OAUTH 2.0
Consumer ↔ Service Provider:
1. Direct User to Service
2. Obtain Authorization
3. Request Access Token
4. Grant Access Token
5. Direct to Consumer
6. Access Resources / Profile
URL url = new URL("https://url.com/");
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();

// HTTP header (preferred): the token travels in the request, not in the URL
urlConnection.setRequestProperty("Authorization", "Bearer …");

// URI parameter (avoid: the token ends up in logs and Referer headers)
// "url.com/oauth?access_token=…"
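The snippet above shows the two ways a client can present an OAuth 2.0 access token, but not what the other side should do with it, nor why the URI-parameter form is the one to avoid. The following is an added example, not the deck's code, in Python rather than Java: a client helper that refuses to send a bearer token over plaintext HTTP, and a resource-server check that accepts the token only from the Authorization header, answers with the RFC 6750 error codes, compares tokens in constant time and enforces expiry and scope. The token store, subject names, scopes and URLs are constructed for the example.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class TokenStore:
    """Issued bearer tokens with subject, scopes and expiry. In memory here; constructed for the example."""

    def __init__(self):
        self._tokens = {}

    def issue(self, subject: str, scopes, ttl: int = 3600, now=None) -> str:
        token = secrets.token_urlsafe(32)            # 256 random bits; the token is the whole secret
        issued_at = time.time() if now is None else now
        self._tokens[token] = {"sub": subject, "scope": set(scopes), "exp": issued_at + ttl}
        return token

    def lookup(self, presented: str):
        # A dict lookup would be faster, but an equality check on a credential should not leak
        # how much of it matched through timing; compare every candidate in constant time instead.
        if not presented.isascii():
            return None
        found = None
        for token, record in self._tokens.items():
            if hmac.compare_digest(token, presented):
                found = record
        return found


def client_request(url: str, token: str) -> dict:
    """Client side of the slide: the token goes in the Authorization header, never in the URL,
    and a bearer token is only as secret as the channel, so refuse anything but https."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a bearer token over plaintext HTTP")
    return {"url": url, "headers": {"Authorization": "Bearer " + token}}


def authorize(url: str, headers: dict, store: TokenStore, required_scope: str, now=None):
    """Resource-server side. Returns (HTTP status, RFC 6750 error code or the authenticated subject)."""
    now = time.time() if now is None else now
    if "access_token" in parse_qs(urlsplit(url).query):
        # RFC 6750 2.3 permits the query form but says clients SHOULD NOT use it: the token ends
        # up in access logs, proxies and Referer headers. This server does not accept it at all.
        return 400, "invalid_request"
    scheme, _, credentials = headers.get("Authorization", "").partition(" ")
    credentials = credentials.strip()
    if scheme.lower() != "bearer" or not credentials:
        return 401, "invalid_request"
    record = store.lookup(credentials)
    if record is None or record["exp"] <= now:
        return 401, "invalid_token"
    if required_scope not in record["scope"]:
        return 403, "insufficient_scope"
    return 200, record["sub"]


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("alice", ["profile"], ttl=60)
    request = client_request("https://api.example.com/me", token)
    print(authorize(request["url"], request["headers"], store, "profile"))                       # (200, 'alice')
    print(authorize("https://api.example.com/me?access_token=" + token, {}, store, "profile"))  # (400, 'invalid_request')
```

The status codes map onto the WWW-Authenticate responses RFC 6750 defines (invalid_request, invalid_token, insufficient_scope); a real server would also attach that header to the 401 and 403 so the client knows whether to refresh the token or ask for more scope.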
Android
Scribe
github.com/fernandezpablo85/scribe
PostmanLib
github.com/fedepaol/PostmanLib--Rings-Twice--Android
OAuth 2.0 and the
Road to Hell
hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
Identity Techniques
- OpenID
- OpenID Connect
- Persona
Identity Providers
Social vs. Concrete
Do we always use the same
identity?
Should we always use the
same identity?
Name
Email
Date of Birth
Locale
Time Zone
Address
Gender
Language
Phone Number
Creation Date
What’s Next?
Bluetooth Smart and Co.
Security
matters to users and developers
Difference
authentication and authorization
User Experience
should be enhanced not impaired
BATTLEHACK ’14
BERLIN: JUNE 21ST & 22ND
WARSAW: JULY 12TH & 13TH
LONDON: OCTOBER 11TH & 12TH
MOSCOW: OCTOBER 25TH & 26TH
BATTLEHACK.ORG
Questions?
tmesserschmidt@paypal.com
@SeraAndroid
slideshare.com/paypal
This speech was held at Droidcon Berlin 2014. It covers key issues of passwords and what can be done to resolve them by moving on to more advanced authentication techniques like OAuth 2.0 or even biometry.
