François Marier – @fmarier
Killing Passwords
with JavaScript
problem #1:
passwords are hard to secure
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
bcrypt / scrypt / pbkdf2
per-user salt
site secret
password & lockout policies
secure recovery
2013
2013
password
password...
passwords are hard to secure
they are a liability
ALTER TABLE user
DROP COLUMN password;
problem #2:
passwords are hard to remember
pick an easy password
pick an easy password
use it everywhere
passwords are hard to remember
they need to be reset
control
email
account
control
all
accounts
=
“People want
a little dating
before marriage.”
Eric Vishria – Rockmelt
decentralised
myid.com/u/francois
privacy®
existing login systems
are not good enough
ideal web-wide identity system
●
decentralised
●
simple
●
cross-browser
ideal web-wide identity system
●
decentralised
●
simple
●
cross-browser
ideal web-wide identity system
●
decentralised
●
simple
cross-browser
ideal web-wide identity system
what if it were a standard
part of the web browser?
how does it work?
fmarier@gmail.com
fmarier@gmail.com
demo #1:
http://www.voo.st/
http://www.debuggex.com
fmariertest@eyedee.me
Persona is already a
decentralised system
SMS with PIN codes
SMS with PIN codes
Jabber / XMPP
SMS with PIN codes
Jabber / XMPP
Yubikeys
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
SMS with PIN codes
Jabber / XMPP
Yubikeys
LDAP accounts
Client certificates
Password-wrapped secret key
{
"public-key": {
...
decentralisation is the answer, but it's not
a product adoption strategy
we can't wait for all browsers
to adopt Persona
navigator.id.*
we can't wait for all browsers
to adopt Persona
solution: a temporary
javascript shim
L
I
F
D
Locally
Isolated
Feature
Domain
goal: trusted code
running in the browser
login.persona.org
localStorage
localStorage.setItem("key", serializedKey);
var serializedKey = localStorage.getItem("key");
storage tied to
login.persona.org
window.postMessage()
https://login.persona.org
localStorage
postMessage
Persona supports
all modern browsers
>= 8
we can't wait for all domains
to adopt Persona
we can't wait for all domains
to adopt Persona
solution: a temporary
centralised fallback
demo #2:
http://sloblog.io/
fmariertest@aol.com
Persona already works
with all email domains
identity bridging
demo #3:
http://www.reasonwell.com/
fmariertest@yahoo.com
Persona works everywhere
lessons learned
#1user testing
is critical
#2nobody wants
to be first
“how many users
does Persona have?”
700,000,000
#3if a problem has
been around for a
while, it's probably
a hard one
see if you can solve
part of the problem
$ ssh francois@myserver.com
francois@myserver.com's password:
Persona is a simple
solution for
signing into the web
how simple is it
for developers?
how simple is it
for developers?
4 easy steps
https://developer.mozilla.org/docs/Persona/Quick_Setup
1. load javascript library
<script src=”https://login.persona.org/include.js”>
1. load javascript library
2. setup login & logout callbacks
navigator.id.watch(...);
1. load javascript library
2. setup login & logout callbacks
navigator.id.watch(...);
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
navigator.id.request();
navig...
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
1. load javascript library
2. setup login & logout callbacks
3. add login and logout buttons
4. verify proof of ownership
...
one small request
building a new site:
default to Persona
working on an existing site:
add support for Persona
before
after
after
navigator.id.request()
ALTER TABLE user
DROP COLUMN password;
To learn more about Persona:
https://login.persona.org/
http://identity.mozilla.com/
https://developer.mozilla.org/docs/Pe...
identity provider API
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"655...
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication...
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication...
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication...
https://eyedee.me/.well-known/browserid:
{
"public-key": {
"algorithm":"RS",
"n":"8606...",
"e":"65537"
},
"authentication...
identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication...
identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication...
identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication...
identity provider API
1. check for your /.well-known/browserid
2. try the provisioning endpoint
3. show the authentication...
© 2013 François Marier <francois@mozilla.com>
This work is licensed under a
Creative Commons Attribution-ShareAlike 3.0 Ne...
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Killing Passwords with JavaScript
Upcoming SlideShare
Loading in …5
×

Killing Passwords with JavaScript

1,024 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,024
On SlideShare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Killing Passwords with JavaScript

  1. 1. François Marier – @fmarier Killing Passwords with JavaScript
  2. 2. problem #1: passwords are hard to secure
  3. 3. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  4. 4. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  5. 5. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  6. 6. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  7. 7. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
  8. 8. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery 2013 2013 password password guidelines guidelines
  9. 9. passwords are hard to secure they are a liability
  10. 10. ALTER TABLE user DROP COLUMN password;
  11. 11. problem #2: passwords are hard to remember
  12. 12. pick an easy password
  13. 13. pick an easy password use it everywhere
  14. 14. passwords are hard to remember they need to be reset
  15. 15. control email account control all accounts =
  16. 16. “People want a little dating before marriage.” Eric Vishria – Rockmelt
  17. 17. decentralised
  18. 18. myid.com/u/francois
  19. 19. privacy®
  20. 20. existing login systems are not good enough
  21. 21. ideal web-wide identity system
  22. 22. ● decentralised ● simple ● cross-browser ideal web-wide identity system
  23. 23. ● decentralised ● simple ● cross-browser ideal web-wide identity system
  24. 24. ● decentralised ● simple cross-browser ideal web-wide identity system
  25. 25. what if it were a standard part of the web browser?
  26. 26. how does it work?
  27. 27. fmarier@gmail.com
  28. 28. fmarier@gmail.com
  29. 29. demo #1: http://www.voo.st/ http://www.debuggex.com fmariertest@eyedee.me
  30. 30. Persona is already a decentralised system
  31. 31. SMS with PIN codes
  32. 32. SMS with PIN codes Jabber / XMPP
  33. 33. SMS with PIN codes Jabber / XMPP Yubikeys
  34. 34. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts
  35. 35. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates
  36. 36. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }
  37. 37. decentralisation is the answer, but it's not a product adoption strategy
  38. 38. we can't wait for all browsers to adopt Persona
  39. 39. navigator.id.*
  40. 40. we can't wait for all browsers to adopt Persona solution: a temporary javascript shim
  41. 41. L I F D
  42. 42. Locally Isolated Feature Domain
  43. 43. goal: trusted code running in the browser
  44. 44. login.persona.org
  45. 45. localStorage localStorage.setItem("key", serializedKey); var serializedKey = localStorage.getItem("key");
  46. 46. storage tied to login.persona.org
  47. 47. window.postMessage()
  48. 48. https://login.persona.org localStorage postMessage
  49. 49. Persona supports all modern browsers >= 8
  50. 50. we can't wait for all domains to adopt Persona
  51. 51. we can't wait for all domains to adopt Persona solution: a temporary centralised fallback
  52. 52. demo #2: http://sloblog.io/ fmariertest@aol.com
  53. 53. Persona already works with all email domains
  54. 54. identity bridging
  55. 55. demo #3: http://www.reasonwell.com/ fmariertest@yahoo.com
  56. 56. Persona works everywhere
  57. 57. lessons learned
  58. 58. #1user testing is critical
  59. 59. #2nobody wants to be first
  60. 60. “how many users does Persona have?”
  61. 61. 700,000,000
  62. 62. #3if a problem has been around for a while, it's probably a hard one
  63. 63. see if you can solve part of the problem
  64. 64. $ ssh francois@myserver.com francois@myserver.com's password:
  65. 65. Persona is a simple solution for signing into the web
  66. 66. how simple is it for developers?
  67. 67. how simple is it for developers? 4 easy steps https://developer.mozilla.org/docs/Persona/Quick_Setup
  68. 68. 1. load javascript library <script src=”https://login.persona.org/include.js”>
  69. 69. 1. load javascript library 2. setup login & logout callbacks navigator.id.watch(...);
  70. 70. 1. load javascript library 2. setup login & logout callbacks navigator.id.watch(...);
  71. 71. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons navigator.id.request(); navigator.id.logout();
  72. 72. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership
  73. 73. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership no API key needed
  74. 74. one small request
  75. 75. building a new site: default to Persona
  76. 76. working on an existing site: add support for Persona
  77. 77. before
  78. 78. after
  79. 79. after navigator.id.request()
  80. 80. ALTER TABLE user DROP COLUMN password;
  81. 81. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
  82. 82. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
  83. 83. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
  84. 84. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
  85. 85. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
  86. 86. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
  87. 87. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  88. 88. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  89. 89. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  90. 90. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
  91. 91. © 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Yubikey: https://secure.flickr.com/photos/knk/3379897261/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits:

×