(Why) Passwords don't work

Some slides from a talk on the problems of using passwords. See http://jw35.blogspot.com/2009/11/re-using-ravens-password-database.html for some of the narrative around these topics.

Published in: Technology

  • What security properties do you want?
    What are you trying to protect, and from who?
    Does one size fit all?
  • Oh so easy
    It all comes down to trust
    Cf. Phoenix 30 years ago - password checking could be disabled
  • Now we just have to trust a smaller group
    Who would do this? Oh, think of intruder alarms
  • No longer need to trust users
    Do need to trust anyone/thing that sees the list - any user on any system and then some
    Malicious and/or incompetent
    Could use crypt, but doesn’t really help
  • Note that this is ‘LDAP authentication’, but could be other things
    Client system still sees plaintext password
  • Designed largely to solve this problem
    But...
  • How does the user know?
  • Users can always give their PWD away
    And they always have to trust something which may not be safe
  • (Why) Passwords don't work

    1. In a change from our advertised program...
    2. Why Passwords Don’t Work. Jon Warbrick
    3. What are we trying to achieve?
    4. What are we trying to achieve? Protection from: a bored University student; a tabloid journalist; an organized criminal; the NSA
    5. What are we trying to achieve? Protection from: a bored University student; a tabloid journalist; an organized criminal; the NSA. Protection of: a student’s photo archive; the heir to the throne’s email; the University financial system
    6. http://xkcd.com/538/ Licensed under a Creative Commons Attribution-NonCommercial 2.5 License http://creativecommons.org/licenses/by-nc/2.5/
    7. Option one: Forget passwords
    8. Option two: A single, fixed password
    9. Option three: Distribute a list
    10. Option four: Central verification
    11. Option five: Kerberos (or similar)
    12. Other problems
    13. Other problems
    14. Other problems: “secret”
    15. Other problems: “secret”
    16. Other problems: “secret”
    17. Where do we go from here?
