The document discusses the widespread misuse of weak passwords among users, highlighting that many rely on common and easily guessable passwords. It emphasizes the importance of improving security practices, such as implementing two-factor authentication and utilizing OAuth for safer user authentication methods. The content suggests that enhancing user experience while maintaining security is crucial for retaining user engagement.

1. DEATH TO PASSWORDS
LONG LIVE SECURITY
Tim Messerschmidt / @SeraAndroiD
Mobile Tech Con, Munich ‘14

2. DO YOU BELIEVE
IN SECURITY?

3. DO YOU BELIEVE
IN SECURITY?

4. A STORY ABOUT
PASSWORDS
WIKI.SCULLSECURITY.ORG/PASSWORDS

5. 4.7% OF USERS USE THE
PASSWORD PASSWORD

6. 8.5% ARE USING
PASSWORD OR 123456

7. 9.8% USE PASSWORD
123456 OR 12345678

8. ... And it doesn’t even stop here
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords

10. 2013
CBSNEWS.COM/NEWS/THE-25-MOST-COMMON-
PASSWORDS-OF-2013/

11. 1. 123456 up 1
2. Password down 1
3. 12345678
4. Qwerty up 1
5. Abc123 down 1
6. 123456789 New
7. 111111 up 2
8. 1234567 up 5
9. Iloveyou up 2
10. Adobe123 new
11. 123123 up 5
12. Admin new
13. 1234567890 new
14. Letmein down 7
15. Photoshop new
16. 1234 new
17. Monkey down 11
18. Shadow
19. Sunshine down 5
20. 12345 new

12. My learnings from this trend
- People HATE monkeys
- People are more depressed
- Adobe is very popular

13. 3 Password Problems
- Reused
- Phished
- Keylogged

14. abstrusegoose.com/296

15. abstrusegoose.com/262

16. xkcd.com/936

17. Favor security too much over
the experience and you’ll make
the website a pain to use.

19. Basic Authentication
username:password

20. Storing Passwords
SQLCipher & KeyChain

21. SO WHAT?

22. People forget passwords…
45% admit to leaving a website instead of re-
setting their password or answering security
questions *
* Blue Inc. 2011

23. Also they hate to register
Out of 657 surveyed users 66% think that
social sign-in is a desirable alternative. *
* Blue Inc. 2011

24. SO WHAT CAN WE DO
INSTEAD?

25. TWO FACTOR AUTH
TWOFACTORAUTH.ORG

26. Authentication vs.
Authorization

28. OAUTH 1.0

30. Request
Request
Token
Grant
Request
Token
Direct
User
to
Service
Obtain
AuthorizaDon
Direct
to
Consumer
Request
Access
Token
Grant
Access
Token
Access
Resources
Consumer Service Provider

31. OAUTH 1.0A

33. Android: Signpost <3
github.com/mttkay/signpost
iOS: TDOAuth
github.com/tweetdeck/TDOAuth

34. OAUTH 2.0

35. Direct
User
to
Service
Obtain
AuthorizaDon
Request
Access
Token
Grant
Access
Token
Direct
to
Consumer
Access
Resources
/
Profile
Consumer Service Provider

36. URL url = new URL(”http://url.com/”);!
HttpURLConnection urlConnection =!
!(HttpURLConnection) url.openConnection();!
!
!
setRequestProperty(”Authorization”, ”Bearer …”);!
HTTP Header
“url.com/oauth?access_token=…”!
URI parameter

37. Android
Scribe
github.com/fernandezpablo85/scribe
PostmanLib
github.com/fedepaol/PostmanLib--Rings-Twice--
Android

38. iOS
AFOAuth2Client
github.com/AFNetworking/AFOAuth2Client
LROAuth2Client
github.com/lukeredpath/LROAuth2Client

39. OAuth 2.0 and the
Road to Hell
hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell

40. Identity Techniques
- OpenID
- OpenID Connect
- Persona

41. Identity Providers
Social vs. Concrete

43. Name
Email
Date of Birth
Locale
Time Zone
Address
Gender
Language
Phone Number
Creation Date

45. What’s Next?
Bluetooth Smart and Co.

49. Security
matters to users and developers
Difference
authentication and authorization
User Experience
should be enhanced not impaired

50. Questions?
tmesserschmidt@paypal.com
@SeraAndroid
slideshare.com/paypal