Killing Passwords with JavaScript

Transcript

1. François Marier – @fmarier Killing Passwords with JavaScript

2. None
3. None
4. None
5. None
6. None
7. None
8. None
9. None
10. None
11. None

12. problem #1: passwords are hard to secure

13. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

14. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

15. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

16. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

17. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

18. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery 2013 2013 password password guidelines guidelines

19. passwords are hard to secure they are a liability

20. ALTER TABLE user DROP COLUMN password;

21. problem #2: passwords are hard to remember

22. None
23. None

24. pick an easy password

25. pick an easy password use it everywhere

26. passwords are hard to remember they need to be reset

27. None

28. control email account control all accounts =

29. None

30. “People want a little dating before marriage.” Eric Vishria –

    Rockmelt
31. None

32. decentralised

33. myid.com/u/francois

34. None
35. None

36. privacy ®

37. existing login systems are not good enough

38. ideal web-wide identity system

39. • decentralised • simple • cross-browser ideal web-wide identity system

40. • decentralised • simple • cross-browser ideal web-wide identity system

41. • decentralised • simple cross-browser ideal web-wide identity system

42. what if it were a standard part of the web

    browser?
43. None

44. how does it work?

45. [email protected]

46. [email protected]

47. demo #1: http://www.voo.st/ http://www.debuggex.com [email protected]

48. Persona is already a decentralised system

49. SMS with PIN codes

50. SMS with PIN codes Jabber / XMPP

51. SMS with PIN codes Jabber / XMPP Yubikeys

52. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

53. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

    Client certificates

54. SMS with PIN codes Jabber / XMPP Yubikeys LDAP accounts

    Client certificates Password-wrapped secret key { "public-key": { "algorithm": "RS", "n":"685484565272...", "e":"65537" }, "encrypted-private-key": { "iv": "tmg7gztUQT...", "salt": "JMtGwlF5UWY", "ct": "8DdOjD1IA1..." }, "authentication": "...", "provisioning": "..." }

55. decentralisation is the answer, but it's not a product adoption

    strategy

56. we can't wait for all browsers to adopt Persona

57. navigator.id.*

58. None
59. None
60. None

61. we can't wait for all browsers to adopt Persona solution:

    a temporary javascript shim

62. L I F D

63. Locally Isolated Feature Domain

64. goal: trusted code running in the browser

65. login.persona.org

66. localStorage localStorage.setItem("key", serializedKey); var serializedKey = localStorage.getItem("key");

67. storage tied to login.persona.org

68. window.postMessage()

69. https://login.persona.org localStorage postMessage

70. Persona supports all modern browsers >= 8

71. we can't wait for all domains to adopt Persona

72. we can't wait for all domains to adopt Persona solution:

    a temporary centralised fallback

73. demo #2: http://sloblog.io/ [email protected]

74. Persona already works with all email domains

75. identity bridging

76. demo #3: http://www.reasonwell.com/ [email protected]

77. None
78. None

79. Persona works everywhere

80. lessons learned

81. #1user testing is critical

82. None
83. None
84. None
85. None
86. None

87. #2nobody wants to be first

88. “how many users does Persona have?”

89. None

90. 700,000,000

91. #3if a problem has been around for a while, it's

    probably a hard one

92. see if you can solve part of the problem

93. $ ssh [email protected] [email protected]'s password:

94. None

95. Persona is a simple solution for signing into the web

96. how simple is it for developers?

97. how simple is it for developers? 4 easy steps https://developer.mozilla.org/docs/Persona/Quick_Setup

98. 1. load javascript library <script src=”https://login.persona.org/include.js”>

99. 1. load javascript library 2. setup login & logout callbacks

    navigator.id.watch(...);

100. 1. load javascript library 2. setup login & logout callbacks

     navigator.id.watch(...);

101. 1. load javascript library 2. setup login & logout callbacks

     3. add login and logout buttons navigator.id.request(); navigator.id.logout();

102. 1. load javascript library 2. setup login & logout callbacks

     3. add login and logout buttons 4. verify proof of ownership

103. 1. load javascript library 2. setup login & logout callbacks

     3. add login and logout buttons 4. verify proof of ownership no API key needed

104. one small request

105. None

106. building a new site: default to Persona

107. working on an existing site: add support for Persona

108. before

109. after

110. after navigator.id.request()

111. None

112. ALTER TABLE user DROP COLUMN password;

113. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook

     https://developer.mozilla.org/docs/Persona/Libraries_and_plugins https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

114. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537"

     }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }

115. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

116. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

117. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

118. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

     "provisioning": "/browserid/provision.html" } identity provider API

119. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

120. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

121. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

122. identity provider API 1. check for your /.well-known/browserid 2. try

     the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

123. © 2013 François Marier <[email protected]> This work is licensed under

     a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Laptop password: https://secure.flickr.com/photos/reidrac/4696900602/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Yubikey: https://secure.flickr.com/photos/knk/3379897261/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: