The problem with passwords on the web and what to do about it

Transcript

1. François Marier – @fmarier The problem with passwords on the

   web and what to do about it

2. passwords

3. problem #1: passwords are hard to secure

4. None
5. None
6. None
7. None
8. None
9. None
10. None
11. None
12. None
13. None

14. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

15. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

16. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

17. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

18. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery

19. bcrypt / scrypt / pbkdf2 per-user salt site secret password

    & lockout policies secure recovery 2013 2013 password password guidelines guidelines

20. passwords are hard to secure they are a liability

21. ALTER TABLE user DROP COLUMN password;

22. problem #2: passwords are hard to remember

23. None
24. None

25. pick an easy password

26. pick an easy password use it everywhere

27. passwords are hard to remember they need to be reset

28. None

29. control email account control all accounts =

30. social login

31. “People want a little dating before marriage.” Eric Vishria –

    Rockmelt
32. None

33. decentralized

34. myid.com/u/francois

35. None
36. None

37. privacy ®

38. existing login systems are not good enough

39. ideal web-wide identity system

40. • decentralized • simple • cross-browser ideal web-wide identity system

41. • decentralized • simple • cross-browser ideal web-wide identity system

42. • decentralized • simple • cross-browser ideal web-wide identity system

43. • decentralized • simple • cross-browser

44. how does it work?

45. [email protected]

46. demo #1: http://crossword.thetimes.co.uk/ [email protected]

47. Persona is already a decentralized system

48. decentralization is the answer, but it's not a product adoption

    strategy

49. we can't wait for all domains to adopt Persona

50. we can't wait for all domains to adopt Persona solution:

    a temporary centralized fallback

51. demo #2: http://sloblog.io/ [email protected]

52. Persona already works with all email domains

53. identity bridging

54. demo #3: http://www.reasonwell.com/ [email protected]

55. None
56. None
57. None

58. Persona supports all modern browsers >= 8

59. Persona is decentralized, simple and cross-browser

60. it's simple for users, but is it also simple for

    developers?

61. 1. load javascript library

62. 1. load javascript library 2. setup login & logout callbacks

63. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons

64. 1. load javascript library 2. setup login & logout callbacks

    3. add login and logout buttons 4. verify proof of ownership

65. you can add support for Persona in four easy steps

66. one simple request

67. None

68. building a new site: default to Persona

69. working on an existing site/app: add support for Persona

70. Friday office hours

71. we need your help to eliminate site-specific passwords

72. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook

    https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org

73. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537"

    }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }

74. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

75. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

76. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

77. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html",

    "provisioning": "/browserid/provision.html" } identity provider API

78. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

79. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

80. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

81. identity provider API 1. check for your /.well-known/browserid 2. try

    the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again

82. © 2013 François Marier <[email protected]> This work is licensed under

    a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: