User Identity - NSConference 2013

Transcript

1. @qnoid www qnoid.com Wednesday, 6 March 13

2. Disclaimer I am no security expert. Wednesday, 6 March 13

3. stop using passwords every time you do, God kills a

   kitten Wednesday, 6 March 13

4. User Identity 1. the use of a password. 2. the

   lie. 3. forced upon. 4. the joke. 5. the proposal. Wednesday, 6 March 13

5. https://twitter.com/qnoid/status/307208571941163010 Wednesday, 6 March 13

6. “the use of a password” Wednesday, 6 March 13

7. password policy “a set of rules designed to enhance computer

   security by encouraging users to employ strong passwords and use them properly.” 1 1. http://en.wikipedia.org/wiki/Password_policy Wednesday, 6 March 13

8. fixed size of 5 numbers (no reuse) cursed those born

   in single digit days, single digit months Wednesday, 6 March 13

9. consonant, vowel, consonant, consonant, vowel, consonant, number, number “An Environ

   password”1 1. http://en.wikipedia.org/wiki/Password_policy Wednesday, 6 March 13

10. 1. http://xkcd.com/936/ Wednesday, 6 March 13

11. “Furthermore, for extra security reasons, a password change is obligatory

    by the system every two months.”1 just in time you memorised it 1. http://goo.gl/szQPs National Bank of Greece Wednesday, 6 March 13

12. security questions in case you forget your password Wednesday, 6

    March 13

13. “What is your oldest cousin's first and last name?” so

    good, they made a website1 1. http://goodsecurityquestions.com/examples.htm Wednesday, 6 March 13

14. Common password practice1 • never share a computer account •

    never use the same password for more than one account • never tell a password to anyone, including people who claim to be from customer service or security • never write down a password • never communicate a password by telephone, e-mail or instant messaging • being careful to log off before leaving a computer unattended • changing passwords whenever there is suspicion they may have been compromised • operating system password and application passwords are different • password should be alpha-numeric 1. http://en.wikipedia.org/wiki/Password_policy Wednesday, 6 March 13

15. or else? Wednesday, 6 March 13

16. “the greatest lie about security” dear user, using a password

    keeps you secure, honestly. Wednesday, 6 March 13

17. POST /authenticate username + password Wednesday, 6 March 13

18. GET /foo who are you again? Wednesday, 6 March 13

19. eureka! I know who you are Wednesday, 6 March 13

20. Session ID let me put this right here Wednesday, 6

    March 13

21. wait, wat? what has just happened? Wednesday, 6 March 13

22. but, it’s personal only the user has access to the

    computer Wednesday, 6 March 13

23. but, it’s short-lived yes, but how long? Wednesday, 6 March

    13

24. 0 down to the millisecond Wednesday, 6 March 13

25. “has forced” no password = no access Wednesday, 6 March

    13

26. please state your name and by the way, I need

    you to think of a password Wednesday, 6 March 13

27. “biggest joke on us” you should be able to tell

    by now Wednesday, 6 March 13

28. so why do I need a password again? you are

    using it wrong Wednesday, 6 March 13

29. password = genius albeit primitive Wednesday, 6 March 13

30. openid integration Wednesday, 6 March 13

31. oauth stay away from my lawn Wednesday, 6 March 13

32. residence based authentication one way to do it Wednesday, 6

    March 13

33. innovate on user authentication Wednesday, 6 March 13

34. @xoxco Ben Brown http://notes.xoxco.com/post/27999787765/is-it-time-for-password-less-login Wednesday, 6 March 13

35. @lukew Luke Wroblewski http://storify.com/lukew/yahoo-display-password-test Wednesday, 6 March 13

36. @marcoarment Marco Arment http://www.marco.org/2013/02/24/the-magazine-sharing Wednesday, 6 March 13

37. @newrelic New Relic http://blog.newrelic.com/2013/01/29/introducing-the-new-relic-for-the-iphone/ Wednesday, 6 March 13

38. client implementation on iOS qnoid/TBUserIdentity Wednesday, 6 March 13

39. server implementation on rails qnoid/user_identity Wednesday, 6 March 13

40. Discussion http://goo.gl/H5z0w @qnoid Wednesday, 6 March 13