Death to Passwords SXSW 15

Date post: 14-Jul-2015
Upload: tim-messerschmidt

Transcript

@SeraAndroid #DeathToPW

Death to Passwords. Tim Messerschmidt, Head of Developer Advocacy, International, PayPal / Braintree. SXSW 2015

The 1000 most used passwords of 2012 wiki.skullsecurity.org/Passwords

4.7% use "password"

8.5% use "password" or "123456"

9.8% use "password", "123456" or "12345678"

Top 10: 14%

Top 100: 40%

Top 500: 79%

Top 1000: 91%

2013 cbsn.ws/1siTPGH

1. 123456 2. password 3. 12345678 4. qwerty 5. abc123 6. 123456789 7. 111111 8. 1234567 9. iloveyou 10. adobe123

11. 123123 12. admin 13. 1234567890 14. letmein 15. photoshop 16. 1234 17. monkey 18. shadow 19. sunshine 20. 12345

2014 bit.ly/1xYHjdp (change from 2013 in parentheses)

1. 123456 2. password 3. 12345 (up 17) 4. 12345678 (down 1) 5. qwerty (down 1) 6. 1234567890 7. 1234 (up 9) 8. baseball (new) 9. dragon (new) 10. football (new)

11. 1234567 (down 4) 12. monkey (up 5) 13. letmein (up 1) 14. abc123 (down 9) 15. 111111 (down 8) 16. mustang (new) 17. access (new) 18. shadow 19. master (new) 20. michael (new)

Honorary mention: 21. superman, 24. batman

The 3 key problems

abstrusegoose.com/296

Favor security too much over the experience and you’ll make the website a pain to use.

smashingmagazine.com/2012/10/26/password-masking-hurt-signup-form

People forget passwords…

45% admit to leaving a website instead of resetting their password or answering security questions

- Blue Inc. 2011

Let’s admit it: Passwords really suck!

Hashing: hash(password + salt)

Bad hashing algorithms: MD5, SHA-1, SHA-2, SHA-3 bit.ly/1DOfzy7

Awesome hashing algorithms: PBKDF2, BCRYPT, SCRYPT bit.ly/1DOfzy7

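As an added example (not from the talk or its slides), here is the slide's hash(password + salt) done with a fast general-purpose hash next to the PBKDF2 version the slide recommends, plus a registration check against the top ten of the 2014 list above; the iteration count, salt length, blocklist and function names are this example's own choices, not anything the talk specifies.

```python
import hashlib
import hmac
import os

# Constructed blocklist: the top ten entries of the 2014 list quoted above.
COMMON_PASSWORDS = {"123456", "password", "12345", "12345678", "qwerty",
                    "1234567890", "1234", "baseball", "dragon", "football"}

# Example's own choice of work factor; raise it as hardware gets faster.
CURRENT_ITERATIONS = 600_000


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """hash(password + salt) with SHA-256. The salt defeats precomputed
    tables, but one SHA-256 per guess is far too cheap to slow a dictionary
    run over lists like the one above, hence 'bad' on the slide."""
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def slow_salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: same salt idea, but every guess now costs
    `iterations` HMAC computations, and that cost is tunable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def is_common(password: str) -> bool:
    """Registration check against the most-used passwords (the slides' 14%/40%/91%)."""
    return password.lower() in COMMON_PASSWORDS


def register(password: str, iterations: int = CURRENT_ITERATIONS) -> dict:
    """Reject blocklisted passwords, then store salt, work factor and hash
    together so the work factor can be raised later without a reset."""
    if is_common(password):
        raise ValueError("password is on the common-password blocklist")
    salt = os.urandom(16)  # fresh random salt per account
    return {"salt": salt, "iterations": iterations,
            "hash": slow_salted_hash(password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    computed = slow_salted_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(computed, record["hash"])


def needs_rehash(record: dict, current: int = CURRENT_ITERATIONS) -> bool:
    """True when the stored work factor is below today's setting, so the
    record can be upgraded on the next successful login."""
    return record["iterations"] < current
```

Storing the iteration count beside the hash is what lets needs_rehash() upgrade old records as the work factor grows.
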
2 Factor Authentication twofactorauth.org

Passwordless Authentication medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb

braintreepayments.com/blog/goodbye-passwords-one-touch-hello-bitcoin

Braintree Says Goodbye to Passwords With One Touch Payments for PayPal and Venmo, and Hello to Bitcoin

Diagram: Merchant app → PayPal app → Merchant app

People hate to register

Out of 657 surveyed users 66% think that social sign-in is a desirable alternative.

- Blue Inc. 2011

Diagram: Person → Social Identity / Concrete Identity / No Identity

Authorization & Authentication stackoverflow.com/questions/6367865/is-there-a-difference-between-authentication-and-authorization

One person's data is another person's noise. - K.C. Cole

Social vs. Concrete Identities

OAuth 1.0 (2007)

Flow between the Consumer and the Service Provider:

Request Request Token

Grant Request Token

Direct User to Service

Obtain Authorization

Direct to Consumer

Request Access Token

Grant Access Token

Access Resources

OAuth 1.0a (2009)

OAuth 2.0 (2012)

Flow between the Consumer and the Service Provider:

Direct User to Service

Obtain Authorization

Request Access Token

Grant Access Token

Direct to Consumer

Access Resources

OAuth 2.0 Token via Header

URL url = new URL("http://url.com/");
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
// send the bearer token in the Authorization header, not in the URL
urlConnection.setRequestProperty("Authorization", "Bearer …");

OAuth 2.0 Token via URI "url.com/oauth?access_token=…"

OAuth libraries oauth.net/code

OAuth libraries for Android github.com/mttkay/signpost github.com/pakerfeldt/signpost-retrofit

OAuth libraries for iOS github.com/nxtbgthng/OAuth2Client github.com/AFNetworking/AFOAuth2Manager

OpenID (2005)

The Hybrids: OpenID OAuth Extension & OpenID Connect

Upcoming

A Trusted Environment

The Realm of Creepy

Scaling Security

FIDO Alliance fidoalliance.org

Security needs an accessible standard

Difference between Authentication and Authorization

User experience should be enhanced - not impaired

Thanks [email protected]

braintreepayments.com/developers slideshare.com/PayPal