The problem with passwords on the web and what to do about it
- 1. François Marier – @fmarier The problem with passwords on the web and what to do about it
- 2. passwords
- 3. problem #1: passwords are hard to secure
- 14. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 15. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 16. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 17. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 18. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 19. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery 2013 2013 password password guidelines guidelines
- 20. passwords are hard to secure they are a liability
- 21. ALTER TABLE user DROP COLUMN password;
- 22. problem #2: passwords are hard to remember
- 25. pick an easy password
- 26. pick an easy password use it everywhere
- 27. passwords are hard to remember they need to be reset
- 30. social login
- 31. “People want a little dating before marriage.” Eric Vishria – Rockmelt
- 33. decentralized
- 37. privacy®
- 38. existing login systems are not good enough
- 39. ideal web-wide identity system
- 44. how does it work?
- 47. Persona is already a decentralized system
- 48. decentralization is the answer, but it's not a product adoption strategy
- 49. we can't wait for all domains to adopt Persona
- 50. we can't wait for all domains to adopt Persona solution: a temporary centralized fallback
- 52. Persona already works with all email domains
- 58. Persona supports all modern browsers >= 8
- 59. Persona is decentralized, simple and cross-browser
- 60. it's simple for users, but is it also simple for developers?
- 61. 1. load javascript library
- 62. 1. load javascript library 2. setup login & logout callbacks
- 63. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons
- 64. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership
- 65. you can add support for Persona in four easy steps
- 68. building a new site: default to Persona
- 69. working on an existing site/app: add support for Persona
- 71. we need your help to eliminate site-specific passwords
- 72. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
- 73. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
- 74. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 75. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 76. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 77. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 78. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 79. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 80. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 81. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 82. © 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: