Passwords suck Nico Smit November 2014

“The million passwords dilemma”
- Just as having a million keys sucks, so does having a million usernames and passwords

“The million passwords dilemma”
- We are developers: we make life better and more efficient
- If something is a drag, a developer finds a way to optimize it

“The million passwords dilemma”
- We are supposed to come up with better solutions/alternatives to the million passwords dilemma

Some possible solutions to consider

Option 1: Globally recognized “proxy” login accounts

Option 1:
- Log in with Google
- Log in with Facebook
- Log in with Twitter
- Etc.

Option 1: Pros
- Everyone has one of these accounts, so setup is complete
- APIs and functionality already exist

Option 1: Cons
- Granting a website access through these accounts also opens up your personal information to the website you log in to.

Option 1:
- We as developers should be pushing universal logins on the websites we develop as far as possible, when it makes sense

Option 2: Assume someone's email address and inbox is secure

Option 2:
- It's 2014: emails and mailboxes should be secure, hidden behind a username and password, encrypted connections etc.

Option 2:
- So assuming that the email inbox is secure, we can send any sensitive information we want to the email inbox (usernames, passwords, URLs etc.)

“The encrypted url auto login”

The encrypted url auto login:
- (1) Build a JSON object containing username, password, action to commit, page to redirect to afterwards etc.

The encrypted url auto login:
- (2) Encrypt the JSON object (string) with two-way encryption

The encrypted url auto login:
- (3) Build a receiver for the encrypted string on the website
  - Catch as variable from url
  - Decrypt
  - Do the awesomeness

The encrypted url auto login:
- (4) End result:
  - Example.com?auto=df7gwgh7gfpsh

Option 2: Pros
- Never log in again, forget your password
- Perform any action on website from the url click

Option 2: Cons
- People can hack into your email account… (and everything else… so what?)
- Must have your email open on your device

Option 3: Assume someone’s PC desktop is secure

Option 3:
- Build an actual “key” to actually unlock websites

“Website keys”

Option 3:
- Actual xml file on your computer dashboard
- The xml file contains username, password, address, name, surname etc.

Option 3:
- Drag the “key” into the login area on website to log in
- Option to allow registration with key as well

Option 3:
- After registering on a website, have the option to “download your key for xxxxx”

Option 3:
- A universal standard will have to be implemented for “website keys”

Option 3:
- Stack ‘em up. Have a folder on your dashboard full of keys
- Or password protect the folder…

Option 3: Pros
- Drag and drop
- Your mother could understand it

Option 3: Cons
- Do you really want all your passwords lying on your PC dashboard?

Option 4: Create an online “password vault” for everything

Option 4:
- Implement an accessible API

Option 4: Pure in-browser example
- At login, button that says “Get details from password vault” - click

Option 4: Pure in-browser example
- Opens in new tab, redirects to password vault with current domain name attached (?site=randomsite.com)

Option 4: Pure in-browser example
- Email and password login to password vault
- Immediately shows username and password for site

Option 4: Mobile phone example
- At login, show QR code to scan: “Get details from password vault”

Option 4: Mobile phone example
- Phone goes to password vault with current domain name attached (?site=randomsite.com)

Option 4: Mobile phone example
- Email and password login to password vault

Option 4: Mobile phone example
- Immediately shows username and password for site

Option 4: One time pin solution
- Instead of the password vault showing username and password, let it generate a one time pin, valid for one minute

Option 4: One time pin solution
- The website where the user is trying to log in has a textbox to fill in the one time pin: “Log in with password vault one time pin”

Option 4: One time pin solution
- Submit does an API call to the password vault; on success, it logs the user in
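
One way the vault side of this one time pin flow could work, as an added example that is not code from the original slides. The PasswordVault class, its method names, the 6-digit pin, the attempt cap and identifying the user by email at the website are all assumptions; the one-minute lifetime is from the slides.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 60   # from the slides: pin is valid for one minute
MAX_ATTEMPTS = 3       # assumption, not in the slides: cap guesses per pin


class PasswordVault:
    """Hypothetical vault side of the one time pin flow (names are assumptions)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # (user, site) -> [pin, expires_at, attempts_left]

    def issue_pin(self, user, site):
        """Run after the user has logged in to the vault with ?site=<site>."""
        pin = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        self._pending[(user, site)] = [pin, self._clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        return pin

    def verify_pin(self, user, site, pin):
        """The API call the website makes when the pin textbox is submitted."""
        entry = self._pending.get((user, site))
        if entry is None or self._clock() > entry[1] or entry[2] <= 0:
            self._pending.pop((user, site), None)  # unknown, expired or guessed out
            return False
        if hmac.compare_digest(entry[0].encode(), pin.encode()):
            del self._pending[(user, site)]  # single use: a replay finds nothing
            return True
        entry[2] -= 1  # wrong guess counts against the 10**6 pin space
        return False


def demo():
    # Constructed walk-through with a fake clock; user and sites are made up.
    now = [1000.0]
    vault = PasswordVault(clock=lambda: now[0])
    user, site = "alice@example.com", "randomsite.com"
    pin = vault.issue_pin(user, site)
    out = {"other_site": vault.verify_pin(user, "othersite.example", pin),
           "first_use": vault.verify_pin(user, site, pin),
           "replay": vault.verify_pin(user, site, pin)}
    late_pin = vault.issue_pin(user, site)
    now[0] += PIN_TTL_SECONDS + 1
    out["expired"] = vault.verify_pin(user, site, late_pin)
    return out
```

Because the pin is stored under the (user, site) pair it was requested for, a pin typed into a different site fails there, and the attempt cap keeps the short pin from being guessed within its one-minute window.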

Option 4: Pros
- Everything in browser
- Device independent

Option 4: Cons
- Getting the whole world to buy into the idea of “one password vault”

Questions? Criticisms? Rotten tomatoes?