Passwords and freedom: can we lose the former and retain the latter?

François Marier – @fmarier

passwords and freedom:can we lose the former and retain the latter?

passwords

problem #1:

passwords are hard to secure

they are a liability

ALTER TABLE userDROP COLUMN password;

problem #2:

passwords are hard to remember

pick an easy password

use it everywhere

decentralized

privacy®

existing login systemsare not good enough

ideal web-wide identity system

● decentralized● simple● cross-browser

how does it work?

fmarier@gmail.com

demo #1:

http://crossword.thetimes.co.uk/

fmariertest@eyedee.me

Persona is already adecentralized system

decentralization is the answer, but it's not

a product adoption strategy

we can't wait for all domainsto adopt Persona

solution: a temporarycentralized fallback

demo #2:

http://sloblog.io

fmariertest@gmail.com

Persona already workswith all email domains

identity bridging

demo #3:

http://www.reasonwell.com/

fmariertest@yahoo.com

Persona supportsall modern browsers

Persona is decentralized,simple and cross-browser

it's simple for users, but is it also

simple for developers?

navigator.id.watch({ loggedInEmail: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.watch({ loggedInUser: “francois@mozilla.com”, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { // do something } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.request()

navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/'; } ); }, onlogout: function () { window.location = '/logout'; }});

navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; }});

$ curl -d "assertion=<ASSERTION>& audience=http://123done.org" https://verifier.login.persona.org/verify

{ status: “okay”,

audience: “http://123done.org”,

expires: 1344849682560,

email: “francois@mozilla.com”,

issuer: “login.persona.org”}

{ status: “failed”,

reason: “assertion has expired”}

navigator.id.logout()

navigator.id.watch({ loggedInUser: null, onlogin: function (assertion) { $.post('/login', {assertion: assertion}, function (data) { window.location = '/home'; } ); }, onlogout: function () { window.location = '/logout'; }});

1. load javascript library

2. setup login & logout callbacks

3. add login and logout buttons

4. verify proof of ownership

you can add support forPersona in four easy steps

one simple request

building a new site:default to Persona

working on an existing site/app:add support for Persona

To learn more about Persona:

https://login.persona.org/http://identity.mozilla.com/

https://developer.mozilla.org/docs/Persona/Why_Personahttps://developer.mozilla.org/docs/Persona/Quick_Setup

https://github.com/mozilla/browserid-cookbookhttps://developer.mozilla.org/docs/Persona/Libraries_and_plugins

http://123done.org/https://wiki.mozilla.org/Identity#Get_Involved

@fmarier http://fmarier.org

identity provider API

https://eyedee.me/.well-known/browserid:

{ "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html"}

1. check for your /.well-known/browserid

2. try the provisioning endpoint

3. show the authentication page

4. call the provisioning endpoint again

Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/

Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/

Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/

Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/

Photo credits:

Passwords and freedom: can we lose the former and retain the latter?

Technology

Yugioh Passwords - UPDATED

Passwords And Security

PDF Passwords-Eltima

You$and$Your$Passwords$sites.duke.edu/training/files/2012/10/PasswordPresentation.pdf · Recommendaons$ • Notjustone$strong$passwords,$butmulLple$ strong$passwords$ • Password$Escrow$

Simple Secure Passwords

Passwords Perfectos

Digital Citizenshipdigitalcitizenshipsusd.weebly.com/uploads/7/8/6/6/78661500/__stud… · 1 powerful passwords dos and don’ts of powerful passwords powerful passwords / student

Chapter 7 Passwords - cdn.ttgtmedia.comcdn.ttgtmedia.com/.../HackingforDummiesCh07.pdf · Chapter 7 Passwords ... Therefore, passwords are one of the weakest links in ... This includes

Passwords & security

passwords and passphrases

Default Router Passwords

Passwords and You CREATING AND MAINTAINING SECURE PASSWORDS

Passwords Issa

graphical-passwords authentication

Passwords Everywhere

Passwords, Passwords and more Passwords

Auto-pilot for all your passwords. · Remembers your passwords so you don’t have to. Auto-pilot for all your passwords. Remembers your passwords so you don’t have to. Forget forgotten

2 Ch3 Passwords

Security Awareness Passwords - Illinois.gov · 3 Passwords Password Cracking Find weak passwords Verify the use of good passwords Characters (complex) Estimated time to crack 7 15

Alternatives to Passwords David Bohn. Password : History The average working professional has 6 passwords to perform daily functions Passwords if used