This talk was given at Droidcon Berlin 2014. It covers the key problems with passwords and what can be done about them by moving on to more advanced authentication techniques such as OAuth 2.0 or even biometrics.
DEATH TO PASSWORDS / LONG LIVE SECURITY
Tim Messerschmidt / @SeraAndroiD / Droidcon Berlin ‘14
DO YOU BELIEVE IN SECURITY?
A STORY ABOUT PASSWORDS
wiki.skullsecurity.org/Passwords
4.7% of users use the password "password"
8.5% are using "password" or "123456"
9.8% use "password", "123456" or "12345678"
... And it doesn’t even stop here
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
The 25 most common passwords of 2013
cbsnews.com/news/the-25-most-common-passwords-of-2013/
1. 123456 (up 1)
2. Password (down 1)
3. 12345678
4. Qwerty (up 1)
5. Abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. Iloveyou (up 2)
10. Adobe123 (new)
11. 123123 (up 5)
12. Admin (new)
13. 1234567890 (new)
14. Letmein (down 7)
15. Photoshop (new)
16. 1234 (new)
17. Monkey (down 11)
18. Shadow
19. Sunshine (down 5)
20. 12345 (new)
My takeaways from this trend
- People HATE monkeys
- People are more depressed
- Adobe is very popular
3 Password Problems
- Reused
- Phished
- Keylogged
abstrusegoose.com/296
abstrusegoose.com/262
xkcd.com/936
Favor security too much over the experience and you’ll make the website a pain to use.
Basic Authentication: username:password
Storing Passwords: SQLCipher & KeyChain
SO WHAT?
People forget passwords…
45% admit to leaving a website instead of re-setting their password or answering security questions *
* Blue Inc. 2011
Also, they hate to register
Out of 657 surveyed users, 66% think that social sign-in is a desirable alternative. *
* Blue Inc. 2011
heartbleed.com
heartbleed.agilebits.com
SO WHAT CAN WE DO INSTEAD?
PASSWORDLESS AUTHENTICATION
medium.com/cyber-security/9ed56d483eb
TWO FACTOR AUTH
twofactorauth.org
Authentication vs. Authorization
OAUTH 1.0 (Consumer and Service Provider)
1. Consumer -> Service Provider: Request Request Token
2. Service Provider -> Consumer: Grant Request Token
3. Consumer: Direct User to Service
4. Service Provider: Obtain Authorization
5. Service Provider: Direct to Consumer
6. Consumer -> Service Provider: Request Access Token
7. Service Provider -> Consumer: Grant Access Token
8. Consumer -> Service Provider: Access Resources
OAUTH 1.0A
Android: Signpost <3 github.com/mttkay/signpost
OAUTH 2.0 (Consumer and Service Provider)
1. Consumer: Direct User to Service
2. Service Provider: Obtain Authorization
3. Consumer -> Service Provider: Request Access Token
4. Service Provider -> Consumer: Grant Access Token
5. Service Provider: Direct to Consumer
6. Consumer -> Service Provider: Access Resources / Profile
HTTP Header:
import java.net.HttpURLConnection;
import java.net.URL;

URL url = new URL("http://url.com/");
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
// the bearer token is sent in the Authorization header of the request
urlConnection.setRequestProperty("Authorization", "Bearer …");

URI parameter:
“url.com/oauth?access_token=…”
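An in-memory walk-through of the OAuth 2.0 steps listed above (a single-use authorization code redeemed for a bearer token, which the consumer then sends in the Authorization header rather than as a URI parameter). This is an added example for this page, not code from the talk; the client id, client secret and profile values are constructed.

```python
import hmac
import secrets

class ServiceProvider:
    """Authorization server and resource server in one (for illustration)."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> client_secret (constructed)
        self.codes = {}          # single-use authorization codes
        self.tokens = {}         # access token -> profile

    def obtain_authorization(self, client_id, user):
        # "Direct User to Service / Obtain Authorization": after the user
        # consents, the provider mints a short-lived, single-use code.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code

    def grant_access_token(self, client_id, client_secret, code):
        # "Request Access Token / Grant Access Token": the consumer proves its
        # identity and redeems the code exactly once; replays get nothing.
        expected = self.clients.get(client_id, "")
        if not hmac.compare_digest(client_secret, expected):
            return None
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"name": entry[1], "locale": "de_DE"}
        return token

    def access_resources(self, headers):
        # "Access Resources / Profile": the token is read from the
        # Authorization header only, not from ?access_token=... in the URL.
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or token not in self.tokens:
            return 401, None
        return 200, self.tokens[token]

def run_flow(provider, client_id, client_secret, user="alice"):
    """Consumer side: run the whole exchange and return the final response."""
    code = provider.obtain_authorization(client_id, user)
    token = provider.grant_access_token(client_id, client_secret, code)
    if token is None:
        return 401, None
    return provider.access_resources({"Authorization": "Bearer " + token})

if __name__ == "__main__":
    print(run_flow(ServiceProvider({"droidcon-app": "s3cret"}), "droidcon-app", "s3cret"))
```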
Android libraries
- Scribe: github.com/fernandezpablo85/scribe
- PostmanLib: github.com/fedepaol/PostmanLib--Rings-Twice--Android
OAuth 2.0 and the Road to Hell
hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
Identity Techniques
- OpenID
- OpenID Connect
- Persona
Identity Providers: Social vs. Concrete
Do we always use the same identity?
Should we always use the same identity?
Name
Date of Birth
Locale
Time Zone
Address
Gender
Language
Phone Number
Creation Date
What’s Next? Bluetooth Smart and Co.
Security matters to users and developers
Difference between authentication and authorization
User Experience should be enhanced, not impaired
BATTLEHACK ’14
BERLIN: JUNE 21ST & 22ND
WARSAW: JULY 12TH & 13TH
LONDON: OCTOBER 11TH & 12TH
MOSCOW: OCTOBER 25TH & 26TH
BATTLEHACK.ORG