Death To Passwords

Post on 23-Aug-2014


Category:

Internet


DESCRIPTION

This presentation was held at Droidcon DE 2014. It covers the main issues with passwords in mobile and web applications and which alternative technologies can help resolve them.

Transcript

DEATH TO PASSWORDS, LONG LIVE SECURITY

Tim Messerschmidt / @SeraAndroiD

Droidcon Berlin ‘14

DO YOU BELIEVE IN SECURITY?

A STORY ABOUT PASSWORDS WIKI.SCULLSECURITY.ORG/PASSWORDS

4.7% OF USERS USE THE PASSWORD "PASSWORD"

8.5% ARE USING "PASSWORD" OR "123456"

9.8% USE "PASSWORD", "123456" OR "12345678"

... And it doesn’t even stop here

14% have a password from the top 10 passwords

40% have a password from the top 100 passwords

79% have a password from the top 500 passwords

91% have a password from the top 1000 passwords

2013 CBSNEWS.COM/NEWS/THE-25-MOST-COMMON-PASSWORDS-OF-2013/

1. 123456 (up 1)
2. Password (down 1)
3. 12345678
4. Qwerty (up 1)
5. Abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. Iloveyou (up 2)
10. Adobe123 (new)
11. 123123 (up 5)
12. Admin (new)
13. 1234567890 (new)
14. Letmein (down 7)
15. Photoshop (new)
16. 1234 (new)
17. Monkey (down 11)
18. Shadow
19. Sunshine (down 5)
20. 12345 (new)

My learnings from this trend

- People HATE monkeys

- People are more depressed

- Adobe is very popular

3 Password Problems

- Reused

- Phished

- Keylogged

abstrusegoose.com/296  

abstrusegoose.com/262  

xkcd.com/936  

Favor security too much over the experience and you’ll make the website a pain to use.

Basic Authentication username:password

Storing Passwords SQLCipher & KeyChain

SO WHAT?

People forget passwords…

45% admit to leaving a website instead of resetting their password or answering security questions (Blue Inc., 2011).

Also, they hate to register.

Out of 657 surveyed users, 66% think that social sign-in is a desirable alternative (Blue Inc., 2011).

heartbleed.com  

heartbleed.agilebits.com  

SO WHAT CAN WE DO INSTEAD?

PASSWORDLESS AUTHENTICATION MEDIUM.COM/CYBER-SECURITY/9ED56D483EB

TWO FACTOR AUTH TWOFACTORAUTH.ORG

Authentication vs. Authorization

OAUTH 1.0

OAuth 1.0 flow between Consumer and Service Provider:

1. Consumer → Service Provider: Request Request Token
2. Service Provider → Consumer: Grant Request Token
3. Consumer → Service Provider: Direct User to Service
4. Service Provider: Obtain Authorization (from the user)
5. Service Provider → Consumer: Direct to Consumer
6. Consumer → Service Provider: Request Access Token
7. Service Provider → Consumer: Grant Access Token
8. Consumer → Service Provider: Access Resources

OAUTH 1.0A

Android: Signpost <3  github.com/mttkay/signpost
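The request-signing step that libraries like Signpost perform for the OAuth 1.0a flow above, as an added example in Python (not Signpost's code and not part of the original deck): it builds the RFC 5849 signature base string and HMAC-SHA1 signature, so the consumer secret and token secret never travel with the request and a token captured from a URL or log cannot sign new requests on its own. All keys, nonces, timestamps and URLs are constructed placeholders; replay protection (checking nonce and timestamp) remains the service provider's job.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    # RFC 5849 3.6 encoding: only unreserved characters untouched, uppercase hex
    return quote(str(value), safe="-._~")

def normalize_url(url):
    # Lowercase scheme and host, drop default ports, strip query and fragment
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"

def signature_base_string(method, url, params):
    # params: (name, value) pairs from the body and the oauth_* set, never oauth_signature;
    # query parameters are taken from the URL itself, decoded, then re-encoded and sorted
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in list(query) + list(params))
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Signing key binds the request to both secrets, which are never sent to the server
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_request(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    # Returns the oauth_* parameters plus oauth_signature, ready for the Authorization header
    base = signature_base_string(method, url, list(oauth_params.items()) + list(body_params))
    sig = hmac_sha1_signature(base, consumer_secret, token_secret)
    return {**oauth_params, "oauth_signature": sig}

def authorization_header(signed_params):
    # RFC 5849 3.5.1 serialization: OAuth name="value", name="value", ...
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed_params.items()))
```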

OAUTH 2.0

OAuth 2.0 flow between Consumer and Service Provider:

1. Consumer → Service Provider: Direct User to Service
2. Service Provider: Obtain Authorization (from the user)
3. Service Provider → Consumer: Direct to Consumer
4. Consumer → Service Provider: Request Access Token
5. Service Provider → Consumer: Grant Access Token
6. Consumer → Service Provider: Access Resources / Profile

URL url = new URL("http://url.com/");
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
// the bearer token is only as secret as the channel: use an https:// URL in practice
urlConnection.setRequestProperty("Authorization", "Bearer …");

HTTP Header

url.com/oauth?access_token=…

URI parameter (the token ends up in server logs, browser history and Referer headers)

Android

Scribe github.com/fernandezpablo85/scribe

PostmanLib github.com/fedepaol/PostmanLib--Rings-Twice--Android

OAuth 2.0 and the Road to Hell hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell

Identity Techniques

- OpenID

- OpenID Connect

- Persona

Identity Providers Social vs. Concrete

Do we always use the same identity?

Should we always use the same identity?

Name

Email

Date of Birth

Locale

Time Zone

Address

Gender

Language

Phone Number

Creation Date

What’s Next? Bluetooth Smart and Co.

Security matters to users and developers

The difference between authentication and authorization

User experience should be enhanced, not impaired

BATTLEHACK ’14

BERLIN: JUNE 21ST & 22ND

WARSAW: JULY 12TH & 13TH

LONDON: OCTOBER 11TH & 12TH

MOSCOW: OCTOBER 25TH & 26TH

BATTLEHACK.ORG

Questions? tmesserschmidt@paypal.com @SeraAndroid slideshare.com/paypal
