Death To Passwords Droid Edition
Transcript of Death To Passwords Droid Edition
![Page 1: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/1.jpg)
DEATH TO PASSWORDS, LONG LIVE SECURITY
Tim Messerschmidt / @SeraAndroid / Droidcon Berlin '14
![Page 2: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/2.jpg)
DO YOU
BELIEVE
IN SECURITY?
![Page 4: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/4.jpg)
A STORY ABOUT PASSWORDS
wiki.skullsecurity.org/Passwords
![Page 5: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/5.jpg)
4.7% OF USERS USE THE PASSWORD "PASSWORD"
![Page 6: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/6.jpg)
8.5% ARE USING "PASSWORD" OR "123456"
![Page 7: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/7.jpg)
9.8% USE "PASSWORD", "123456" OR "12345678"
![Page 8: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/8.jpg)
... And it doesn't even stop here
- 14% have a password from the top 10 passwords
- 40% have a password from the top 100 passwords
- 79% have a password from the top 500 passwords
- 91% have a password from the top 1000 passwords
![Page 9: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/9.jpg)
![Page 10: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/10.jpg)
2013
cbsnews.com/news/the-25-most-common-passwords-of-2013/
![Page 11: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/11.jpg)
1. 123456 (up 1)
2. password (down 1)
3. 12345678 (unchanged)
4. qwerty (up 1)
5. abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. iloveyou (up 2)
10. adobe123 (new)
11. 123123 (up 5)
12. admin (new)
13. 1234567890 (new)
14. letmein (down 7)
15. photoshop (new)
16. 1234 (new)
17. monkey (down 11)
18. shadow (unchanged)
19. sunshine (down 5)
20. 12345 (new)
![Page 12: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/12.jpg)
![Page 13: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/13.jpg)
My takeaways from this trend
- People HATE monkeys
- People are more depressed
- Adobe is very popular
![Page 14: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/14.jpg)
3 Password Problems
- Reused
- Phished
- Keylogged
![Page 15: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/15.jpg)
abstrusegoose.com/296
![Page 16: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/16.jpg)
abstrusegoose.com/262
![Page 17: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/17.jpg)
xkcd.com/936
![Page 18: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/18.jpg)
Favor security too much
over the experience and
you’ll make the website
a pain to use.
![Page 19: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/19.jpg)
![Page 20: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/20.jpg)
Basic Authentication
username:password
![Page 21: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/21.jpg)
Storing Passwords
SQLCipher & KeyChain
![Page 22: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/22.jpg)
SO WHAT?
![Page 23: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/23.jpg)
People forget
passwords…
45% admit to leaving a website
instead of re-setting their password
or answering security questions *
* Blue Inc. 2011
![Page 24: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/24.jpg)
Also they hate to
register
Out of 657 surveyed users 66%
think that social sign-in is a
desirable alternative. *
* Blue Inc. 2011
![Page 25: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/25.jpg)
heartbleed.com
![Page 26: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/26.jpg)
heartbleed.agilebits.com
![Page 27: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/27.jpg)
SO WHAT CAN
WE DO
INSTEAD?
![Page 28: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/28.jpg)
PASSWORDLESS AUTHENTICATION
medium.com/cyber-security/9ed56d483eb
![Page 29: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/29.jpg)
TWO FACTOR AUTH
twofactorauth.org
![Page 30: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/30.jpg)
Authentication vs. Authorization
![Page 31: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/31.jpg)
![Page 32: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/32.jpg)
OAUTH 1.0
![Page 33: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/33.jpg)
![Page 34: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/34.jpg)
![Page 35: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/35.jpg)
![Page 36: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/36.jpg)
OAuth 1.0 flow between Consumer and Service Provider:
1. Consumer requests a request token
2. Service provider grants the request token
3. Consumer directs the user to the service provider
4. User authorizes the consumer at the service provider
5. Service provider directs the user back to the consumer
6. Consumer requests an access token
7. Service provider grants the access token
8. Consumer accesses the protected resources
![Page 37: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/37.jpg)
OAUTH 1.0A
![Page 38: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/38.jpg)
![Page 39: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/39.jpg)
Android: Signpost <3
github.com/mttkay/signpost
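The request signing that a library like Signpost does for you, written out as an added example (this is illustration code, not Signpost's implementation). OAuth 1.0a kept the signing scheme of OAuth 1.0 and added `oauth_callback` to the request-token step and `oauth_verifier` to the access-token step; the signature base string and HMAC-SHA1 signature below are what every signed request carries. The request parameters are those of the example request in RFC 5849 section 3.4.1.1, so the printed base string can be compared against the RFC; the two secrets are made-up placeholders, not values from the RFC.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** OAuth 1.0a request signing with HMAC-SHA1 (RFC 5849), shown step by step. */
public class OAuth1Signer {

    /** RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded. */
    static String pct(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8")
                    .replace("+", "%20")  // URLEncoder writes space as '+'
                    .replace("*", "%2A")  // URLEncoder leaves '*' bare
                    .replace("%7E", "~"); // URLEncoder encodes '~'
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 always exists
        }
    }

    /** Section 3.4.1.3.2: encode name and value, sort by name then value, join with '&'. */
    static String normalizeParams(List<String[]> params) {
        List<String[]> enc = new ArrayList<>();
        for (String[] p : params) enc.add(new String[] { pct(p[0]), pct(p[1]) });
        enc.sort((x, y) -> x[0].equals(y[0]) ? x[1].compareTo(y[1]) : x[0].compareTo(y[0]));
        StringBuilder sb = new StringBuilder();
        for (String[] p : enc) {
            if (sb.length() > 0) sb.append('&');
            sb.append(p[0]).append('=').append(p[1]);
        }
        return sb.toString();
    }

    /** Section 3.4.1.1: METHOD "&" pct(base URI) "&" pct(normalized parameters). */
    static String signatureBaseString(String method, String baseUri, List<String[]> params) {
        return method.toUpperCase() + "&" + pct(baseUri) + "&" + pct(normalizeParams(params));
    }

    /** Section 3.4.2: key is pct(consumer secret) "&" pct(token secret); the token secret may be empty. */
    static String hmacSha1Signature(String baseString, String consumerSecret, String tokenSecret) throws Exception {
        byte[] key = (pct(consumerSecret) + "&" + pct(tokenSecret)).getBytes(StandardCharsets.UTF_8);
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        // java.util.Base64 needs Java 8 / Android API 26; older Android has android.util.Base64
        return Base64.getEncoder().encodeToString(mac.doFinal(baseString.getBytes(StandardCharsets.UTF_8)));
    }

    /** Section 3.5.1: Authorization header carrying the oauth_* parameters plus the signature. */
    static String authorizationHeader(List<String[]> params, String signature) {
        StringBuilder sb = new StringBuilder("OAuth ");
        for (String[] p : params) {
            if (p[0].startsWith("oauth_")) sb.append(pct(p[0])).append("=\"").append(pct(p[1])).append("\", ");
        }
        return sb.append("oauth_signature=\"").append(pct(signature)).append('"').toString();
    }

    public static void main(String[] args) throws Exception {
        // Query, body and oauth_* parameters of the example request in RFC 5849 section 3.4.1.1.
        List<String[]> params = new ArrayList<>();
        params.add(new String[] { "b5", "=%3D" });
        params.add(new String[] { "a3", "a" });
        params.add(new String[] { "c@", "" });
        params.add(new String[] { "a2", "r b" });
        params.add(new String[] { "c2", "" });
        params.add(new String[] { "a3", "2 q" });
        params.add(new String[] { "oauth_consumer_key", "9djdj82h48djs9d2" });
        params.add(new String[] { "oauth_token", "kkk9d7dh3k39sjv7" });
        params.add(new String[] { "oauth_signature_method", "HMAC-SHA1" });
        params.add(new String[] { "oauth_timestamp", "137131201" });
        params.add(new String[] { "oauth_nonce", "7d8f3e4a" });

        String base = signatureBaseString("POST", "http://example.com/request", params);
        System.out.println(base);
        // Placeholder secrets, constructed for this example only.
        String sig = hmacSha1Signature(base, "example-consumer-secret", "example-token-secret");
        System.out.println(authorizationHeader(params, sig));
    }
}
```

Two details matter in practice: the parameter list must be sorted after encoding (so `c%40` sorts before `c2`), and `java.net.URLEncoder` is not the RFC 5849 encoder until the three replacements in `pct` are applied. Getting either wrong produces a signature the service provider silently rejects, which is the most common reason hand-rolled OAuth 1.0a clients fail.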
![Page 40: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/40.jpg)
OAUTH 2.0
![Page 41: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/41.jpg)
OAuth 2.0 flow between Consumer and Service Provider:
1. Consumer directs the user to the service provider
2. User authorizes the consumer at the service provider
3. Service provider directs the user back to the consumer
4. Consumer requests an access token
5. Service provider grants the access token
6. Consumer accesses the protected resources / profile
![Page 42: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/42.jpg)
```java
// Bearer tokens are replayable secrets: send them only over HTTPS.
URL url = new URL("https://url.com/");
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
urlConnection.setRequestProperty("Authorization", "Bearer …");
```
HTTP Header

"url.com/oauth?access_token=…"
URI parameter
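The two credential forms the talk touches on, Basic Authentication (`username:password`) and the OAuth 2.0 bearer token, as one added example; this is illustration code, not from the talk or any of the libraries it names. The hostnames, credentials and token are made-up placeholders. It shows that a Basic header is only base64 and decodes straight back to the password, builds the Bearer header form, and refuses the two transports a practitioner should never accept: plain HTTP, and the token in the query string, where it ends up in server logs, proxy logs, browser history and Referer headers.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Carrying credentials in an HttpURLConnection request: Basic, Bearer, and the URI-parameter pitfall. */
public class AuthHeaders {

    /** Basic authentication (RFC 7617) is only base64(username ":" password): encoding, not encryption. */
    static String basicHeader(String username, String password) {
        if (username.contains(":")) throw new IllegalArgumentException("username must not contain ':'");
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Whoever sees the header gets the password back, which is why Basic is acceptable only over TLS. */
    static String[] decodeBasic(String header) {
        if (!header.startsWith("Basic ")) throw new IllegalArgumentException("not a Basic header");
        String raw = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
        int colon = raw.indexOf(':');
        return new String[] { raw.substring(0, colon), raw.substring(colon + 1) };
    }

    /** OAuth 2.0 bearer token in the Authorization header (RFC 6750 section 2.1), the recommended form. */
    static String bearerHeader(String accessToken) {
        return "Bearer " + accessToken;
    }

    /** True when the token travels as a query parameter (RFC 6750 section 2.3): it then lands in
     *  server logs, proxy logs, browser history and Referer headers. */
    static boolean tokenInQuery(URL url) {
        String query = url.getQuery();
        if (query == null) return false;
        for (String pair : query.split("&")) {
            if (pair.startsWith("access_token=")) return true;
        }
        return false;
    }

    /** Prepares the request with the Authorization header, refusing plain HTTP: a bearer token or a
     *  Basic header on the wire is a replayable secret, so TLS is a precondition, not an option. */
    static HttpURLConnection openAuthorized(URL url, String authorizationHeader) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("refusing to send credentials over " + url.getProtocol());
        }
        if (tokenInQuery(url)) {
            throw new IllegalArgumentException("move the access token from the query string into the header");
        }
        HttpURLConnection connection = (HttpURLConnection) url.openConnection(); // no network traffic yet
        connection.setRequestProperty("Authorization", authorizationHeader);
        return connection;
    }

    public static void main(String[] args) throws Exception {
        String basic = basicHeader("alice", "correct horse battery staple"); // constructed credentials
        String[] recovered = decodeBasic(basic);
        System.out.println(basic + " decodes to " + recovered[0] + " / " + recovered[1]);

        URL api = new URL("https://api.example.com/me"); // placeholder host
        HttpURLConnection request = openAuthorized(api, bearerHeader("example-access-token"));
        System.out.println("Prepared " + request.getRequestMethod() + " " + api + " with a Bearer header");

        String[] rejected = {
            "http://api.example.com/me",
            "https://api.example.com/me?access_token=example-access-token"
        };
        for (String bad : rejected) {
            try {
                openAuthorized(new URL(bad), bearerHeader("example-access-token"));
            } catch (IllegalArgumentException e) {
                System.out.println("Blocked " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

`url.openConnection()` only prepares the request object, so the example runs without network access. Note that the JDK's `HttpURLConnection.getRequestProperty("Authorization")` deliberately returns `null`, so do not try to read the header back for a check; verify at the point where it is set, as `openAuthorized` does.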
![Page 43: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/43.jpg)
Android
Scribe: github.com/fernandezpablo85/scribe
PostmanLib: github.com/fedepaol/PostmanLib--Rings-Twice--Android
![Page 44: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/44.jpg)
OAuth 2.0 and the Road to Hell
hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
![Page 45: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/45.jpg)
Identity Techniques
- OpenID
- OpenID Connect
- Persona
![Page 46: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/46.jpg)
Identity Providers
Social vs. Concrete
![Page 47: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/47.jpg)
![Page 48: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/48.jpg)
Do we always use
the same identity?
![Page 49: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/49.jpg)
Should we always
use the same
identity?
![Page 50: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/50.jpg)
![Page 51: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/51.jpg)
Name
Date of Birth
Locale
Time Zone
Address
Gender
Language
Phone Number
Creation Date
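An added example tying the "Authentication vs. Authorization" point to the identity techniques listed above (OpenID Connect in particular) and to the profile attributes on this slide: an OAuth access token only authorizes API calls, whereas an OpenID Connect ID token is the artifact that authenticates the user and carries claims such as name and locale. The code is illustration code, not from the talk or any identity provider. It issues and then verifies a compact JWT ID token, checking signature, issuer, audience and expiry before trusting any claim. Two assumptions: the token is signed with HS256 and a shared secret so the example is self-contained (real providers typically use RS256 and publish their keys via JWKS), and the claims are pulled out with a regex that handles only the flat, constructed payload used here; a real app should use a JSON parser. Issuer, client id, subject and secret are made-up values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Minimal OpenID Connect ID token check: the token that answers "who is this user?". */
public class IdTokenCheck {

    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static byte[] hs256(String signingInput, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8));
    }

    /** Builds a compact JWS (header.payload.signature) the way the identity provider would. */
    static String issueToken(String payloadJson, byte[] key) throws Exception {
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hs256(signingInput, key));
    }

    /** Pulls a flat string or number claim out of the payload; enough for the constructed token here. */
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(?:\"([^\"]*)\"|(\\d+))").matcher(json);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    /** Verifies signature, issuer, audience and expiry (OpenID Connect Core 3.1.3.7) and only then
     *  returns the payload JSON; a token failing any check is rejected as a whole. */
    static String verify(String token, byte[] key, String expectedIssuer, String clientId, long nowEpochSeconds)
            throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");
        String headerJson = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm: never let the token choose it (alg=none, key confusion).
        if (!"HS256".equals(claim(headerJson, "alg"))) throw new SecurityException("unexpected alg");
        byte[] expected = hs256(parts[0] + "." + parts[1], key);
        if (!MessageDigest.isEqual(expected, B64D.decode(parts[2]))) throw new SecurityException("bad signature");
        String payload = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
        if (!expectedIssuer.equals(claim(payload, "iss"))) throw new SecurityException("wrong issuer");
        if (!clientId.equals(claim(payload, "aud"))) throw new SecurityException("token issued for another client");
        String exp = claim(payload, "exp");
        if (exp == null || Long.parseLong(exp) <= nowEpochSeconds) throw new SecurityException("token expired");
        return payload;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-shared-secret-for-this-example".getBytes(StandardCharsets.UTF_8);
        long now = 1_400_000_000L; // fixed clock so the run is reproducible
        String payload = "{\"iss\":\"https://idp.example\",\"sub\":\"24400320\",\"aud\":\"droid-app\","
                + "\"exp\":" + (now + 600) + ",\"name\":\"Tim\",\"locale\":\"de-DE\"}";
        String idToken = issueToken(payload, key);

        String ok = verify(idToken, key, "https://idp.example", "droid-app", now);
        System.out.println("authenticated " + claim(ok, "sub") + " (" + claim(ok, "name") + ", " + claim(ok, "locale") + ")");

        try { verify(idToken, key, "https://idp.example", "other-app", now); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }

        try { verify(idToken, key, "https://idp.example", "droid-app", now + 3600); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The audience check is the one most often skipped and the one that matters most for "should we always use the same identity?": an ID token minted for another client must not log a user into yours, even when it carries a perfectly valid signature from the same provider.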
![Page 52: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/52.jpg)
![Page 53: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/53.jpg)
What's Next?
Bluetooth Smart and Co.
![Page 54: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/54.jpg)
![Page 55: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/55.jpg)
![Page 56: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/56.jpg)
![Page 57: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/57.jpg)
![Page 58: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/58.jpg)
![Page 59: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/59.jpg)
Security matters to users and developers
Difference between authentication and authorization
User experience should be enhanced, not impaired
![Page 60: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/60.jpg)
![Page 61: Death To Passwords Droid Edition](https://reader033.fdocuments.us/reader033/viewer/2022051313/547ea6855906b592718b46ad/html5/thumbnails/61.jpg)
BATTLEHACK ’14
BERLIN: JUNE 21ST & 22ND
WARSAW: JULY 12TH & 13TH
LONDON: OCTOBER 11TH & 12TH
MOSCOW: OCTOBER 25TH & 26TH
BATTLEHACK.ORG