Post on 15-Dec-2015
Passwords suck

Nico Smit

November 2014

“The million passwords dilemma:”

Just like having a million keys sucks, so also having a million usernames and passwords sucks.

“The million passwords dilemma:”

We are developers, we make life better and more efficient. If something is a drag, a developer finds a way to optimize it.

“The million passwords dilemma:”

We are supposed to come up with better solutions/alternatives to the million passwords dilemma.

Some possible solutions to consider

Option 1:

Globally recognized “proxy” login accounts

Option 1: Log in with Google

Log in with Facebook

Log in with Twitter

Etc.

Option 1: Pros

Everyone has one of these accounts, so setup is complete

APIs and functionality already exist

Option 1: Cons

Granting access to a website through these accounts also opens up your personal information to the website you log in to.

Option 1: We as developers should be pushing universal logins on the websites we develop as far as possible, when it makes sense.

Option 2:

Assume someone's email address and inbox is secure

Option 2: It's 2014, emails and mailboxes should be secure: hidden behind a username and password, encrypted connections etc.

Option 2: So assuming that the email inbox is secure, we can send any sensitive information we want to the email inbox (usernames, passwords, urls etc.)

“The encrypted url auto login”

The encrypted url auto login:

(1) Build a JSON object containing username, password, action to commit, page to redirect to afterwards etc.

(2) Encrypt the JSON object (string) with two way encryption

(3) Build a receiver for the encrypted string on the website: catch it as a variable from the url, decrypt, do the awesomeness

(4) End result: Example.com?auto=df7gwgh7gfpsh
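Steps (1) to (4) carried through as an added Python example (not code from the original slides): the payload is the JSON object of step (1) with an expiry field added, step (2) uses authenticated encryption so a tampered or expired url is rejected instead of decrypted, and step (3) is the receiver. Assumptions: a stdlib-only HMAC-based cipher stands in for a real cipher such as AES-GCM, the key is a constructed demo value, and the password is left out of the payload because the server that decrypts the token already knows which user it issued it for.

```python
"""Encrypted-url auto-login token: issue and receive (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

KEY = hashlib.sha256(b"constructed demo secret, not a real key").digest()  # assumption
TOKEN_TTL = 600  # seconds a link stays valid (assumed value)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only stand-in for AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def issue_token(username: str, action: str, redirect: str) -> str:
    """Steps (1)+(2): JSON payload, encrypt-then-MAC, url-safe string for ?auto=."""
    payload = json.dumps({
        "user": username, "action": action, "next": redirect,
        "exp": int(time.time()) + TOKEN_TTL,  # expiry so old links stop working
    }).encode()
    nonce = secrets.token_bytes(16)  # fresh per token, so equal payloads differ
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(KEY, nonce, len(payload))))
    tag = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()  # covers nonce and ciphertext
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")


def receive_token(token: str, now=None):
    """Step (3): decode, verify the tag, decrypt, check expiry. None means reject."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) < 48:  # shorter than nonce + tag: malformed
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # tampered url or wrong key
        return None
    payload = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(KEY, nonce, len(ct)))))
    if payload["exp"] < (now if now is not None else time.time()):
        return None  # link has expired
    return payload  # the website now "does the awesomeness" for payload["user"]
```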

Option 2: Pros

Never log in again, forget your password

Perform any action on the website from the url click

Option 2: Cons

People can hack into your email account… (and everything else… so what?)

Must have your email open on your device

Option 3:

Assume someone’s PC desktop is secure

Option 3: Build an actual “key” to actually unlock websites

“Website keys”

Option 3: An actual xml file on your computer dashboard

The xml file contains username, password, address, name, surname etc.

Option 3: Drag the “key” into the login area on the website to log in

Option to allow registration with the key as well

Option 3: After registering on a website, have the option to “download your key for xxxxx”

Option 3: A universal standard will have to be implemented for “website keys”

Option 3: Stack ‘em up. Have a folder on your dashboard full of keys

Or password protect the folder…

Option 3: Pros

Drag and drop

Your mother could understand it

Option 3: Cons

Do you really want all your passwords lying on your PC dashboard?

Option 4:

Create an online “password vault” for everything

Option 4: Implement accessible API

Option 4: Pure in-browser example:

At login, a button that says “Get details from password vault” - click

Opens in a new tab, redirects to the password vault with the current domain name attached (?site=randomsite.com)

Email and password login to the password vault

Immediately shows username and password for the site

Option 4: Mobile phone example:

At login, show a QR code to scan: “Get details from password vault”

Phone goes to the password vault with the current domain name attached (?site=randomsite.com)

Email and password login to the password vault

Immediately shows username and password for the site

Option 4: One time pin solution:

Instead of the password vault showing the username and password, let it generate a one time pin, valid for one minute

The website where the user is trying to log in has a textbox to fill in the one time pin: “Log in with password vault one time pin”

Submit does an API call to the password vault; if success, logs the user in

Option 4: Pros

Everything in browser

Device independent

Option 4: Cons

Getting the whole world to buy into the idea of “one password vault”

Questions?

Criticisms?

Rotten tomatoes??