DEATH TO PASSWORDSLONG LIVE SECURITY

Tim Messerschmidt / @SeraAndroiDDroidcon Berlin ‘14

DO YOU

BELIEVE

IN SECURITY?

DO YOU

BELIEVE

IN SECURITY?

A STORY

ABOUT

PASSWORDSWIKI.SCULLSECURITY.ORG/PASS

WORDS

4.7% OF

USERS USE

THE

PASSWORD

PASSWORD

8.5% ARE

USING

PASSWORD

OR 123456

9.8% USE

PASSWORD

123456 OR

12345678

... And it doesn’t even stop here

14% have a password from the top 10

passwords

40% have a password from the top 100

passwords

79% have a password from the top 500

passwords

91% have a password from the top

1000 passwords

2013CBSNEWS.COM/NEWS/THE-25-

MOST-COMMON-PASSWORDS-

OF-2013/

1. 123456 up 1

2. Password down 1

3. 12345678

4. Qwerty up 1

5. Abc123 down 1

6. 123456789 New

7. 111111 up 2

8. 1234567 up 5

9. Iloveyou up 2

10.Adobe123 new

11.123123 up 5

12.Admin new

13.1234567890 new

14.Letmein down 7

15.Photoshop new

16.1234 new

17.Monkey down 11

18.Shadow

19.Sunshine down 5

20.12345 new

My learnings from this trend

- People HATE monkeys

- People are more depressed

- Adobe is very popular

3 Password Problems

- Reused

- Phished

- Keylogged

abstrusegoose.com/296

abstrusegoose.com/262

xkcd.com/936

Favor security too much

over the experience and

you’ll make the website

a pain to use.

Basic

Authenticationusername:password

Storing

PasswordsSQLCipher &

KeyChain

SO WHAT?

People forget

passwords…

45% admit to leaving a website

instead of re-setting their password

or answering security questions *

* Blue Inc. 2011

Also they hate to

register

Out of 657 surveyed users 66%

think that social sign-in is a

desirable alternative. *

* Blue Inc. 2011

heartbleed.com

heartbleed.agilebits.com

SO WHAT CAN

WE DO

INSTEAD?

PASSWORDLE

SS

AUTHENTICATI

ONMEDIUM.COM/CYBER-

SECURITY/9ED56D483EB

TWO FACTOR

AUTHTWOFACTORAUTH.ORG

Authentication

vs.Authorization

OAUTH 1.0

RequestRequest Token

GrantRequest Token

Direct User to Service Obtain Authorization

Direct to ConsumerRequest

Access Token

GrantAccess Token

AccessResources

Consumer Service Provider

OAUTH 1.0A

Android: Signpost <3github.com/mttkay/signpost

OAUTH 2.0

Direct User to Service Obtain Authorization

RequestAccess Token

GrantAccess Token

Direct to ConsumerAccess

Resources / Profile

Consumer Service Provider

URL url = new URL(”http://url.com/”);

HttpURLConnection urlConnection =

(HttpURLConnection) url.openConnection();

setRequestProperty(”Authorization”, ”Bearer …”);

HTTP Header

“url.com/oauth?access_token=…”

URI parameter

Android

Scribegithub.com/fernandezpablo85/scribe

PostmanLibgithub.com/fedepaol/PostmanLib--

Rings-Twice--Android

OAuth 2.0 and

the Road to

Hellhueniverse.com/2012/07/oauth-2-0-and-the-

road-to-hell

Identity Techniques

- OpenID

- OpenID Connect

- Persona

Identity

ProvidersSocial vs. Concrete

Do we always use

the same identity?

Should we always

use the same

identity?

Name

Email

Date of Birth

LocaleTime Zone

Address

Gender

Language

Phone Number

Creation Date

What’s Next?Bluetooth Smart and

Co.

Securitymatters to users anddevelopers

Differenceauthentication and authorization

User Experienceshould be enhanced not impaired

BATTLEHACK ’14

BERLIN: JUNE 21ST & 22ND

WARSAW: JULY 12TH & 13TH

LONDON: OCTOBER 11TH & 12TH

MOSCOW: OCTOBER 25TH & 26TH

BATTLEHACK.ORG

Questions?

tmesserschmidt@paypal.com

@SeraAndroid

slideshare.com/paypal