The problem with passwords on the web and what to do about it
•
0 likes•1,075 views
Handling user passwords safely is hard, but replacing passwords on the web in a reasonable way is even harder. Really, this should have been in the browser all along. This is where Persona comes in.
Report
Share
Related slideshows
The problem with passwords on the web and what to do about it
- 1. François Marier – @fmarier The problem with passwords on the web and what to do about it
- 2. passwords
- 3. problem #1: passwords are hard to secure
- 14. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 15. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 16. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 17. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 18. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery
- 19. bcrypt / scrypt / pbkdf2 per-user salt site secret password & lockout policies secure recovery 2013 2013 password password guidelines guidelines
- 20. passwords are hard to secure they are a liability
- 21. ALTER TABLE user DROP COLUMN password;
- 22. problem #2: passwords are hard to remember
- 25. pick an easy password
- 26. pick an easy password use it everywhere
- 27. passwords are hard to remember they need to be reset
- 30. social login
- 31. “People want a little dating before marriage.” Eric Vishria – Rockmelt
- 33. decentralized
- 37. privacy®
- 38. existing login systems are not good enough
- 39. ideal web-wide identity system
- 44. how does it work?
- 47. Persona is already a decentralized system
- 48. decentralization is the answer, but it's not a product adoption strategy
- 49. we can't wait for all domains to adopt Persona
- 50. we can't wait for all domains to adopt Persona solution: a temporary centralized fallback
- 52. Persona already works with all email domains
- 58. Persona supports all modern browsers >= 8
- 59. Persona is decentralized, simple and cross-browser
- 60. it's simple for users, but is it also simple for developers?
- 61. 1. load javascript library
- 62. 1. load javascript library 2. setup login & logout callbacks
- 63. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons
- 64. 1. load javascript library 2. setup login & logout callbacks 3. add login and logout buttons 4. verify proof of ownership
- 65. you can add support for Persona in four easy steps
- 68. building a new site: default to Persona
- 69. working on an existing site/app: add support for Persona
- 71. we need your help to eliminate site-specific passwords
- 72. To learn more about Persona: https://login.persona.org/ http://identity.mozilla.com/ https://developer.mozilla.org/docs/Persona/Why_Persona https://developer.mozilla.org/docs/Persona/Quick_Setup https://github.com/mozilla/browserid-cookbook https://developer.mozilla.org/docs/Persona/Libraries_and_plugins http://123done.org/ https://wiki.mozilla.org/Identity#Get_Involved @fmarier http://fmarier.org
- 73. identity provider API https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" }
- 74. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 75. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 76. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 77. https://eyedee.me/.well-known/browserid: { "public-key": { "algorithm":"RS", "n":"8606...", "e":"65537" }, "authentication": "/browserid/sign_in.html", "provisioning": "/browserid/provision.html" } identity provider API
- 78. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 79. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 80. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 81. identity provider API 1. check for your /.well-known/browserid 2. try the provisioning endpoint 3. show the authentication page 4. call the provisioning endpoint again
- 82. © 2013 François Marier <francois@mozilla.com> This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 New Zealand License. Hotel doorman: https://secure.flickr.com/photos/wildlife_encounters/8024166802/ Top 500 passwords: http://xato.net/passwords/more-top-worst-passwords/ Parchment: https://secure.flickr.com/photos/27613359@N03/6750396225/ Uncle Sam: https://secure.flickr.com/photos/donkeyhotey/5666065982/ Restaurant dinner: https://secure.flickr.com/photos/yourdon/3977084094/ Stop sign: https://secure.flickr.com/photos/artbystevejohnson/6673406227/ Photo credits: