Passwords suck
Nico Smit
November 2014
“The million passwords dilemma:”
Just like having a million keys sucks,
having a million usernames and
passwords sucks too
“The million passwords dilemma:”
We are developers, we make life better
and more efficient
If something is a drag, a developer finds
a way to optimize it
“The million passwords dilemma:”
We are supposed to come up with
better solutions/alternatives to the
million passwords dilemma
Some possible solutions to consider
Option 1:
Globally recognized “proxy” login accounts
Option 1: Log in with Google
Log in with Facebook
Log in with Twitter
Etc.
Option 1: Pros
Everyone has one of these accounts,
so setup is complete
APIs and functionality already exist
Option 1: Cons
Granting access to a website through
these accounts also opens up your personal
information to the website you log in to.
Option 1: We as developers should be pushing
universal logins on websites we
develop as far as possible, when it
makes sense
Option 2:
Assume someone's email address and inbox is secure
Option 2: It's 2014: emails and mailboxes should
be secure, hidden behind a username
and password, encrypted connections,
etc.
Option 2: So assuming that the email inbox is
secure, we can send any sensitive
information to the email inbox we
want. (usernames, passwords, urls etc.)
“The encrypted url auto login”
The encrypted url auto login : (1) Build a JSON object containing
username, password, action to commit,
page to redirect to afterwards, etc.
The encrypted url auto login : (2) Encrypt the JSON object (string)
with two-way encryption
The encrypted url auto login : (3) Build a receiver for the encrypted
string on the website
Catch it as a variable from the URL
Decrypt it
Do the awesomeness
The encrypted url auto login : (4) End result:
Example.com?auto=df7gwgh7gfpsh
Option 2: Pros
Never log in again, forget your
password
Perform any action on website from
the url click
Option 2: Cons
People can hack into your email
account… (and everything else… so
what?)
Must have your email open on your
device
Option 3:
Assume someone’s PC desktop is secure
Option 3: Build an actual “key” that unlocks
websites
“Website keys”
Option 3: Actual XML file on your computer
dashboard
The XML file contains username,
password, address, name, surname etc.
Option 3: Drag the “key” into the login area on
website to log in
Option to allow registration with key as
well
Option 3: After registering on a website, have the
option to “download your key for
xxxxx”
Option 3: A universal standard will have to be
implemented for “website keys”
Option 3: Stack ‘em up. Have a folder on your
dashboard full of keys
Or password protect the folder…
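An added example, not from the slides, of what a “website key” could look like in code: the file written by “download your key for xxxxx” and the handler that reads it when the file is dropped on the login area. The slides leave the standard undefined, so the element names, the version attribute, the <site> element and the check that a key belongs to the current domain are all assumptions made here.

```javascript
// Added example, not from the original slides: a flat XML "website key",
// written on registration and read back on drop. The element names, the
// <site> element and the domain check are assumptions for this example.

// Fields the slides mention plus an assumed <site> so a key says whom it is for.
const KEY_FIELDS = ['site', 'username', 'password', 'name', 'surname', 'address'];

function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;',
  })[c]);
}

function unescapeXml(s) {
  return s.replace(/&(amp|lt|gt|quot|apos);/g, (_, name) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  })[name]);
}

// "Download your key for xxxxx": serialise the account details to the key format.
function buildWebsiteKey(details) {
  const body = KEY_FIELDS
    .filter(f => details[f] !== undefined)
    .map(f => `  <${f}>${escapeXml(details[f])}</${f}>`)
    .join('\n');
  return `<?xml version="1.0" encoding="UTF-8"?>\n<websiteKey version="1">\n${body}\n</websiteKey>\n`;
}

// Read a dropped key. Only the flat layout produced above is understood
// (predefined entities, no nesting); anything else is rejected, not guessed at.
function parseWebsiteKey(xmlText) {
  if (!/<websiteKey\b[^>]*>[\s\S]*<\/websiteKey>\s*$/.test(xmlText)) return null;
  const key = {};
  for (const f of KEY_FIELDS) {
    const m = xmlText.match(new RegExp(`<${f}>([^<]*)</${f}>`));
    if (m) key[f] = unescapeXml(m[1]);
  }
  if (!key.site || !key.username || !key.password) return null;
  return key;
}

// What the login area does on drop: fill the form only if the key was issued
// for this host, so a key for one site is not handed to a look-alike domain.
function loginFromKey(xmlText, currentHost) {
  const key = parseWebsiteKey(xmlText);
  if (!key) return { ok: false, reason: 'unreadable key' };
  if (key.site.toLowerCase() !== currentHost.toLowerCase()) {
    return { ok: false, reason: `key is for ${key.site}, not ${currentHost}` };
  }
  return { ok: true, username: key.username, password: key.password };
}

// Constructed sample: register, download the key, drop it back on the login area.
const sampleKey = buildWebsiteKey({
  site: 'example.com', username: 'nico', password: 'p<a&ss"w',
  name: 'Nico', surname: 'Smit', address: '1 Main Rd',
});
console.log(sampleKey);
console.log(loginFromKey(sampleKey, 'example.com'));
console.log(loginFromKey(sampleKey, 'examp1e.com'));
```

In a browser the drop handler would read the file with FileReader and pass its text to loginFromKey together with location.hostname; that wiring is left out so the block runs under Node.js.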
Option 3: Pros
Drag and drop
Your mother could understand it
Option 3: Cons
Do you really want all your
passwords lying on your PC
dashboard?
Option 4:
Create an online “password vault” for everything
Option 4: Implement accessible API
Option 4:
Pure in-browser example:
At login, button that says “Get details
from password vault” - click
Option 4:
Pure in-browser example:
Opens in a new tab, redirects to the
password vault with the current domain
name attached (?site=randomsite.com)
Option 4:
Pure in-browser example:
Email and password login to
password vault
Immediately shows username and
password for site
Option 4:
Mobile phone example:
At login, show QR code to scan: “Get
details from password vault”
Option 4:
Mobile phone example:
Phone goes to the password vault with
the current domain name attached
(?site=randomsite.com)
Option 4:
Mobile phone example:
Email and password login to
password vault
Option 4:
Mobile phone example:
Immediately shows username and
password for site
Option 4:
One time pin solution:
Instead of password vault showing
username and password, let it
generate a one time pin, valid for
one minute
Option 4:
One time pin solution:
Website where user is trying to log
in, has a textbox to fill in one time
pin. “Log in with password vault one
time pin”
Option 4:
One time pin solution:
Submit does API call to password
vault, if success, logs user in
Option 4: Pros
Everything in browser
Device independent
Option 4: Cons
Getting the whole world to buy into
the idea of “one password vault”
Questions?
Criticisms?
Rotten tomatoes??