DEATH TO PASSWORDS
LONG LIVE SECURITY
Tim Messerschmidt / @SeraAndroiD
Droidcon Berlin ‘14
DO YOU BELIEVE
IN SECURITY?
A STORY ABOUT
PASSWORDS
wiki.skullsecurity.org/Passwords
4.7% of users use the password "password"
8.5% use "password" or "123456"
9.8% use "password", "123456" or "12345678"
... And it doesn’t even stop here
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
Death To Passwords Droid Edition
2013
cbsnews.com/news/the-25-most-common-passwords-of-2013/
1. 123456 (up 1)
2. Password (down 1)
3. 12345678
4. Qwerty (up 1)
5. Abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. Iloveyou (up 2)
10. Adobe123 (new)
11. 123123 (up 5)
12. Admin (new)
13. 1234567890 (new)
14. Letmein (down 7)
15. Photoshop (new)
16. 1234 (new)
17. Monkey (down 11)
18. Shadow
19. Sunshine (down 5)
20. 12345 (new)
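A list like this is only useful if the registration form actually checks against it. The following is an added example, not code from the deck: a check that rejects a candidate password when it, or the candidate with a trailing run of digits or punctuation removed, matches a common-password list after case-folding, so "Password1" or "Monkey1!" do not slip past a list that contains "password" and "monkey". The list is the twenty entries quoted above; the minimum length and the stripping rule are assumptions made for the example.

```python
"""Reject candidate passwords that match a published most-common-passwords list."""
import re
from typing import Iterable, Set, Tuple

# The twenty entries of the 2013 list quoted above (sample data for the example).
TOP_PASSWORDS_2013 = [
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop", "1234", "monkey", "shadow",
    "sunshine", "12345",
]

MIN_LENGTH = 8  # policy choice for this example, not from the deck


def normalise(password: str) -> str:
    """Case-fold and trim so 'Password' and 'password' compare equal."""
    return password.strip().casefold()


def lookup_forms(password: str) -> Set[str]:
    """The normalised password plus the same string with a trailing run of digits or
    punctuation removed, so 'Monkey1!' is caught by the list entry 'monkey'."""
    p = normalise(password)
    stripped = re.sub(r"[\d\W_]+$", "", p)
    return {p, stripped} if stripped else {p}


def check_password(password: str,
                   blocklist: Iterable[str] = TOP_PASSWORDS_2013) -> Tuple[bool, str]:
    """Return (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    blocked = {normalise(entry) for entry in blocklist}
    hits = lookup_forms(password) & blocked
    if hits:
        return False, f"matches common password {sorted(hits)[0]!r}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1", "Monkey1!", "1234567", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate))
```

In production the list would be the full published set (thousands of entries) loaded from a file rather than an inline literal; the normalisation is what matters, because an exact-match lookup against a lowercase list lets every capitalised or digit-suffixed variant through.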
My learnings from this trend
- People HATE monkeys
- People are more depressed
- Adobe is very popular
3 Password Problems
- Reused
- Phished
- Keylogged
abstrusegoose.com/296
abstrusegoose.com/262
xkcd.com/936
Favor security too much over
the experience and you’ll make
the website a pain to use.
Basic Authentication
Authorization: Basic base64(username:password)
Base64 is encoding, not encryption: the credential travels with every request and is only as protected as the TLS connection carrying it.
Storing Passwords
SQLCipher & KeyChain
SO WHAT?
People forget passwords…
45% admit to leaving a website instead of resetting their password or answering security questions *
* Blue Inc. 2011
Also they hate to register
Out of 657 surveyed users 66% think that
social sign-in is a desirable alternative. *
* Blue Inc. 2011
heartbleed.com
heartbleed.agilebits.com
SO WHAT CAN WE DO
INSTEAD?
PASSWORDLESS
AUTHENTICATION
MEDIUM.COM/CYBER-SECURITY/9ED56D483EB
TWO FACTOR AUTH
TWOFACTORAUTH.ORG
Authentication vs. Authorization
Authentication proves who the user is; authorization grants a client limited access on the user's behalf. OAuth solves the second problem, not the first.
OAUTH 1.0
Consumer and Service Provider:
1. Consumer: request a Request Token
2. Service Provider: grant the Request Token
3. Consumer: direct the User to the Service Provider to obtain authorization
4. Service Provider: direct the User back to the Consumer
5. Consumer: request an Access Token
6. Service Provider: grant the Access Token
7. Consumer: access protected resources
OAUTH 1.0A
The 1.0a revision closes the session fixation attack on the 1.0 flow: the callback is sent with the request-token request, and the Service Provider hands the User an oauth_verifier that the Consumer must present when exchanging the Request Token for an Access Token.
Android: Signpost <3
github.com/mttkay/signpost
OAUTH 2.0
1. Consumer: direct the User to the Service Provider to obtain authorization
2. Service Provider: direct the User back to the Consumer
3. Consumer: request an Access Token
4. Service Provider: grant the Access Token
5. Consumer: access resources / profile
    // Bearer tokens must only ever be sent over TLS (RFC 6750); https, not http.
    URL url = new URL("https://url.com/");
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
    urlConnection.setRequestProperty("Authorization", "Bearer …");
HTTP Header (the recommended place for the token)
    "url.com/oauth?access_token=…"
URI parameter (works, but the token ends up in server logs, proxy logs, browser history and Referer headers)
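Why the header is the better place: anything in the URI is written to access logs and proxy logs and is sent in the Referer header of every resource the page loads afterwards. The following is an added example, not code from the deck: a scanner that runs over constructed access-log lines (Apache/nginx combined format is assumed), flags bearer tokens that leaked into the request URI or the Referer, and redacts them so the lines can still be kept. The token parameter names and the log lines are assumptions.

```python
"""Find OAuth 2.0 bearer tokens that leaked into URLs by scanning access-log lines."""
import re
from urllib.parse import parse_qs, urlsplit

TOKEN_PARAMS = ("access_token", "oauth_token", "token")  # assumed names to look for

# Constructed sample access-log lines (combined log format); tokens are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2014:10:01:12 +0200] "GET /api/me?access_token=ya29.AbCdEf HTTP/1.1" 200 512 "-" "okhttp/1.5"
10.0.0.5 - - [10/Jun/2014:10:01:13 +0200] "GET /api/me HTTP/1.1" 200 512 "-" "okhttp/1.5"
10.0.0.7 - - [10/Jun/2014:10:02:40 +0200] "GET /img/logo.png HTTP/1.1" 200 9000 "https://app.example.com/cb?access_token=ya29.ZzYyXx&state=1" "Mozilla/5.0"
10.0.0.9 - - [10/Jun/2014:10:03:01 +0200] "POST /oauth/token HTTP/1.1" 200 300 "-" "curl/7.35"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REDACT_RE = re.compile(r"([?&](?:%s)=)[^&#\s]*" % "|".join(TOKEN_PARAMS))


def tokens_in_url(url):
    """Return {param: value} for every token-bearing query parameter in url."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items() if k in TOKEN_PARAMS}


def redact(url):
    """Replace token values with [REDACTED] so the line can be retained safely."""
    return REDACT_RE.sub(r"\1[REDACTED]", url)


def find_leaks(log_text):
    """Return (line_no, field, param, value) for each token found in the request
    target or the Referer of a parsed line; unparseable lines are skipped."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("target", "referer"):
            for param, value in tokens_in_url(m.group(field)).items():
                findings.append((n, field, param, value))
    return findings


if __name__ == "__main__":
    for n, field, param, value in find_leaks(SAMPLE_LOG):
        print(f"line {n}: {param} leaked via {field}: {value[:6]}...")
    print(redact("/api/me?access_token=ya29.AbCdEf&x=1"))
```

Line 3 is the case developers forget: the token was placed on the app's own callback URL, and the browser then handed it to whichever host served the next image. A token found by a scan like this should be treated as compromised and revoked, not just redacted.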
Android
Scribe: github.com/fernandezpablo85/scribe
PostmanLib: github.com/fedepaol/PostmanLib--Rings-Twice--Android
OAuth 2.0 and the
Road to Hell
hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell
Identity Techniques
- OpenID
- OpenID Connect
- Persona
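OpenID Connect is the one of the three that sits on top of OAuth 2.0: it adds an ID token whose identity claims the relying party may only trust after checking the signature, issuer, audience, expiry and the nonce it sent. The following is an added example, not code from the deck or from any provider's library: the relying-party validation in Python, with an HS256-signed token constructed inline so it runs offline. Real providers normally sign with RS256 and publish their keys as a JWK set, which this example does not cover; the issuer URL, client id, key and claims are made up.

```python
"""Validate an OpenID Connect ID token before trusting its identity claims."""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side, for the example only: mint an HS256 JWT over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class InvalidIDToken(Exception):
    pass


def validate_id_token(token, key, issuer, client_id, nonce, now=None, leeway=60):
    """Relying-party side: signature first, then iss / aud / azp / exp / iat / nonce
    (the checks listed in OpenID Connect Core section 3.1.3.7). Returns the claims."""
    now = now if now is not None else int(time.time())
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise InvalidIDToken("malformed token") from None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":            # pin the algorithm; never accept "none"
        raise InvalidIDToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise InvalidIDToken("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise InvalidIDToken("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:                    # a token minted for another app is not ours
        raise InvalidIDToken("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise InvalidIDToken("azp missing or not this client")
    if claims.get("exp", 0) + leeway < now:
        raise InvalidIDToken("expired")
    if claims.get("iat", 0) - leeway > now:
        raise InvalidIDToken("issued in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise InvalidIDToken("nonce mismatch (possible replay)")
    return claims


if __name__ == "__main__":
    key = b"shared-secret-for-the-example"      # constructed
    claims = {"iss": "https://idp.example.com", "sub": "user-42", "aud": "droid-app",
              "exp": 1402400600, "iat": 1402400000, "nonce": "n-0S6_WzA2Mj"}
    token = sign_hs256(claims, key)
    print(validate_id_token(token, key, "https://idp.example.com", "droid-app",
                            "n-0S6_WzA2Mj", now=1402400100)["sub"])
```

The audience check is the one that separates "someone has a valid token from this provider" from "this provider vouches for this user to my app"; skipping it is exactly the authentication-by-access-token mistake that the authorization-versus-authentication distinction above warns about.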
Identity Providers
Social vs. Concrete
Do we always use the same
identity?
Should we always use the
same identity?
Name
Email
Date of Birth
Locale
Time Zone
Address
Gender
Language
Phone Number
Creation Date
What’s Next?
Bluetooth Smart and Co.
Security matters to users and developers
Difference between authentication and authorization
User Experience should be enhanced, not impaired
BATTLEHACK ’14
BERLIN: JUNE 21ST & 22ND
WARSAW: JULY 12TH & 13TH
LONDON: OCTOBER 11TH & 12TH
MOSCOW: OCTOBER 25TH & 26TH
BATTLEHACK.ORG
Questions?
tmesserschmidt@paypal.com
@SeraAndroid
slideshare.com/paypal