kill all passwords

Kill all Passwords

Jonathan LeBlanc (@jcleblanc) Head of Global Developer Advocacy at PayPal + Braintree

Why do we need this?

Passwords are awesome!

twitter: @jcleblanc | hashtag: #ConvergeSE

1.  123456 2.  password 3.  12345678 4.  qwerty 5.  abc123 6.  123456789 7.  111111 8.  1234567 9.  iloveyou 10. adobe123

11. 123123 12. admin 13. 1234567890 14. letmein 15. photoshop 16. 1234 17. monkey 18. shadow 19. sunshine 20. 12345

Top Passwords of 2014


4.7% of users have the password password;

8.5% have the passwords password or 123456;

9.8% have the passwords password, 123456 or 12345678;

14% have a password from the top 10 passwords




Poor Password Choices



The Weakest Link

The Key Issues


People Forget Passwords


Security over Usability


Replacing the Concept of a Username and Password

Securing Current Methods


Bad Security Algorithms

MD5, SHA-1, SHA-2, SHA-3


Good Security Algorithms

PBKDF2, BCRYPT, SCRYPT



Key Stretching

Scaling Authentication



Establishing Trust Zones

Location Awareness

Habit Awareness

Browser Uniqueness

Device Fingerprinting

There’s more to it



Variable Authentication


Usability vs Security

Use Another Site Login Mixed OAuth 2 / OpenID Connect for auth Roll Your Own Username / Password Fingerprint Scanning

State of Developer Auth



What Happened to OAuth 1.0a?


Security Concerns with OAuth 2 / OpenID Connect

Identity Biometrics


False negative: Valid user can’t log in False positive: Invalid user can log in

False Positive /

Negative Rates


The FIDO Alliance http://fidoalliance.org/



The Future of Secure Identity & Data Encryption

Thank You! slideshare.net/jcleblanc

Jonathan LeBlanc (@jcleblanc) Head of Global Developer Advocacy at PayPal + Braintree

kill all passwords

Technology