we are going to kill passwords. - oneconference · is this going to work? • passwords are...

We are going to kill passwords. Koen Sandbrink One Conference 2019

Upload: others

Post on 26-Jun-2020

1 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

We are going to kill passwords.

Koen Sandbrink

One Conference 2019

Page 2: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

CC-BY-SA Iijjccoo / Wikimedia Commons

Page 3: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

Passwords• 4000 years old

• 4000 ways to fail

Page 4: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

Passwords• 4000 years old

• 4000 ways to fail

Page 5: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

CC-BY-SA Robert Lawton / Wikimedia Commons

Page 6: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

What is the problem?• Passwords are breached

• Passwords are phished

• Passwords are guessed

• Passwords are not user-friendly

Page 7: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

FIDO-allianc

FIDO Alliance

Page 8: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

FIDO Alliance• Universal Authentication Framework (UAF)

• Universal Second Factor (U2F)

• Client To Authenticator Protocol (CTAP)

• FIDO 2.0 →W3C Web Authentication

Page 9: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

How does it work?

Is this going to work?• Passwords are breached

• If public keys are leaked, there is no problem

• Passwords are phished

• WebAuthn authenticates domain; phishing doesn’t work

• Passwords are guessed

• Stealing private keys is not scalable

• Passwords are not user-friendly

• Tokens are user-friendly

Page 11: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

Single factor is not that bad anymore

Less secure More secure

Page 12: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

Is this perfect?• Lost tokens

• Weak biometrics

• Weak cryptography

• Wrong user actions

Page 13: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

The last three hurdles…• What are the administration costs?

• Who’s on first?

• Apple says yes?

Page 14: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

World domination plan• Track 1: create demand

• Track 2: create supply

Page 15: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

CC-BY-SA Iijjccoo / Wikimedia Commons

Page 16: We are going to kill passwords. - OneConference · Is this going to work? • Passwords are breached • If public keys are leaked, there is no problem • Passwords are phished •

[email protected]

english.ncsc.nl

Increasing the Security of Weak Passwords: the SPARTAN ...Secure passwords are difﬁcult for users to remember, and memorable passwords are often easy to guess. SPARse Two-dimensional

Passwords Issa

U.S. v. Auernheimer (Weev) Appeal Reply Brief: ICC-IDs Are Not "Passwords"

Text passwords Hazim Almuhimedi. Agenda How good are the passwords people are choosing? Human issues The Memorability and Security of Passwords Human

Passwords Are Everywhere! - Deer Run

Passwords are high value targets

Unit 3 Going places. Grammar Present Continuous Tense are going to are you getting to is anybody seeing is going with are you going I’m going to Xi’an

THE LOGIN SCREEN. ALL USERS ARE ASSIGNED PASSWORDS

How Users Choose and Reuse Passwords...strong passwords, we ﬁnd that: (1) a median user has 40 online accounts, (2) most passwords are very weak and could be brute-forced in a day

“Passwords are No Longer Sufficient” Brian Rivers University of Georgia

ANNUAL REPORT Delivering Reliable Financial Value · How to create secure, memorable passwords Strong passwords are essential for your protection. Learn how to create passwords that

Authentication II Going beyond passwords. Agenda Announcements Announcements Biometrics Biometrics Physical devices Physical devices General authentication

25/10/20151. Passwords are high value targets 2,000,000 passwords stolen from Facebook, Twitter and Google The Independent, 5 December 2013 Stolen Facebook

Password Cracking 2020 Didier Guillevic · Didier Guillevic Password Cracking - 2020 Summary - TL;DR 3 How passwords are stored How passwords are cracked 1. Brute force (short password,

Passwords and You CREATING AND MAINTAINING SECURE PASSWORDS

Using a Password Manager Are your passwords safe? Ryan Leavitt DoIT Security

Doing our best to thwart TLAs armed with ASICs …Verifying passwords for user authentication. Encrypting or signing ﬁles. In most situations where passwords are used, they are passed

ˆˇ˝˘ ˛˘ ˙ ˛˙ ˙ˆ ˜˚˛˜˝˚˙ ˚˛˛ ˘ ˆ˝˘ ˆ · 2021. 1. 13. · Recovery are tools for breaking passwords. ... • Tally ERP 9 Vault passwords. SETTING UP AND INITIAL

Passwords are like Underwear

WHERE ARE THEY GOING? Students are attending 86 different colleges in 25 different states 58% are going to Public Colleges or Universities 37% are going

P@$$w0rd Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work

Passwords that are Secure and Memorable

Module 4 Unit 10 Where Are You Going on Holiday. How are you going to get there? Where are you going on holiday? I m going to … I m going byplane America

Radical Relaunch. Where are we? Where are we going? How are we going to get there?

Security Awareness Passwords - Illinois.gov · 3 Passwords Password Cracking Find weak passwords Verify the use of good passwords Characters (complex) Estimated time to crack 7 15

Mark Shtern. Passwords are the most common authentication method They are inherently insecure

El Futuro Inmediato 1.I am going to play 2.You (s) are going to live 3.We are going to read 4.They are going to make 5.You (pl) are going to be 6.He is

See How It Was Done!If you are wondering how strong your current passwords are you can test them without going online and then modify them if they are not sufficiently strong: 1 Do

Where are we going and how are we going to get there?

Many, including vulnerable populations, are delaying ... · are uncomfortable going to a hospital are uncomfortable going to a dentist are uncomfortable going to chiropractor, physical

How Safe are Oracle Passwords? Quick Tip Session UGF9198 Troy Ligon

Kanishka_3D Passwords

Chapter 7 Passwords · users often neglect this. Therefore, passwords are one of the weakest links in the information-security chain. Passwords rely on secrecy. After a password is

GLENORIE SCHOOL BULLETIN · 2020. 4. 8. · Cyber-safety tips Safe passwords Encourage your child to set passwords that are easy to remember but hard to guess. The best passwords

VoIP Security - Methodology and Results - Black … Configuration • Default passwords Very common on Asterisk, as are easily guessable SIP passwords • Bad dial plan logic Dial