Passwords suck Nico Smit November 2014
“The million passwords dilemma:” Just as having a million keys sucks, so does having a million usernames and passwords
“The million passwords dilemma:” We are developers; we make life better and more efficient. If something is a drag, a developer finds a way to optimize it
“The million passwords dilemma:” We are supposed to come up with better solutions/alternatives to the million passwords dilemma
Some possible solutions to consider
Option 1: Globally recognized “proxy” login accounts
Option 1: Log in with Google Log in with Facebook Log in with Twitter Etc.
Option 1: Pros: Everyone already has one of these accounts, so setup is already complete. APIs and functionality already exist
Option 1: Cons: Granting a website access through one of these accounts also exposes your personal information to the website you log in to.
Option 1: We as developers should push universal logins on the websites we develop as far as possible, where it makes sense
Option 2: Assume someone's email address and inbox are secure
Option 2: It's 2014; emails and mailboxes should be secure: hidden behind a username and password, encrypted connections, etc.
Option 2: So, assuming the inbox is secure, we can send any sensitive information we want to the inbox (usernames, passwords, URLs, etc.)
“The encrypted url auto login”
The encrypted url auto login : (1) Build a JSON object containing the username, password, action to commit, page to redirect to afterwards, etc.
The encrypted url auto login : (2) Encrypt the JSON object (as a string) with two-way (symmetric) encryption
The encrypted url auto login : (3) Build a receiver for the encrypted string on the website: catch it as a variable from the URL, decrypt it, do the awesomeness
The encrypted url auto login : (4) End result: Example.com?auto=df7gwgh7gfpsh
Option 2: Pros: Never log in again, forget your password. Perform any action on the website from a URL click
Option 2: Cons: People can hack into your account… (and everything else… so what?) Must have your email open on your device
Option 3: Assume someone’s PC desktop is secure
Option 3: Build an actual “key” to actually unlock websites
“Website keys”
Option 3: An actual XML file on your computer dashboard. The XML file contains username, password, address, name, surname, etc.
Option 3: Drag the “key” into the login area on the website to log in. Option to allow registration with the key as well
Option 3: After registering on a website, have the option to “download your key for xxxxx”
Option 3: A universal standard will have to be implemented for “website keys”
Option 3: Stack ‘em up: have a folder on your dashboard full of keys. Or password-protect the folder…
Option 3: Pros: Drag and drop. Your mother could understand it
Option 3: Cons: Do you really want all your passwords lying on your PC dashboard?
Option 4: Create an online “password vault” for everything
Option 4: Implement an accessible API
Option 4: Pure in-browser example: At login, a button that says “Get details from password vault” - click
Option 4: Pure in-browser example: Opens in a new tab, redirects to the password vault with the current domain name attached (?site=randomsite.com)
Option 4: Pure in-browser example: Email and password login to the password vault. Immediately shows the username and password for the site
Option 4: Mobile phone example: At login, show QR code to scan: “Get details from password vault”
Option 4: Mobile phone example: Phone goes to the password vault with the current domain name attached (?site=randomsite.com)
Option 4: Mobile phone example: Email and password login to the password vault
Option 4: Mobile phone example: Immediately shows the username and password for the site
Option 4: One time pin solution: Instead of the password vault showing the username and password, let it generate a one-time pin, valid for one minute
Option 4: One time pin solution: The website where the user is trying to log in has a textbox to fill in the one-time pin: “Log in with password vault one time pin”
Option 4: One time pin solution: Submit does an API call to the password vault; if it succeeds, logs the user in
Option 4: Pros: Everything in the browser. Device independent
Option 4: Cons: Getting the whole world to buy into the idea of “one password vault”
Questions? Criticisms? Rotten tomatoes??