Passwords

A lightning talk about password security

Gregor Schmidt / rug-b / 2016-04-07

About me

Freelance Ruby and JavaScript developer


Go to nach-vorne.eu for details.

About

Helping the user to choose adequate passwords

Not About

Storing passwords securely

see How to Safely Store Your Users' Passwords in 2016

Inspired by a blog post titled

Stop forcing your arbitrary password rules on me.

by Ryan Winchester

Replace this

Your password must be at least 8 characters including one uppercase letter, one number, 3 Emojis & the first verse of Bohemian Rhapsody.

With this

Algorithms determining the amount of time it takes to actually crack a password using brute-force-like approaches

Classic
password requirements
lead to

  • passwords that are difficult to memorize
  • simple passwords with 1Aa. attached

How to compute password strength

zxcvbn
A realistic password strength estimator.

ZXCVBN computes

  • estimated guesses needed to crack password
  • crack time estimations based on different scenarios
  • score from 0 (too risky) to 4 (very unguessable)

Available in all languages

Originally published in JavaScript, there are now ports to the most popular programming languages and plugins for various frameworks.

... including two Ruby ports [1] [2] and a Devise [3] plugin.

Result



Client-side feedback backed by server-side validations
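The guesses-to-crack-time-to-score pipeline described on the previous slides, with a server-side check on top, as an added Ruby example (not code from the talk or from zxcvbn itself; the word list and its ranks are constructed, the scenario rates and score thresholds follow zxcvbn's defaults):

```ruby
# Added example, not code from the talk or from zxcvbn itself: a toy
# estimator that only handles ranked dictionary words plus brute force
# (real zxcvbn also matches l33t, dates, keyboard walks, repeats, ...).

# Constructed word list; ranks are invented (zxcvbn ships tens of thousands).
RANKED_WORDS = {
  'password' => 1, '123456' => 2, 'qwerty' => 5, 'letmein' => 9,
  'correct' => 1200, 'horse' => 900, 'battery' => 3500, 'staple' => 7000
}.freeze

# Guesses per second for zxcvbn's four attack scenarios.
SCENARIOS = {
  online_throttling_100_per_hour: 100.0 / 3600,
  online_no_throttling_10_per_second: 10.0,
  offline_slow_hashing_1e4_per_second: 1e4,
  offline_fast_hashing_1e10_per_second: 1e10
}.freeze

# Greedy segmentation: longest dictionary word wins; every unmatched
# character costs a factor of 10 (zxcvbn's brute-force cardinality).
def estimate_guesses(password)
  guesses = 1
  i = 0
  while i < password.length
    word = RANKED_WORDS.keys.select { |w| password[i, w.length].downcase == w }.max_by(&:length)
    if word
      # A capitalised dictionary word doubles the guesses, as in zxcvbn.
      guesses *= RANKED_WORDS[word] * (password[i, word.length] == word ? 1 : 2)
      i += word.length
    else
      guesses *= 10
      i += 1
    end
  end
  guesses
end

def crack_times(guesses)
  SCENARIOS.transform_values { |rate| guesses / rate }
end

# zxcvbn's guesses_to_score thresholds (the +5 absorbs rounding noise).
def score(guesses)
  [1e3, 1e6, 1e8, 1e10].index { |limit| guesses < limit + 5 } || 4
end

# Server-side check: reject anything below min_score regardless of the client.
def acceptable?(password, min_score: 3)
  score(estimate_guesses(password)) >= min_score
end
```

With this estimator "Password1!" yields 200 guesses (score 0) while "correcthorsebatterystaple" yields about 2.6e13 (score 4), which is the point of the previous slides: the rule-shaped password is the weak one.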

Personal wish

Death to all password requirements!

Remove requirements

Help users make good password choices
if they want to.

You know what's even better?

No passwords!

Alternatives

OAuth

if your service is tightly coupled to an external service

Alternatives

Email

"password reset" all the time

Thanks

The slides are available at

nach-vorne.eu/talks/passwords