Måndag 19 Nov

PasswordsCon – we know your next password, part 1 Arrangör PasswordsCon

Users have to deal with the wide diversity of password requirements when creating passwords for their user accounts at Internet services. In this talk, I present the first investigation of password requirements on a global scale by analyzing 185,696 services. Second, I present a security analysis of the requirements with respect to offline brute-force attacks. Third, I present an optimal password-composition rule for password generators to cope with the wide diversity of password requirements. Altogether, the password-composition rule leads to secure passwords, a better user experience, and finally helps users to create proper passwords for their user accounts.

Most modern authentication systems have requirements for passwords beyond just the length. Password managers must be able to generate passwords that both meet these requirements and maintain a maximum level of entropy without causing their users confusion or frustration. Ideally, the generator could select characters completely at random from a set of allowed characters, but this approach will often yield passwords that do not conform to the system’s requirements. I’ll discuss possible solutions to this problem, which solution we chose at 1Password, and the entropy calculation algorithm that made that decision possible.

At KRY, we have helped hundreds of thousands of patients with a wide range of medical problems. Part of our vision is to create a modern, secure and usable experience with the patient in focus. When launching in countries without well established e-identity solutions we were faced with the problem of balancing multiple factors to create a suitable authentication scheme. This is the story of that process: what constraints and factors played part, which scenarios were considered, what we came up with and how well it has worked in practice.

Every day, attackers exploit password reuse to breach accounts, costing users and service providers dearly. Conventional wisdom blames users for choosing and reusing easily cracked passwords. However, a complete analysis of the password reuse ecosystem reveals a convoluted situation. While it's true that users poorly understand the risks of reusing passwords, nonsensical password composition policies and confusing notifications further sustain the problem.

This talk argues that reducing password reuse requires solutions going far beyond telling users to not reuse passwords. Reflecting on insights from user studies and qualitative research, I present best practices for designing password-reuse notifications and pose criteria for any potential solutions hoping to ameliorate password reuse.

Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs just to convince computers we're human. All of this in an attempt to identify a user we will probably never personally know. It's a fascinating challenge and we're up to the task!

This talk will walk through new channels for identity management beyond email and SMS. Encrypted messaging apps like WhatsApp broaden our options for delivering tokens and secure communications but lack the seamless user experience of Push Authentication or the offline benefits of TOTP. We'll dive into the tradeoffs for these approaches and help you choose the approach that will best protect you and your customers from signup to account recovery.