We all know passwords are a major pain point for the security industry. But the biggest problem isn't password reuse, Password123! or users who fall for a phish too easily. It's that the current design of password authentication in the browser is fundamentally flawed. Asking users to submit their passwords in the body of POST requests may have made sense back in the early days of the Web, but not anymore. Between flaws in the transport layer, malicious JavaScript and phishing websites, it is simply too risky to transmit passwords into the DOM and through HTTP, and neither multifactor authentication nor federated identity management solves these problems. But we can do better: all we need to do is deploy some well-established crypto and rethink how we prove and verify possession of a password. This talk will describe and demonstrate a redesign of browser-based password authentication that adds phishing resistance and protects against man-in-the-middle attackers while training users on good security habits.

Bio: Cliff Smith is an Ethical Hacker at Parameter Security in St. Charles, MO. He wrote his first lines of code more than 20 years ago on a TI-99/4A. Today, he breaks web and mobile applications for a living at Parameter. His work experience includes penetration testing, secure code reviews, compliance audits, web application development, system administration, and law practice for a mid-sized firm in St. Louis.
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast