A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Redesigning Password Authentication for the Modern Web - Cliff Smith (ShowMeCon 2019) (Hacking Illustrated Series InfoSec Tutorial Videos)

Redesigning Password Authentication for the Modern Web
Cliff Smith

ShowMeCon 2019

We all know passwords are a major pain point for the security industry. But the biggest problem isn't password reuse, Password123! or users who fall for a phish too easily. It;s that the current design of password authentication in the browser is fundamentally flawed. Asking users to submit their passwords in the body of POST requests may have made sense back in the early days of the Web, but not anymore. Between flaws in the transport layer, malicious JavaScript and phishing websites, it is simply too risky to transmit passwords into the DOM and through HTTP, and neither multifactor authentication nor federated identity management solves these problems. But we can do better: all we need to do is deploy some well-established crypto and rethink how we prove and verify possession of a password. This talk will describe and demonstrate a redesign of browser-based password authentication that adds phishing resistance and protects against man-in-the-middle attackers while training users on good security habits.

Bio: Cliff Smith is an Ethical Hacker at Parameter Security in St. Charles, MO. He wrote his first lines of code more than 20 years ago on a TI-99/4A. Today, he breaks web and mobile applications for a living at Parameter. His work experience includes penetration testing, secure code reviews, compliance audits, web application development, system administration, and law practice for a mid-sized firm in St. Louis.

Back to ShowMeCon 2019 video list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast