JSFoo 2013

All about being creative with JavaScript

Killing passwords with JavaScript

Submitted by Francois Marier (@fmarier) on Monday, 22 July 2013

Section: Full talk
Technical level: Intermediate
Status: Confirmed & Scheduled


Attendees will understand why asking users for passwords is a bad idea and they will learn the basics of the BrowserID protocol so that they can take advantage of Persona on their own sites or webapps.


The year is 2013. Sites are getting owned left and right. Password databases are leaked for the lulz. You look at the hashed passwords in your database and hope your site's not gonna be next.

As with most other problems on the web, the answer, it turns out, is JavaScript. As a wise man once said: "When in doubt, always bet on JavaScript."

Mozilla is working on a new cross-browser login system for the web that's built entirely in JavaScript. Powered by node.js on the backend, it pushes most of the crypto to the browser in order to create a secure and privacy-respecting experience.

All you need to get started is an email address and a handful of JavaScript. No passwords to hash, no confirmation emails to send, nothing to install. Welcome to the future.

Speaker bio

François is a software engineer on the Mozilla Identity team where he fights for the open Web by building alternatives to centralised proprietary silos.

A long time Debian developer, François has been involved in Open Source for over 10 years and regularly contributes to several projects. He also volunteers for the Free Software Foundation and leads the development of Libravatar.org.



  • Francois Marier (@fmarier) Proposer 6 years ago (edited 6 years ago)

    Persona is in production and is already used by many sites (see for example https://www.voo.st/ or http://sloblog.io).

    It works on all modern browsers both on desktop and mobile (basically IE8 and up) and there are also lots of 3rd-party plugins and libraries for various frameworks and languages.

    • Pocha (@pocha-codelearn) 6 years ago

      Nice :). Thanks for the links. Would really love to see this in action at JSFoo.

      • Pocha (@pocha-codelearn) 6 years ago

        Btw, I tried deploying https://github.com/ringe/devise-browserid/ in a Rails app with devise. It did not work. Is there something (external) I am missing in it? It shows the error ‘uninitialized constant Warden::BrowserId’ at the place where I have included ‘<%= browserid_include_tag %>’

        I understand you might not be a Rails guy but thought no harm in asking :).

        • Francois Marier (@fmarier) Proposer 6 years ago

          I’ve unfortunately never used that particular plugin, so I’d recommend you contact the author directly :)

  • Pocha (@pocha-codelearn) 6 years ago

    Can you mention the current state of the technology? Is this acceptable across most of the modern browsers? I have not seen any of the popular sites implementing this. Care to put up an example site?

  • Suroor Wijdan (@suroorwijdan) 6 years ago

    Is it production ready for large scale apps including enterprise?

  • Om Shankar (@omshiv) 6 years ago (edited 6 years ago)

    This is amazing.

    I always wondered whatever happened to Mozilla Personas.
    Looking forward.
