Advertisement

Dissuading Stolen Password Reuse

  • Slim TrabelsiEmail author
  • Chedy MissaouiEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11263)

Abstract

The whole security community agreed on the fact that login and password based authentication systems are one of the weakest point of the current systems. Despite this global consensus password based credentials are still the most used identification and authentication method used on internet. One of the main reason for this weakness is due to the password leak phenomena. For several reasons (described in this paper) password databases are frequently leaked and shared publicly. Once these passwords it will be very hard for a user to protect his digital life, especially if this password is used in several websites (what we call domino effect). In this paper we propose a solution to reduce the attempts for replaying stolen passwords. We measure the efficiency of this solution via a deployment and the analysis on a fake website exposed to a fake password leak.

Keywords

Passwords Leakage Hacking Cyber security Authentication 

Notes

Acknowledgement

This work was partly supported by EU-funded H2020 project C3ISP [grand no. 700294].

References

  1. 1.
  2. 2.
    Database of 1.4 Billion Credentials Found on Dark Web. https://www.securityweek.com/database-14-billion-credentials-found-dark-web
  3. 3.
    How APPLE and AMAZON Security Flaws Led to My Epic Hacking. https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
  4. 4.
    LinkedIn Lost 167 Million Account Credentials in Data Breach. http://fortune.com/2016/05/18/linkedin-data-breach-email-password/
  5. 5.
    Passwords for 32M Twitter accounts may have been hacked and leaked. https://techcrunch.com/2016/06/08/twitter-hack/
  6. 6.
  7. 7.
    63% of Data Breaches Result from Weak or Stolen Passwords. http://info.idagent.com/blog/63-of-data-breaches-result-from-weak-or-stolen-passwords
  8. 8.
    Ives, B., Walsh, K.R., Schneider, H.: The domino effect of password reuse. Commun. ACM 47(4), 75–78 (2004).  https://doi.org/10.1145/975817.975820CrossRefGoogle Scholar
  9. 9.
  10. 10.
  11. 11.
    Herley, C., Van Oorschot, P.: A research agenda acknowledging the persistence of passwords. IEEE Secur. Priv. 10(1), 28–36 (2012).  https://doi.org/10.1109/msp.2011.150CrossRefGoogle Scholar
  12. 12.
    Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: NDSS, vol. 14, pp. 23–26, February 2014Google Scholar
  13. 13.
    Akiyama, M., Yagi, T., Aoki, K., Hariu, T., Kadobayashi, Y.: Active credential leakage for observing web-based attack cycle. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 223–243. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-41284-4_12CrossRefGoogle Scholar
  14. 14.
    Claycomb, W.R., Nicoll, A.: Insider threats to cloud computing: directions for new research challenges. In: 2012 IEEE 36th Annual Computer Software and Applications Conference (COMPSAC), pp. 387–394. IEEE (2012)Google Scholar
  15. 15.
    Thomas, K., et al.: Data breaches, phishing, or malware?: understanding the risks of stolen credentials. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1421–1434. ACM, October 2017Google Scholar
  16. 16.
    Dasgupta, D., Roy, A., Nag, A.: Multi-factor authentication. In: Dasgupta, D., Roy, A., Nag, A. (eds.) Advances in User Authentication. Springer, Cham, 185–233 (2017).  https://doi.org/10.1007/978-3-319-58808-7_5CrossRefGoogle Scholar
  17. 17.
    Sun, H.M., Chen, Y.H., Lin, Y.H.: oPass: a user authentication protocol resistant to password stealing and password reuse attacks. IEEE Trans. Inf. Forensics Secur. 7(2), 651–663 (2012)CrossRefGoogle Scholar
  18. 18.
    Kontaxis, G., Athanasopoulos, E., Portokalidis, G., Keromytis, A.D.: SAuth: protecting user accounts from password database leaks. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 187–198. ACM, November 2013Google Scholar
  19. 19.
    Schneier, B.: Attacking tor: how the NSA targets users’ online anonymity. The Guardian, vol. 4 (2013)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.SAP Security ResearchMouginsFrance
  2. 2.Tessan GroupTunisTunisia

Personalised recommendations