Abstract
The widespread usage of password authentication in online websites leads to an ever-increasing concern, especially when considering the possibility for an attacker to recover the user password by leveraging the loopholes in the password recovery mechanisms. Indeed, the adoption of a poor password management system by a website makes useless even the most robust password chosen by its users.
In this paper, we first provide an analysis of currently adopted password recovery mechanisms. Later, we model an attacker with a set of different capabilities, and we show how current password recovery mechanisms can be exploited in our attacker model. Then, we provide a thorough analysis of the password management of some of the Alexa’s top 200 websites in different countries, including England, France, Germany, Spain and Italy. Of these 1,000 websites, 722 do not require authentication—and hence are excluded from our study—, while out of the remaining 278 we focused on 174—since 104 demanded information we could not produce. Of these 174, almost 25% have critical vulnerabilities, while 44% have some form of vulnerability. Finally, we point out that, by considering the entry into force of the General Data Protection Regulation (GDPR) in May, 2018, most of websites are not compliant with the legislation and may incur in heavy fines. This study, other than being important on its own since it highlights some severe current vulnerabilities and proposes corresponding remedies, has the potential to have a relevant impact on the EU industrial ecosystem.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
2012 linkedin breach just got a lot worse: 117 million new logins for sale. https://threatpost.com/2012-linkedin-breach-just-got-a-lot-worse-117-million-new-logins-for-sale/118173/. Accessed June 2018
6.5 million linkedin passwords reportedly leaked, linkedin is looking into it. http://goo.gl/dWMvd7. Accessed June 2018
Amazon alexa topsites. http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html. Accessed June 2018
Blockchain last block. https://blockchain.info/block/0000000000000000001ba3bf33b8c46856dfc05a3b3aebffa245f16269b54dc1. Accessed June 2018
Every single yahoo account was hacked - 3 billion in all. https://www.alexa.com/topsites. Accessed June 2018
Gdpr portal. https://www.eugdpr.org/. Accessed June 2018
How are alexas traffic rankings determined? http://goo.gl/jMjpeS. Accessed June 2018
Inside the russian hack of yahoo: How they did it. https://www.csoonline.com/article/3180762/data-breach/inside-the-russian-hack-of-yahoo-how-they-did-it.html. Accessed June 2018
Man-in-the-middle attack. https://www.owasp.org/index.php/Man-in-the-middle_attack. Accessed June 2018
Protonmail. https://protonmail.com/. Accessed June 2018
Protonmail - two factor authentication (2fa). https://protonmail.com/support/knowledge-base/two-factor-authentication/. Accessed June 2018
The real life risks of re using the same passwords. https://pixelprivacy.com/resources/reusing-passwords/. Accessed June 2018
Stronger security for your google account. https://www.google.com/landing/2step/. Accessed June 2018
Using burp to brute force a login page. https://goo.gl/jfwiCJ. Accessed June 2018
Website security statistics report. https://info.whitehatsec.com/rs/whitehatsecurity/images/2015-Stats-Report.pdf. Accessed June 2018
Brainard, J., Juels, A., Rivest, R.L., Szydlo, M., Yung, M.: Fourth-factor authentication: somebody you know. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 168–178. ACM (2006)
Dell’Amico, M., Michiardi, P., Roudier, Y.: Password strength: an empirical analysis. In: Proceedings of IEEE INFOCOM 2010, pp. 1–9. IEEE (2010)
Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666. ACM (2007)
Furnell, S.: An assessment of website password practices. Comput. Secur. 26(7–8), 445–451 (2007)
Furnell, S.: A comparison of website user authentication mechanisms. Comput. Fraud Secur. 2007(9), 5–9 (2007)
Garfinkel, S.L.: Email-based identification and authentication: an alternative to PKI? IEEE Secur. Privacy 99(6), 20–26 (2003)
Just, M., Aspinall, D.: Personal choice and challenge questions: a security and usability assessment. In: Proceedings of the 5th Symposium on Usable Privacy and Security, p. 8. ACM (2009)
Kamp, P.H., et al.: Linkedin password leak: salt their hide. ACM Queue 10(6), 20 (2012)
Ladakis, E., Koromilas, L., Vasiliadis, G., Polychronakis, M., Ioannidis, S.: You can type, but you can hide: a stealthy GPU-based keylogger. In: Proceedings of the 6th European Workshop on System Security (EuroSec) (2013)
Parker, D.B.: Fighting Computer Crime. Scribner, New York (1983)
Reeder, R., Schechter, S.: When the password doesn’t work: secondary authentication for websites. IEEE Secur. Privacy 9(2), 43–49 (2011)
Schechter, S., Egelman, S., Reeder, R.W.: It’s not what you know, but who you know: a social approach to last-resort authentication. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 1983–1992. ACM (2009)
Stobert, E., Biddle, R.: The password life cycle: user behaviour in managing passwords. In: Proceedings of SOUPS (2014)
Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Privacy 2(5), 25–31 (2004). https://doi.org/10.1109/MSP.2004.81
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Raponi, S., Di Pietro, R. (2018). A Spark Is Enough in a Straw World: A Study of Websites Password Management in the Wild. In: Katsikas, S., Alcaraz, C. (eds) Security and Trust Management. STM 2018. Lecture Notes in Computer Science(), vol 11091. Springer, Cham. https://doi.org/10.1007/978-3-030-01141-3_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-01141-3_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01140-6
Online ISBN: 978-3-030-01141-3
eBook Packages: Computer ScienceComputer Science (R0)