A Spark Is Enough in a Straw World: A Study of Websites Password Management in the Wild

  • Conference paper
  • Security and Trust Management (STM 2018)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11091)

Abstract

The widespread use of password authentication on websites is an ever-increasing concern, especially considering that an attacker may recover a user's password by exploiting loopholes in the password recovery mechanisms. Indeed, a poor password management system on a website renders useless even the most robust password chosen by its users.

In this paper, we first analyse currently adopted password recovery mechanisms. We then model an attacker with a set of different capabilities and show how current password recovery mechanisms can be exploited under this attacker model. Next, we provide a thorough analysis of the password management of some of Alexa's top 200 websites in different countries, including England, France, Germany, Spain and Italy. Of these 1,000 websites, 722 do not require authentication and are hence excluded from our study; of the remaining 278, we focused on 174, since the other 104 demanded information we could not produce. Of these 174, almost 25% have critical vulnerabilities, while 44% have some form of vulnerability. Finally, we point out that, considering the entry into force of the General Data Protection Regulation (GDPR) in May 2018, most of these websites are not compliant with the legislation and may incur heavy fines. This study, besides being important on its own since it highlights some severe current vulnerabilities and proposes corresponding remedies, has the potential to have a relevant impact on the EU industrial ecosystem.

Author information

Correspondence to Simone Raponi.

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Raponi, S., Di Pietro, R. (2018). A Spark Is Enough in a Straw World: A Study of Websites Password Management in the Wild. In: Katsikas, S., Alcaraz, C. (eds) Security and Trust Management. STM 2018. Lecture Notes in Computer Science, vol 11091. Springer, Cham. https://doi.org/10.1007/978-3-030-01141-3_3

  • DOI: https://doi.org/10.1007/978-3-030-01141-3_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-01140-6

  • Online ISBN: 978-3-030-01141-3

  • eBook Packages: Computer Science (R0)