Tangled Web of Password Reuse

Slides:

Advertisements

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Advertisements

Longest Common Subsequence

Why Are Computers Necessary in Today’s World?

Social Media Networking Sites Charlotte Jenkins Designing the Social Web

Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.

Cryptography: Keeping Your Information Safe. Information Assurance/Information Systems –What do we do? Keep information Safe Keep computers Safe –What.

Password Management Strategies for Online Accounts Gaw & Felten Optional Reading.

Comparing protein structure and sequence similarities Sumi Singh Sp 2015.

How To Protect Your Privacy and Avoid Identity Theft Online.

The purpose of this Software Requirements Specification document is to clearly define the system under development, that is, the International Etruscan.

Multiple Password Interference in text Passwords and click based Graphical Passwords by Sonia Chiasson, Alian Forget, Elizabeth Stobert, PC van Oorschot.

BUSINESS B1 Information Security.

Managing Network Security ref: Overview Using Group Policy to Secure the User Environment Using Group Policy to Configure Account Policies.

It’s no secret It’s no secret Measuring the security and reliability of authentication via ‘secret’ questions By Schechter, Brush and Egelman ® 2009 Presenter:

Using Identity Credential Usage Logs to Detect Anomalous Service Accesses Daisuke Mashima Dr. Mustaque Ahamad College of Computing Georgia Institute of.

 A viruses is a program that can harm or track your computer. E.g. browser hijacker.  When a viruses accesses the computer it can accesses the HDD and.

Using A presentation of the Elmhurst Public Library.

PREPARED BY: SYAIDATUL SYAZANA BT PAUZI INTRODUCTION What is the definition of Phishing Hacking.

Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,

User Friendly Passwords Nicole Longworth Michael Shoppell RJ Brown.

Using Social Media for Fundraising and Communication with Supporters Lindsay Boyle – Communications & Research Coordinator Claire Chapman – Information.

 Who Uses Web Search for What? And How?. Contribution  Combine behavioral observation and demographic features of users  Provide important insight.

Building Structures. Building Relationships. Passwords February 2010 Marshall Tuck.

MINRMS: an efficient algorithm for determining protein structure similarity using root-mean-squared-distance Andrew I. Jewett, Conrad C. Huang and Thomas.

Audit COM380 University of Sunderland Harry R. Erwin, PhD.

Prepare to set up you new Gmail Account. What are you using? Software Program Name Owned bySoftware Location Outlook ExpressMicrosoftOn Your Computer.

Password Security Module 8. Objectives Explain Authentication and Authorization Provide familiarity with how passwords are used Identify the importance.

Don’t Follow me : Spam Detection in Twitter January 12, 2011 In-seok An SNU Internet Database Lab. Alex Hai Wang The Pensylvania State University International.

Intro to Data Structures Concepts ● We've been working with classes and structures to form linked lists – a linked list is an example of something known.

SOCIAL NETWORKING SAFETY & SECURITY. 2 CLASSROOM ETIQUETTE Please turn off all cell phones Leave food & drink outside Water bottles are okay “Respect/

AP CSP: Identifying People with Data and The Cost of Free

PASSWORD SECURITY A Melbourne Athenaeum Library

Prediction Games Players compete by making predictions about upcoming event/observation in the real world Predictions are scored after event At TAMU, we.

Survey Design and Analysis

Creating your online identity

Choosing A Username and Password

Information Systems in Organizations

Welcome! To the ETS – Create Client Account & Maintenance

How to use the internet safely and How to protect my personal data?

Encryption 1-way String Encryption Rainbows (a.k.a. Spectrums)

Gmail Password Recovery Process

HOW TO SET UP AUTHORIZED USERS TO VIEW AND PAY YOUR STUDENT BILL

Authentication CSE 465 – Information Assurance Fall 2017 Adam Doupé

Challenges We Face On the Internet

Application of the Internet

Vocabulary Big Data - “Big data is a broad term for datasets so large or complex that traditional data processing applications are inadequate.” Moore’s.

Digital Analytics Best Practices for Financial Services Environments

Year 10 ICT ECDL/ICDL IT Security.

To the ETS – Password Reset Online Training Course

Forensics Week 11.

Transforming IT Management

What is in the Web? And Commerce on the Web

Information Technology Services Education and Awareness Team

Human-Computable Passwords

Setting up an online account

Anupam Das , Nikita Borisov

Introduction to Computers

Why Are Computers Necessary in Today’s World?

Unit# 5: Internet and Worldwide Web

Security and Usability of Password Based User Authentication Systems

Authentication CSE 365 – Information Assurance Fall 2018 Adam Doupé

REVISITING DEFENSES AGAINST LARGE SCALE ONLINE PASSWORD GUESSING ATTACKS Mansour Alsaleh,Mohammad Mannan and P.C van Oorschot.

Website Testing Checklist

To the ETS – Password Reset Online Training Course

Data Structures Introduction

Information Technology Services Education and Awareness Team

The Internet: Encryption & Public Keys

Enabling Prediction of Performance

Dark Web Domain Status Report

Authentication CSE 365 – Information Assurance Fall 2019 Adam Doupé

Presentation transcript:

Tangled Web of Password Reuse Anupam Das (UIUC), Joseph Bonneau (Princeton University), Matthew Caesar (UIUC), Nikita Borisov (UIUC), XiaoFeng Wang (Indiana University at Bloomington) 2014 September 20, 2018September 20, 2018

Audience Poll How many of you use the web? How many of you use web sites with accounts/passwords? How many of you use different passwords on all the sites you use? 2 September 20, 2018September 20, 2018

So passwords are reused! The Problem Emails Social Networks However, on average a user has 6-7 passwords! [Florencio et al. WWW’07] On average a user maintains 25 distinct online accounts! [Florencio et al. WWW’07] Online Entertainment Online Storage So passwords are reused! How our interaction with the web has evolved greatly over the last decade….. Online Banking Online Shopping 3 September 20, 2018September 20, 2018

What’s wrong with reuse? Some High Profile Leaks: Linkedin : 6.5 million Yahoo Voice mail: 450,000 Twitter: 56,000 RockYou: 32 million Adobe: 150 million Enables cross-site password guessing. 4 September 20, 2018September 20, 2018

What if passwords are not same? Known password Unknown password Search Space Using common transformations Say modify passwords based on web site policy. Use leaked password to guess unknown password Potentially reduce the search space. 5 September 20, 2018September 20, 2018

Our work We study the problem of password reuse across different web sites- Characterize extent of the problem Conduct measurement and user study Characterize severity of the problem Develop and evaluate cross-site guessing algorithm 6 September 20, 2018September 20, 2018

Challenges and approaches How you obtain data to evaluate on? User study, collect publicly leaked passwords How do we analyze data? Derive typical transformations What’s a good algorithm to guess passwords? Parameterize and derive ordering of transformations that minimizes the number of guesses 7 September 20, 2018September 20, 2018

Getting data with a user study To gain insight into users’ behavior and thought processes when creating passwords for different websites, we conducted an anonymous survey. We had a total of 224 participants. 8 September 20, 2018September 20, 2018

Getting more data from leaked passwords Publicly leaked email and password pairs from 11 different web sites: Site # Year csdn.net 6428630 2011 gawker.com 748559 2010 voices.yahoo.com 442837 2012 militarysingles.com 163482 rootkit.com 81450 myspace.com 49711 2006 porn.com 25934 hotmail.com 8504 2009 facebook.com 8183 youporn.com 5388 Total 6077 unique users Passwords Per user Percentage 2 97.75% 3 1.82% 4 0.26% 5 0.15% 6 0.02% 9 September 20, 2018September 20, 2018

Snapshot of leaked passwords Email ID Passwords 116 iloveyou 117 loving loving1 118 naughty NAUGHTY 119 password pa55wOrd 120 logout0616 logout 121 butcher05 Butcher05 122 joey1992 joey92 123 123456 12345678 124 gzwz0204 0204gzwz 125 mike04 jade1979 126 lucky777 lucky7 Email-id Passwords Identical Substring Others (more complex transformations) 10 September 20, 2018

Categorizing passwords We focus on trying to guess these passwords We categorize the password pairs to 3 different categories 43% 38% 19% 11 September 20, 2018September 20, 2018

Characterizing similarity of passwords To get a better understanding of the similarity of the non-identical passwords, we look at different similarity metrics. Non-identical passwords Token-based distance functions Dice, Overlap Edit distance-like functions Levenshtein, Damerau Levenshtein Distance-like functions Manhattan, Cosine Alignment-like functions Smith-Waterman, Neddleman-Wunsch, LCS 12 September 20, 2018September 20, 2018

Deriving transformation operations Lets start with passwords that are substring of each other as they require only insertions or deletions. Insertion/Deletion Location Location Percentage At start 10% At end 88% At both ends 2% Similar to what we found from our user study. Most insertions/deletions are of length= 2 13 September 20, 2018September 20, 2018

Deriving more complex transformations Sequential key: qwerasdf 1234qwer Sequential alternative key: 12345  !@#$% Sequential alphabet: abcde  12345 Capitalization: naughty  NAUGHTY Reverse: 123456 654321 LeetSpeak Transformation: password  pa$$w0rd Substring Movement: gzwz0204  0204gzwz Other less common transformations also exist repeating character sequences swap of positions using email address Etc. 14 September 20, 2018September 20, 2018

Automating password guessing The question to ask: Given a leaked password (as seed), can we design an algorithm to automatically guess other passwords? Answer: Yes, we can! Goals: Compute the orderings and parameterizations that require minimum number of guesses We obtain the ordering using 40% of our data Make the design applicable for online attack scenario. 15 September 20, 2018September 20, 2018

Number of guesses Able to guess ~30% passwords within 100 attempts. Non-identical Passwords We were able to guess 75% of the passwords in the ‘Substring’ category within 100 attempts ~30% even with relatively simple analysis, this kind of attack can get around online rate limits in a large number of cases, so this is a real security concern! Legend: ED guesser -- Edit Distance based Guesser Able to guess ~30% passwords within 100 attempts. Our approach is therefore suitable for online attack scenarios. 16 September 20, 2018September 20, 2018

Similarity of guessed passwords Cracked Passwords Non-Cracked Passwords even with relatively simple analysis, this kind of attack can get around online rate limits in a large number of cases, so this is a real security concern! Majority of the correctly guessed passwords had high similarity score. Majority of the non-cracked passwords had small similarity score 17 September 20, 2018September 20, 2018

Conclusion Password reuse is common We found 43-51% of users reused their passwords Password reuse is harmful Makes cross-site guessing easier. We were able to guess 30% of the non-identical passwords within 100 attempts. Even a “low-value” website compromise can be serious. A hack of your Zynga (Farmville) account can potentially compromise your Gmail account! Details about the project is available at- http://web.engr.illinois.edu/~das17/passwordreuse.html 18 September 20, 2018September 20, 2018

END 19 September 20, 2018September 20, 2018