Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tangled Web of Password Reuse

Published byViktor Geisler Modified over 6 years ago

Similar presentations

Presentation on theme: "Tangled Web of Password Reuse"— Presentation transcript:

1 Tangled Web of Password Reuse
Anupam Das (UIUC), Joseph Bonneau (Princeton University), Matthew Caesar (UIUC), Nikita Borisov (UIUC), XiaoFeng Wang (Indiana University at Bloomington) 2014 September 20, 2018September 20, 2018

2 Audience Poll How many of you use the web?
How many of you use web sites with accounts/passwords? How many of you use different passwords on all the sites you use? 2 September 20, 2018September 20, 2018

3 So passwords are reused!
The Problem s Social Networks However, on average a user has 6-7 passwords! [Florencio et al. WWW’07] On average a user maintains 25 distinct online accounts! [Florencio et al. WWW’07] Online Entertainment Online Storage So passwords are reused! How our interaction with the web has evolved greatly over the last decade….. Online Banking Online Shopping 3 September 20, 2018September 20, 2018

4 What’s wrong with reuse?
Some High Profile Leaks: Linkedin : 6.5 million Yahoo Voice mail: 450,000 Twitter: 56,000 RockYou: 32 million Adobe: 150 million Enables cross-site password guessing. 4 September 20, 2018September 20, 2018

5 What if passwords are not same?
Known password Unknown password Search Space Using common transformations Say modify passwords based on web site policy. Use leaked password to guess unknown password Potentially reduce the search space. 5 September 20, 2018September 20, 2018

6 Our work We study the problem of password reuse across different web sites- Characterize extent of the problem Conduct measurement and user study Characterize severity of the problem Develop and evaluate cross-site guessing algorithm 6 September 20, 2018September 20, 2018

7 Challenges and approaches
How you obtain data to evaluate on? User study, collect publicly leaked passwords How do we analyze data? Derive typical transformations What’s a good algorithm to guess passwords? Parameterize and derive ordering of transformations that minimizes the number of guesses 7 September 20, 2018September 20, 2018

8 Getting data with a user study
To gain insight into users’ behavior and thought processes when creating passwords for different websites, we conducted an anonymous survey. We had a total of 224 participants. 8 September 20, 2018September 20, 2018

9 Getting more data from leaked passwords
Publicly leaked and password pairs from 11 different web sites: Site # Year csdn.net 2011 gawker.com 748559 2010 voices.yahoo.com 442837 2012 militarysingles.com 163482 rootkit.com 81450 myspace.com 49711 2006 porn.com 25934 hotmail.com 8504 2009 facebook.com 8183 youporn.com 5388 Total 6077 unique users Passwords Per user Percentage 2 97.75% 3 1.82% 4 0.26% 5 0.15% 6 0.02% 9 September 20, 2018September 20, 2018

10 Snapshot of leaked passwords
ID Passwords 116 iloveyou 117 loving loving1 118 naughty NAUGHTY 119 password pa55wOrd 120 logout0616 logout 121 butcher05 Butcher05 122 joey1992 joey92 123 123456 124 gzwz0204 0204gzwz 125 mike04 jade1979 126 lucky777 lucky7 -id Passwords Identical Substring Others (more complex transformations) 10 September 20, 2018

11 Categorizing passwords
We focus on trying to guess these passwords We categorize the password pairs to 3 different categories 43% 38% 19% 11 September 20, 2018September 20, 2018

12 Characterizing similarity of passwords
To get a better understanding of the similarity of the non-identical passwords, we look at different similarity metrics. Non-identical passwords Token-based distance functions Dice, Overlap Edit distance-like functions Levenshtein, Damerau Levenshtein Distance-like functions Manhattan, Cosine Alignment-like functions Smith-Waterman, Neddleman-Wunsch, LCS 12 September 20, 2018September 20, 2018

13 Deriving transformation operations
Lets start with passwords that are substring of each other as they require only insertions or deletions. Insertion/Deletion Location Location Percentage At start 10% At end 88% At both ends 2% Similar to what we found from our user study. Most insertions/deletions are of length= 2 13 September 20, 2018September 20, 2018

14 Deriving more complex transformations
Sequential key: qwerasdf 1234qwer Sequential alternative key: 12345  Sequential alphabet: abcde  12345 Capitalization: naughty  NAUGHTY Reverse: 654321 LeetSpeak Transformation: password  pa$$w0rd Substring Movement: gzwz0204  0204gzwz Other less common transformations also exist repeating character sequences swap of positions using address Etc. 14 September 20, 2018September 20, 2018

15 Automating password guessing
The question to ask: Given a leaked password (as seed), can we design an algorithm to automatically guess other passwords? Answer: Yes, we can! Goals: Compute the orderings and parameterizations that require minimum number of guesses We obtain the ordering using 40% of our data Make the design applicable for online attack scenario. 15 September 20, 2018September 20, 2018

16 Number of guesses Able to guess ~30% passwords within 100 attempts.
Non-identical Passwords We were able to guess 75% of the passwords in the ‘Substring’ category within 100 attempts ~30% even with relatively simple analysis, this kind of attack can get around online rate limits in a large number of cases, so this is a real security concern! Legend: ED guesser -- Edit Distance based Guesser Able to guess ~30% passwords within 100 attempts. Our approach is therefore suitable for online attack scenarios. 16 September 20, 2018September 20, 2018

17 Similarity of guessed passwords
Cracked Passwords Non-Cracked Passwords even with relatively simple analysis, this kind of attack can get around online rate limits in a large number of cases, so this is a real security concern! Majority of the correctly guessed passwords had high similarity score. Majority of the non-cracked passwords had small similarity score 17 September 20, 2018September 20, 2018

18 Conclusion Password reuse is common
We found 43-51% of users reused their passwords Password reuse is harmful Makes cross-site guessing easier. We were able to guess 30% of the non-identical passwords within 100 attempts. Even a “low-value” website compromise can be serious. A hack of your Zynga (Farmville) account can potentially compromise your Gmail account! Details about the project is available at- 18 September 20, 2018September 20, 2018

19 END 19 September 20, 2018September 20, 2018

Download ppt "Tangled Web of Password Reuse"

Similar presentations

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.

Point3r$. Password Introduction Passwords are a key part of any security system : –Work or Personal Strong passwords make your personal and work.
Longest Common Subsequence

Longest Common Subsequence
Why Are Computers Necessary in Today’s World?

Why Are Computers Necessary in Today’s World?
Social Media Networking Sites Charlotte Jenkins Designing the Social Web 06-10-2011.

Social Media Networking Sites Charlotte Jenkins Designing the Social Web
Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.

Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.
Cryptography: Keeping Your Information Safe. Information Assurance/Information Systems –What do we do? Keep information Safe Keep computers Safe –What.

Cryptography: Keeping Your Information Safe. Information Assurance/Information Systems –What do we do? Keep information Safe Keep computers Safe –What.
Password Management Strategies for Online Accounts Gaw & Felten Optional Reading.

Password Management Strategies for Online Accounts Gaw & Felten Optional Reading.
Comparing protein structure and sequence similarities Sumi Singh Sp 2015.

Comparing protein structure and sequence similarities Sumi Singh Sp 2015.
How To Protect Your Privacy and Avoid Identity Theft Online.

How To Protect Your Privacy and Avoid Identity Theft Online.
The purpose of this Software Requirements Specification document is to clearly define the system under development, that is, the International Etruscan.

The purpose of this Software Requirements Specification document is to clearly define the system under development, that is, the International Etruscan.
Multiple Password Interference in text Passwords and click based Graphical Passwords by Sonia Chiasson, Alian Forget, Elizabeth Stobert, PC van Oorschot.

Multiple Password Interference in text Passwords and click based Graphical Passwords by Sonia Chiasson, Alian Forget, Elizabeth Stobert, PC van Oorschot.
BUSINESS B1 Information Security.

BUSINESS B1 Information Security.
Managing Network Security ref:www.microsoft.com. Overview Using Group Policy to Secure the User Environment Using Group Policy to Configure Account Policies.

Managing Network Security ref: Overview Using Group Policy to Secure the User Environment Using Group Policy to Configure Account Policies.
It’s no secret It’s no secret Measuring the security and reliability of authentication via ‘secret’ questions By Schechter, Brush and Egelman ® 2009 Presenter:

It’s no secret It’s no secret Measuring the security and reliability of authentication via ‘secret’ questions By Schechter, Brush and Egelman ® 2009 Presenter:
Using Identity Credential Usage Logs to Detect Anomalous Service Accesses Daisuke Mashima Dr. Mustaque Ahamad College of Computing Georgia Institute of.

Using Identity Credential Usage Logs to Detect Anomalous Service Accesses Daisuke Mashima Dr. Mustaque Ahamad College of Computing Georgia Institute of.
 A viruses is a program that can harm or track your computer. E.g. browser hijacker.  When a viruses accesses the computer it can accesses the HDD and.

 A viruses is a program that can harm or track your computer. E.g. browser hijacker.  When a viruses accesses the computer it can accesses the HDD and.
Using E-mail A presentation of the Elmhurst Public Library.

Using A presentation of the Elmhurst Public Library.
PREPARED BY: SYAIDATUL SYAZANA BT PAUZI INTRODUCTION What is the definition of Phishing Hacking.

PREPARED BY: SYAIDATUL SYAZANA BT PAUZI INTRODUCTION What is the definition of Phishing Hacking.
Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,

Peeping Tom in the Neighborhood Keystroke Eavesdropping on Multi-User Systems USENIX 2009 Kehuan Zhang, Indiana University, Bloomington XiaoFeng Wang,
User Friendly Passwords Nicole Longworth Michael Shoppell RJ Brown.

User Friendly Passwords Nicole Longworth Michael Shoppell RJ Brown.

Similar presentations

Ads by Google