sauth protecting user accounts from password database
play

SAuth: Protecting User Accounts from Password Database Leaks - PowerPoint PPT Presentation

Apr 06, 2024 •134 likes •441 views

SAuth: Protecting User Accounts from Password Database Leaks Georgios Kontaxis , Elias Athanasopoulos Georgios Portokalidis * , Angelos Keromytis Columbia University * Stevens Institute of Technology Authentication recognizes

  1. SAuth: Protecting User Accounts from Password Database Leaks Georgios Kontaxis ‡ , Elias Athanasopoulos ‡ Georgios Portokalidis * , Angelos Keromytis ‡ ‡ Columbia University * Stevens Institute of Technology

  2. Authentication recognizes passwords not users …

  3. … and unfortunately passwords get leaked

  4. With stolen password, Attacker impersonates Alice

  5. Password leaks happen all the time • May go unnoticed until it’s too late 2009 RockYou Gaming 32.0 million 2010 Gawker Media 1.5 million Domino attack prompted resets in other sites 2011 Sony 1.0 million 2012 LinkedIn 6.5 million 2013 Twitter 250.000 Before being detected and shut down 2013 Adobe 150.0 million

  6. Passwords get cracked all the time • Weak passwords – short, dictionary words, names, patterns, etc. • Fast hardware – Commodity parallel architectures (GPUs) – Cloud-powered cracking platforms • 6 days after the 6.5 million LinkedIn password leak, 90% of them were cracked

  7. Enhanced Authentication Today • Two-Factor Authentication – How many tokens/app can a user handle? • Single sign-on services – Single point of failure – Relying party gets to find out user identity* – Privacy issues from coarse-grained data sharing

  8. How about Authentication Synergy? • Forgot your password?

  9. How about Authentication Synergy? • User’s Authentication State

  10. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  11. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  12. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  13. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  14. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  15. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  16. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  17. SAuth: Synergy-based Enhanced Authentication • Password leak on Evernote will protect account access

  18. SAuth: Synergy-based Enhanced Authentication • Attacker has compromised Alice’s password on Evernote

  19. SAuth: Synergy-based Enhanced Authentication • Attacker impersonates Alice on Evernote

  20. SAuth: Synergy-based Enhanced Authentication • Attacker is unable to produce Alice’s Twitter password

  21. SAuth: Synergy-based Enhanced Authentication • Authentication process fails, Evernote denies access

  22. Password Reuse Woes • User has 7 passwords, re-uses 5 of them • Password shared across 6 sites [Florencio WWW ’07]

  23. Decoy Passwords • Uncertainty about the actual password • Store N-1 decoy passwords along • Attack reduced to online guessing • All decoys are valid passwords, server does not know the difference Username P[0] P[1] P[…] P[N] • How many decoys? – 16,384 for NIST L2 security when password is reused

  24. Realistic Decoy Passwords • User password must blend-in with the decoys – Crackers are already factoring in human behavior – Complex vs Popular Passwords string-digit 37% digit-string 05% ! 10% $ 03% - RockYou Leak ‘09 – Ideal: have the user type N passwords, remember 1 – Practical: generation within the password ecosystem • Any blind automated method will generate outliers • Probabilistic production seeded by user’s password, biased towards structures of similar popularity and semantics

  25. Summary • Authentication Synergy results in leak-resistant password authentication – Complements existing security – Respect for user privacy, verifiable site cooperation – Minimal changes server-side, no changes client-side • Decoys mitigate password reuse habits – Generated off the user password, consider its context and general human password habits

  26. tinyurl.com/sauth kontaxis@cs.columbia.edu

  27. Intentionally left blank

  28. Intentionally left blank

  29. Unintentionally left blank

  30. Honeywords, Kamouflage and SAuth Decoy Passwords • Honeywords – Does not yet consider human password habits – Honeywords are not valid passwords – Use of any honeyword will raise an alarm – Auxiliary honeychecking server • Kamouflage password manager – Considers human password habits – Master password decoys are all valid – Online guessing attack should raise alarm • SAuth Decoy Passwords – Considers human password habits – Decoy passwords are all valid – Online guessing attack should raise alarm

Recommend

1 What%is%User%Authen.ca.on? 2 3 User%Authen+ca+on

1 What%is%User%Authen.ca.on? 2 3 User%Authen+ca+on

1 What%is%User%Authen.ca.on? 2 3 User%Authen+ca+on the%process%of%valida1ng%a%users%creden1als%against% what%is%saved%in%the%database Does%the%password%match%what%is%saved%in%the% database?

718 views • 14 slides
User Accounts Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a

User Accounts Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a

User Accounts Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a computer may have just one user account, but several system accounts help keep the computer running. Accounts enable multiple users to share a single

481 views • 11 slides
-: U ser M an ual :- 1. First the office user after receiving their user id and password from

-: U ser M an ual :- 1. First the office user after receiving their user id and password from

-: U ser M an ual :- 1. First the office user after receiving their user id and password from their respective districts must visit www.wbppms.gov.in. 2. In the web portal click on either Get Started or Signin in the upper right

408 views • 9 slides
SAM, GUMS, IDMAP From discussion to reality by Andrew Bartlett & Simo Sorce User Management

SAM, GUMS, IDMAP From discussion to reality by Andrew Bartlett & Simo Sorce User Management

SAM, GUMS, IDMAP From discussion to reality by Andrew Bartlett & Simo Sorce User Management in samba 2.0 Smbpasswd is used mainly for password storage No other password database backend Smbpasswd stores the unix user name and uid

450 views • 17 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
www.healthnet.com Enter your user name and password or Click on Register Now to create a user

www.healthnet.com Enter your user name and password or Click on Register Now to create a user

www.healthnet.com Enter your user name and password or Click on Register Now to create a user name and password if you dont have one Click on County of San Bernardino

162 views • 5 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
Protecting Password Databases using Trusted Hardware Klaudia Krawiecka, Andrew Paverd, N.

Protecting Password Databases using Trusted Hardware Klaudia Krawiecka, Andrew Paverd, N.

Protecting Password Databases using Trusted Hardware Klaudia Krawiecka, Andrew Paverd, N. Asokan Aalto University, Finland This work was supported by the Cloud Security Services (CloSer) project funded by Tekes - the Finnish Funding

351 views • 20 slides
On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019 User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password ,

619 views • 34 slides
Area School District November 6, 2015 HSA Presentation MANAGING YOUR SPENDING ACCOUNTS 2 Log

Area School District November 6, 2015 HSA Presentation MANAGING YOUR SPENDING ACCOUNTS 2 Log

State College Area School District November 6, 2015 HSA Presentation MANAGING YOUR SPENDING ACCOUNTS 2 Log on to highmarkblueshield.com Enter User ID & Password in the Log In box, or For new registrants click Register

486 views • 24 slides
Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University Sweden CryptoParty #9 presentation of 23rd January 2020 What is the problem? How can one solve it? What actually (not) to do? Making it (more)

346 views • 13 slides
Big Data Without a Big Database Kate Matsudaira popforms @katemats Two kinds of data

Big Data Without a Big Database Kate Matsudaira popforms @katemats Two kinds of data

Big Data Without a Big Database Kate Matsudaira popforms @katemats Two kinds of data reference, non- nicknames user, transactional transactional product/offer catalogs user accounts service catalogs

1.98k views • 150 slides
PROTECTING S T H E E YOUR ACCOUNTS IN THE EVENT THAT YOUR BANK FAILS The Fonds de Garantie

PROTECTING S T H E E YOUR ACCOUNTS IN THE EVENT THAT YOUR BANK FAILS The Fonds de Garantie

A C F T 1 PROTECTING S T H E E YOUR ACCOUNTS IN THE EVENT THAT YOUR BANK FAILS The Fonds de Garantie des Dpts et de Rsolution (FGDR) was created by the law of 25 June 1999 to compensate you in the event that your bank or

212 views • 4 slides
myCignaPlans User Guide myCignaplans.com Username: XXXXXXX Password: XXXXXXX Log in with the

myCignaPlans User Guide myCignaplans.com Username: XXXXXXX Password: XXXXXXX Log in with the

myCignaPlans User Guide myCignaplans.com Username: XXXXXXX Password: XXXXXXX Log in with the provided user name and password 2 ACCEPT USER AGREEMENT Scroll down to review and accept the User Agreement Review and click on Accept to

721 views • 25 slides
Screen 1 Go to www.myenroll.com < Click Request User ID and Password> Acquire USER ID and

Screen 1 Go to www.myenroll.com < Click Request User ID and Password> Acquire USER ID and

Acquire USER ID and Password Screen 1 Go to www.myenroll.com < Click Request User ID and Password> Acquire USER ID and Password Screen 2 < Click No and then click continue> Acquire USER ID and Password Screen 3 < Click Request User ID

508 views • 11 slides
Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked Can detect, reject bad passwords for an appropriate definition of bad Discriminate on per-user, per-site basis Needs to do

363 views • 21 slides
Capricorn Portal Tutorial Capricorn Login Page , User id will be you registered EmailID and

Capricorn Portal Tutorial Capricorn Login Page , User id will be you registered EmailID and

Capricorn Portal Tutorial Capricorn Login Page , User id will be you registered EmailID and Password will be provided and you can change it by clicking forgot password, you will receive OTP in Email for Password Reset. After login Dashboard

536 views • 12 slides
Registrant's Guide to Protecting Domain Name Registration Accounts (SAC044) Steve Sheng ICANN

Registrant's Guide to Protecting Domain Name Registration Accounts (SAC044) Steve Sheng ICANN

Registrant's Guide to Protecting Domain Name Registration Accounts (SAC044) Steve Sheng ICANN 1 What is it? A guide for registrants A complement to SAC040 Overview of threats Best practices to follow Making informed

282 views • 5 slides
Hacking and protecting Oracle Database Vault Esteban Martnez Fay Argeniss (www.argeniss.com)

Hacking and protecting Oracle Database Vault Esteban Martnez Fay Argeniss (www.argeniss.com)

Hacking and protecting Oracle Database Vault Esteban Martnez Fay Argeniss (www.argeniss.com) July 2010 Agenda Introduction to Oracle Database Vault What is Oracle Database Vault, What changes introduce, Oracle Database Vault

688 views • 49 slides
Goals Database Administration All large and small databases need database Database

Goals Database Administration All large and small databases need database Database

PHP Miscellaneous $db->insert_id IT420: Database Management and Retrieves the ID generated for an Organization AUTO_INCREMENT column by the previous INSERT query Return value: Managing Multi-user The ID generated for an

140 views • 11 slides
Motivation Database as a service (DaaS) User Service Provider Service Level Database

Motivation Database as a service (DaaS) User Service Provider Service Level Database

Wentao Wu 1 , Yun Chi 2 , Shenghuo Zhu 2 , Junichi Tatemura 2 , Hakan Hacigumus 2 , Jeffrey Naughton 1 1 Dept of Computer Sciences, University of Wisconsin-Madison 2 NEC Laboratories America 1 Motivation Database as a service (DaaS) User

556 views • 26 slides
[keystone_authtoken] auth_uri = http:// admin_password = PASSWORD [api_database]

[keystone_authtoken] auth_uri = http:// admin_password = PASSWORD [api_database]

[keystone_authtoken] auth_uri = http:// admin_password = PASSWORD [api_database] Connection = mysql://USER:PASSWORD@HOST/TABLE !{SECRET: container_ref : key_name } !{ENV: env_var }

430 views • 16 slides
Windows Not just for houses Everyone Uses Windows! Users - Accounts to separate people on a

Windows Not just for houses Everyone Uses Windows! Users - Accounts to separate people on a

Windows Not just for houses Everyone Uses Windows! Users - Accounts to separate people on a computer - Multiple user accounts on a computer - Ex) shared family computer - Access level can be set differently for each user - Ex) parent

689 views • 51 slides
Windows Not just for houses Everyone Uses Windows! Users - Accounts to separate people on a

Windows Not just for houses Everyone Uses Windows! Users - Accounts to separate people on a

Windows Not just for houses Everyone Uses Windows! Users - Accounts to separate people on a computer - Multiple user accounts on a computer - Ex) shared family computer - Access level can be set differently for each user - Ex) parent

1.09k views • 66 slides

More recommend