THE TANGLED WEB OF PASSWORD REUSE
Das, Bonneau, Caesar, Borisov, and Wang
Presented by: Cody Frenzel and JP Wheeler
INTRODUCTION
• Easy-to-guess passwords undermine security
• Many online services impose password composition policies and show password-strength meters
• Reasons to be concerned about password reuse:
  • Large influx of new users
  • Increase in the number of sites requiring credentials
  • Recent high-profile leaks make cross-site password reuse a more pressing concern
KEY CONTRIBUTIONS
• An empirical estimate of the rate of direct password reuse by the same user across different websites, based on the largest data set collected so far
• An analysis of non-identical passwords used by the same users across different online accounts
• A survey of how users construct passwords for different online accounts
• A cross-site guessing algorithm that uses a password leaked at one site to produce guesses for the passwords the same user may use at other sites
PASSWORD COMPOSITION POLICY
• The hardest passwords to crack are random character strings, but such passwords are too hard to remember
• Common password composition policies:
  • Password must not contain the user's name
  • At least n characters long
  • Password must contain characters from two or more of these categories: uppercase letters, lowercase letters, digits, symbols
• Increasingly complex policies lead to password fatigue
RELATED WORK
• Narayanan and Shmatikov improved dictionary attacks by using a training set to obtain probabilities of candidate substrings
• Florencio et al. monitored the password habits of half a million users; the average user had 6.5 passwords, each shared across 3.9 different sites
• Zhang et al. studied how users modify their passwords when forced to change them and built a generic algorithm that could guess future passwords
• There has also been research on defending against cross-site password attacks with password management tools such as PwdHash
OUR DATASET
• Only leaked password lists containing both a username and a password were used
• 6,077 unique users with at least two leaked passwords
PASSWORD SIMILARITY
• Distance-like functions used to compare a user's passwords:
  • Edit-distance-like functions
  • Token-based distance functions
  • Alignment-like functions
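One representative of each similarity family on the slide, as an added example (not code from the paper): an edit-distance-like measure (Levenshtein), a token-based measure (Jaccard over character bigrams) and an alignment-like measure (longest common substring). The sample password pairs are constructed here and are not from the paper's data set; which concrete functions the paper used is not stated on the slide.

```python
"""Password-similarity measures: edit-distance-like, token-based, alignment-like.
Example code, not the paper's implementation."""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes and
    substitutions that turn a into b (one-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def edit_similarity(a: str, b: str) -> float:
    """Normalise to [0, 1] by the longer length so pairs of different lengths compare."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest


def ngrams(s: str, n: int = 2) -> set:
    """Character n-grams of s, used as the 'tokens' of the token-based measure."""
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def jaccard_ngrams(a: str, b: str, n: int = 2) -> float:
    """Token-based similarity: |A & B| / |A | B| over character n-gram sets.
    Order-insensitive, so moving a chunk of the password barely changes the score."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def longest_common_substring(a: str, b: str) -> str:
    """Alignment-like measure: the longest contiguous run the two strings share."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i, ca in enumerate(a, 1):
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def lcs_similarity(a: str, b: str) -> float:
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else len(longest_common_substring(a, b)) / longest


def compare(a: str, b: str) -> dict:
    """Score one password pair under all three measure families."""
    return {
        "edit_distance": edit_distance(a, b),
        "edit_similarity": edit_similarity(a, b),
        "jaccard_bigrams": jaccard_ngrams(a, b),
        "lcs": longest_common_substring(a, b),
        "lcs_similarity": lcs_similarity(a, b),
    }


# Constructed sample pairs (not from the paper's leak data).
SAMPLE_PAIRS = [("password1", "Password12"), ("ilovedogs", "ilovecats"), ("qwerty", "zxcvbn")]

if __name__ == "__main__":
    for a, b in SAMPLE_PAIRS:
        print(f"{a!r} vs {b!r}: {compare(a, b)}")
```

The point of scoring the same pair three ways is that the measures disagree: a capitalised first letter plus an appended digit costs two edits but leaves most bigrams and an eight-character common substring intact, which is exactly the kind of "small modification" a cross-site guesser can exploit.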
PASSWORD SIMILARITY ACROSS DIFFERENT SITES
SURVEY
• The survey was designed to gain insight into users' behaviour and thought processes when creating passwords for different websites
• 224 responses from students and professional staff at various universities
PROMINENT TRANSFORMATIONS
• Manually examined 40% of the leaked passwords
• Many interesting transformation rules were found, such as adding a few random extra characters or adding emoticons
• The guessing algorithm leaves these rarer rules out to stay simple
GUESSING ALGORITHM
• Given a user's password for one site, the algorithm should find the user's password for other sites in a small number of guesses
• The algorithm runs several transformation phases in a fixed order until the target password is found
OUR ALGORITHM
• Character sequence: looks for known pattern sequences; once a pattern is found, the corresponding transformation is applied sequentially
• Deletions: iteratively tries deleting characters from the classes {digit, symbol, uppercase letter, lowercase letter}
• Insertions: inserts digits or symbols at the front or end, limited to at most two insertions
• Capitalizations: capitalizes all letters, then the first letter, then the last letter, then combinations of both
• Reversals: reverses the input password
• Leet-speak: tries the popular leet substitutions
• Substring movement: splits the input into substrings wherever a delimiter character from the set {digit, symbol, uppercase letter} occurs, then rearranges the substrings
• Subword modification: finds subwords and capitalizes the first letter of each
EVALUATING THE ALGORITHM
• The guesser is evaluated by the number of guesses needed to crack the target password
• Only non-identical password pairs were analyzed
• Compared against three competitors:
  • RockYou guesser
  • Edit-distance guesser
  • John the Ripper
CONCLUSION
• Limitations: text-based passwords only; simple guessing scheme
• Countermeasures
• 43% of users reuse passwords, confirming the suspicion that reuse is a significant security vulnerability
• Many users make small modifications to their passwords, and many share the same modification method
• The prototype guessing algorithm cracks 10% of non-identical password pairs in fewer than 10 attempts
• In fewer than 100 attempts it cracks 30% of such pairs
QUESTIONS