RUHR-UNIVERSITÄT BOCHUM
WILL ANY PASSWORD DO? EXPLORING RATE-LIMITING ON THE WEB
WAY’18, Baltimore, MD, USA, 12 August 2018
Maximilian Golla, Theodor Schnitzler, Markus Dürmuth
MOTIVATION

Typical password rules: do not reuse; not more than 8 characters; change once a month; at least 8 characters; upper case, lower case, numbers, special characters.

Rate-limiting: “… the verifier shall limit attempts on a single account to no more than 100.” (NIST Special Publication 800-63B)

Research question: Do real-world websites take appropriate measures to prevent unauthorized accesses to their users’ accounts?
STUDY PROCEDURE

Number of attempts: Usability: min. 10; NIST: max. 100; first impression.

Tor network: hide identity; circumvent IP blocking.

Final valid attempt: correct credentials; from same Tor session; no resource wasting.
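The NIST quote on the motivation slide and the study procedure above (a fixed number of wrong guesses, then one final valid attempt) are easiest to reason about against a concrete per-account limiter. The following is an added example, not code from the study or from any service in the results table; the one-hour lockout window, the one-second spacing of the simulated attempts and the account names are assumptions chosen for illustration.

```python
"""Per-account failed-login limiter in the spirit of NIST SP 800-63B
("limit attempts on a single account to no more than 100").

Added example; not code from the study or from any of the services
in the results table.  The lockout window and the timing of the
simulated study run are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

MAX_FAILED_ATTEMPTS = 100      # upper bound from NIST SP 800-63B
LOCKOUT_SECONDS = 60 * 60      # assumed lockout window, not from the slides


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of failed attempts
    locked_until: float = 0.0                             # 0.0 = not locked


class LoginRateLimiter:
    """Counts failures per *account*, not per source IP.

    A per-IP counter is exactly what a client rotating Tor circuits
    sidesteps; a per-account counter with a lockout and a user
    notification is what the NIST quote asks for.
    """

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS,
                 lockout: float = LOCKOUT_SECONDS) -> None:
        self.max_failed = max_failed
        self.lockout = lockout
        self.state: Dict[str, AccountState] = defaultdict(AccountState)
        self.notifications: List[str] = []   # stand-in for "account locked" e-mails

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns "locked", "failed" or "success" for one login attempt."""
        st = self.state[account]
        if now < st.locked_until:
            return "locked"          # even a correct password is refused while locked
        # Forget failures that have fallen out of the window.
        st.failures = [t for t in st.failures if now - t < self.lockout]
        if password_ok:
            st.failures.clear()      # a successful login resets the counter
            return "success"
        st.failures.append(now)
        if len(st.failures) >= self.max_failed:
            st.locked_until = now + self.lockout
            self.notifications.append(
                f"{account}: locked after {self.max_failed} failed attempts")
            return "locked"
        return "failed"


def simulate_study_run(limiter: LoginRateLimiter, account: str,
                       wrong_guesses: int) -> List[str]:
    """Replays the study procedure against the limiter: `wrong_guesses`
    incorrect passwords one second apart, then one final valid attempt.
    Returns the outcome of every attempt, the final valid one last."""
    outcomes = []
    for i in range(wrong_guesses):
        outcomes.append(limiter.attempt(account, False, now=float(i)))
    outcomes.append(limiter.attempt(account, True, now=float(wrong_guesses)))
    return outcomes


if __name__ == "__main__":
    # 25 guesses stay under the NIST ceiling, so the final valid attempt succeeds.
    print(simulate_study_run(LoginRateLimiter(), "alice@example.com", 25)[-1])
    # An assumed stricter threshold of 10 locks the account on the 10th failure
    # and still refuses the correct password afterwards.
    strict = LoginRateLimiter(max_failed=10)
    print(simulate_study_run(strict, "bob@example.com", 25)[-1], strict.notifications)
```

With the NIST ceiling of 100, the 25-guess run used in the study ends in a successful login, which is the "Login" outcome several services in the results table show; a threshold of 10 (assumed here) locks the account before the valid attempt and also surfaces the lockout as a notification, the behaviour the table records for IKEA.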
WEBSITES

Existing accounts: history & value.

Don’t be evil: our own accounts.
PASSWORDS

Baseline: Pwned Passwords v2; 500 million breached passwords.

Composition policies: “8 or more characters”; remove non-compliant passwords.

Manual verification: “12345678” not allowed; bad practice still in use.
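The same three ingredients a site needs on the defending side are a composition policy, a breached-password list such as Pwned Passwords, and a reject for classics like "12345678". The following acceptance check is an added example, not the study's code: the blocklist is a constructed handful of SHA-1 hashes standing in for the 500-million-entry Pwned Passwords set, and the range lookup mirrors the public API's 5-character prefix query shape but runs entirely offline.

```python
"""Password acceptance check combining a composition policy with a
breached-password blocklist.

Added example, not the study's code.  The blocklist is a constructed
stand-in for Pwned Passwords v2; the k-anonymity range lookup copies the
public API's 5-character SHA-1 prefix query but is served from a local dict.
"""
import hashlib
import re
from typing import Callable, Dict, List, Set


def sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for Pwned Passwords: a few known-bad passwords, stored
# as SHA-1 hashes bucketed by their 5-character prefix (the API's layout).
_BREACHED = ["12345678", "password", "qwertyuiop", "letmein1"]
RANGE_DB: Dict[str, Set[str]] = {}
for _pw in _BREACHED:
    _h = sha1_upper(_pw)
    RANGE_DB.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> Set[str]:
    """Simulates the k-anonymity range query: the caller reveals only the
    5-character prefix and receives every suffix in that bucket."""
    if len(prefix) != 5:
        raise ValueError("range queries take a 5-character hex prefix")
    return RANGE_DB.get(prefix, set())


def is_breached(pw: str) -> bool:
    h = sha1_upper(pw)
    return h[5:] in range_lookup(h[:5])


# Composition policies from the slides: "length8" is "8 or more characters",
# "classes4" the upper case / lower case / numbers / special characters rule.
POLICIES: Dict[str, Callable[[str], bool]] = {
    "length8": lambda pw: len(pw) >= 8,
    "classes4": lambda pw: all(re.search(p, pw) is not None for p in
                               (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")),
}


def check_password(pw: str, policy_names: List[str]) -> List[str]:
    """Returns the reasons a password is rejected (empty list = accepted).
    Policy violations are listed first, in the order given, then a breach hit."""
    reasons = [f"policy:{name}" for name in policy_names if not POLICIES[name](pw)]
    if is_breached(pw):
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    for candidate in ["12345678", "password", "Tr0ub4dor&3x"]:
        print(candidate, check_password(candidate, ["length8", "classes4"]) or "accepted")
```

"12345678" satisfies the "8 or more characters" rule and is still rejected because it is in the breached set, which is the point the slide's "bad practice still in use" item makes: a length policy alone lets the most common passwords through.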
RESULTS OVERVIEW

Symbols as on the slide: • = observed, o = not observed. "Login" is the outcome of the final valid attempt; "Time (Min.)" is the duration of the run.

| Alexa | Service   | Guesses | Login | Time (Min.) | CAPTCHA | Lockout | Blocking | 2nd Step   | Notification         |
|-------|-----------|---------|-------|-------------|---------|---------|----------|------------|----------------------|
| 1     | Google    | 25      | o     | 10          | •       | o       | •        | -          | -                    |
| 3     | Facebook  | 25      | o     | 4           | o       | •       | o        | -          | -                    |
| 7     | Yahoo     | 25      | o     | 5           | •       | o       | •        | Email Code | Suspicious           |
| 12    | Twitter   | 25      | •     | 4           | o       | o       | •        | Phone No.  | Sign-in, Suspicious  |
| 30    | Netflix   | 25      | o     | 7           | o       | •       | •        | -          | -                    |
| 84    | Amazon    | 25      | •     | 15          | •       | o       | •        | Email Code | -                    |
| 89    | Dropbox   | 25      | •     | 19          | •       | o       | o        | -          | Sign-in              |
| 285   | IKEA      | 7       | o     | 2           | o       | •       | o        | -          | Account Locked       |
| 664   | Grammarly | 13      | o     | 6           | o       | •       | •        | -          | -                    |
| 992   | Plex      | 25      | •     | 7           | o       | o       | •        | -          | -                    |
| 1220  | Uber      | 25      | •     | 9           | •       | o       | •        | SMS Code   | -                    |
| 4333  | Trainline | 25      | •     | 3           | o       | o       | o        | -          | -                    |
ACCOUNT LOCKOUT (see the Lockout column of the results table above)
SUCCESSFUL LOGIN (see the Login column of the results table above)
BLOCKING (see the Blocking column of the results table above)