
WILL ANY PASSWORD DO? EXPLORING RATE-LIMITING ON THE WEB



  1. RUHR-UNIVERSITÄT BOCHUM
     WILL ANY PASSWORD DO? EXPLORING RATE-LIMITING ON THE WEB
     WAY’18, Baltimore, MD, USA, 12 August 2018
     Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

  2. MOTIVATION
     - do not reuse
     - not more than 8 characters
     - change once a month
     - at least 8 characters
     - upper case, lower case, numbers, special characters
     Rate-limiting: “… the verifier shall limit attempts on a single account to no more than 100.” (NIST Special Publication 800-63B)
     Research Question: Do real-world websites take appropriate measures to prevent unauthorized accesses to their users’ accounts?

  3. STUDY PROCEDURE
     Number of attempts
     - Usability: min. 10
     - NIST: max. 100
     - First impression
     - No resource wasting
     Tor network
     - Hide identity
     - Circumvent IP blocking
     Final valid attempt
     - Correct credentials
     - From same Tor session

  4. WEBSITES
     Existing Accounts
     - History & Value
     Don’t be evil
     - Our own accounts

  5. PASSWORDS
     Baseline
     - Pwned Passwords v2
     - 500 million breached passwords
     Composition Policies / Manual Verification
     - “8 or more characters”
     - “12345678” not allowed
     - Remove non-compliant passwords
     - Bad practice still in use

  6. RESULTS OVERVIEW
     Alexa | Service   | Guesses | Time (Min.) | Login | CAPTCHA | Lockout | Blocking | 2nd Step   | Notification
     1     | Google    | 25      | 10          | o     | •       | o       | •        | -          | -
     3     | Facebook  | 25      | 4           | o     | o       | •       | o        | -          | -
     7     | Yahoo     | 25      | 5           | o     | •       | o       | •        | Email Code | Suspicious
     12    | Twitter   | 25      | 4           | •     | o       | o       | •        | Phone No.  | Sign-in, Suspicious
     30    | Netflix   | 25      | 7           | o     | o       | •       | •        | -          | -
     84    | Amazon    | 25      | 15          | •     | •       | o       | •        | Email Code | -
     89    | Dropbox   | 25      | 19          | •     | •       | o       | o        | -          | Sign-in
     285   | IKEA      | 7       | 2           | o     | o       | •       | o        | -          | Account Locked
     664   | Grammarly | 13      | 6           | o     | o       | •       | •        | -          | -
     992   | Plex      | 25      | 7           | •     | o       | o       | •        | -          | -
     1220  | Uber      | 25      | 9           | •     | •       | o       | •        | SMS Code   | -
     4333  | Trainline | 25      | 3           | •     | o       | o       | o        | -          | -

  7. RESULTS OVERVIEW (results table repeated from slide 6)

  8. RESULTS OVERVIEW (results table repeated from slide 6)

  9. ACCOUNT LOCKOUT (results table repeated from slide 6)

  10. ACCOUNT LOCKOUT (results table repeated from slide 6)

  11. SUCCESSFUL LOGIN (results table repeated from slide 6)

  12. SUCCESSFUL LOGIN (results table repeated from slide 6)

  13. BLOCKING (results table repeated from slide 6)

  14. BLOCKING (results table repeated from slide 6)
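The study procedure on slide 3 (a series of wrong guesses, then the correct credentials) can be replayed against a toy login endpoint to show why the NIST limit on slide 2 is stated per account rather than per source address. This Python sketch is an added example, not part of the original slides. `LoginThrottle`, `replay`, the sample account, the 192.0.2.x addresses and the choice of one address per guess are all assumptions; the thresholds 10 and 100 and the 25 guesses come from slides 3 and 6.

```python
import hmac
from collections import defaultdict

USABILITY_MIN = 10  # lower bound from slide 3
NIST_MAX = 100      # upper bound quoted on slide 2 (NIST SP 800-63B)


class LoginThrottle:
    """Toy login endpoint counting failures per account and per source address."""

    def __init__(self, credentials, per_account, per_ip):
        self.credentials = credentials          # constructed plaintext store, demo only
        self.per_account, self.per_ip = per_account, per_ip
        self.account_failures = defaultdict(int)
        self.ip_failures = defaultdict(int)

    def attempt(self, account, password, source_ip):
        """Return 'ok', 'denied' (wrong password) or 'locked' (a limit was hit)."""
        if (self.account_failures[account] >= self.per_account
                or self.ip_failures[source_ip] >= self.per_ip):
            return "locked"                     # checked before the password is examined
        stored = self.credentials.get(account, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self.account_failures[account] = 0  # success resets the account counter
            return "ok"
        self.account_failures[account] += 1
        self.ip_failures[source_ip] += 1
        return "denied"


def replay(throttle, account, correct, guesses=25):
    """Send wrong guesses, each from a different address, then the correct password."""
    outcomes = [throttle.attempt(account, f"wrong-{i}", f"192.0.2.{i}")
                for i in range(guesses)]
    final = throttle.attempt(account, correct, "192.0.2.200")
    return outcomes.count("denied"), outcomes.count("locked"), final


def compare():
    """Return (denied, locked, final) for three limiter configurations."""
    creds = {"alice": "correct horse"}          # constructed sample account
    configs = {"ip_only": (float("inf"), USABILITY_MIN),
               "per_account_10": (USABILITY_MIN, USABILITY_MIN),
               "per_account_100": (NIST_MAX, USABILITY_MIN)}
    return {name: replay(LoginThrottle(creds, acct, ip), "alice", "correct horse")
            for name, (acct, ip) in configs.items()}


if __name__ == "__main__":
    print(compare())
```

The address-keyed limiter never fires because no single address accumulates failures, while a per-account limit of 100 stays silent for a 25-guess run and only the limit of 10 refuses the final valid attempt.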
