SAuth: Protecting User Accounts from Password Database Leaks

SLIDE 1

SAuth: Protecting User Accounts from Password Database Leaks

Georgios Kontaxis‡, Elias Athanasopoulos‡, Georgios Portokalidis*, Angelos Keromytis‡

‡Columbia University, *Stevens Institute of Technology

SLIDE 2

Authentication recognizes passwords, not users …

SLIDE 3

… and unfortunately passwords get leaked

SLIDE 4

With the stolen password, the attacker impersonates Alice

SLIDE 5

Password leaks happen all the time

  • 2013: Adobe, 150.0 million
  • 2013: Twitter, 250,000 (before being detected and shut down)
  • 2012: LinkedIn, 6.5 million
  • 2011: Sony, 1.0 million
  • 2010: Gawker Media, 1.5 million (domino attack prompted resets on other sites)
  • 2009: RockYou Gaming, 32.0 million

  • May go unnoticed until it’s too late

SLIDE 6

Passwords get cracked all the time

  • Weak passwords

– short, dictionary words, names, patterns, etc.

  • Fast hardware

– Commodity parallel architectures (GPUs)
– Cloud-powered cracking platforms

  • 6 days after the 6.5 million LinkedIn password leak, 90% of them were cracked

SLIDE 7

Enhanced Authentication Today

  • Two-Factor Authentication

– How many tokens/apps can a user handle?

  • Single sign-on services

– Single point of failure
– Relying party gets to find out user identity*
– Privacy issues from coarse-grained data sharing

SLIDE 8

How about Authentication Synergy?

  • Forgot your password?

SLIDE 9

How about Authentication Synergy?

  • User’s Authentication State

SLIDE 10

SAuth: Synergy-based Enhanced Authentication

  • We propose: cooperating sites pool authentication resources

SLIDE 17

SAuth: Synergy-based Enhanced Authentication

  • Password leak on Evernote will protect account access
SLIDE 18

SAuth: Synergy-based Enhanced Authentication

  • Attacker has compromised Alice’s password on Evernote
SLIDE 19

SAuth: Synergy-based Enhanced Authentication

  • Attacker impersonates Alice on Evernote
SLIDE 20

SAuth: Synergy-based Enhanced Authentication

  • Attacker is unable to produce Alice’s Twitter password
SLIDE 21

SAuth: Synergy-based Enhanced Authentication

  • Authentication process fails, Evernote denies access
SLIDE 22

Password Reuse Woes

  • User has 7 passwords, re-uses 5 of them
  • Password shared across 6 sites [Florencio WWW ’07]
SLIDE 23

Decoy Passwords

  • Uncertainty about the actual password
  • Store N-1 decoy passwords alongside it
  • Attack reduced to online guessing
  • All decoys are valid passwords; the server does not know the difference
  • How many decoys?

– 16,384 for NIST L2 security when the password is reused

(Figure: per-user record Username, P[0], P[1], P[…], P[N])
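The synergy login of slides 17 to 21 and the decoy store of slide 23, simulated together as an added example (this is not the authors' SAuth implementation). Site names, the 5-attempt lockout, the 16-entry record, the low PBKDF2 cost and all sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os

class Site:
    """One cooperating site. It stores the real password plus N-1 decoys; every entry
    passes local verification, so the server cannot tell which one is real."""

    def __init__(self, max_attempts=5):
        self.creds = {}      # user -> [(salt, pbkdf2 hash)] for the real password and decoys
        self.failures = {}   # user -> consecutive failed attempts
        self.alarm = set()   # users whose online-guessing cap was hit
        self.max_attempts = max_attempts

    @staticmethod
    def _hash(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 5_000)  # low count: demo only

    def register(self, user, password, decoys):
        salts = [os.urandom(16) for _ in range(len(decoys) + 1)]
        self.creds[user] = [(s, self._hash(p, s)) for p, s in zip([password, *decoys], salts)]

    def verify_local(self, user, pw):
        """True for the real password or any decoy; failures are counted and capped."""
        if self.failures.get(user, 0) >= self.max_attempts:
            self.alarm.add(user)  # the alarm: someone is guessing online against this account
            return False
        if any(hmac.compare_digest(h, self._hash(pw, s)) for s, h in self.creds.get(user, [])):
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False

def sauth_login(site, voucher, user, site_pw, voucher_pw):
    """Synergy: site grants access only if the cooperating voucher site also accepts the user."""
    return site.verify_local(user, site_pw) and voucher.verify_local(user, voucher_pw)

def leak_attack(site, voucher, user, candidates):
    """Attacker with site's cracked record (real + decoys) tries each entry as a reused password."""
    return sum(sauth_login(site, voucher, user, c, c) for c in candidates)

def demo():
    """Constructed scenario: Alice reuses one password on both sites, both store decoys."""
    real = "sunshine2013"
    evernote, twitter = Site(), Site()
    evernote.register("alice", real, [f"sunshine{y}" for y in range(1998, 2013)])
    twitter.register("alice", real, [f"moonlight{y}" for y in range(1998, 2013)])
    alice_ok = sauth_login(evernote, twitter, "alice", real, real)
    leaked = [f"sunshine{y}" for y in range(1998, 2013)] + [real]  # 16 candidates, real one last
    attacker = leak_attack(evernote, twitter, "alice", leaked)
    return {"alice_ok": alice_ok, "attacker_logins": attacker, "alarm": "alice" in twitter.alarm}
```

With 16 indistinguishable entries and a 5-attempt cap, the leak buys the attacker at most a bounded online guess at the vouching site, which is exactly the reduction the slide describes.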

SLIDE 24

Realistic Decoy Passwords

  • User password must blend in with the decoys

– Crackers are already factoring in human behavior
– Complex vs popular passwords
– Ideal: have the user type N passwords, remember 1
– Practical: generation within the password ecosystem

  • Any blind automated method will generate outliers
  • Probabilistic production seeded by the user’s password, biased towards structures of similar popularity and semantics

(Figure: password structure frequencies in the RockYou leak ’09: string-digit 37%, ! 10%, digit-string 05%, $ 03%)
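A structure-preserving decoy generator for the "realistic decoys" idea above, written as an added example rather than the authors' generator. The word and digit vocabularies are constructed stand-ins for the RockYou-derived frequency data the slide relies on, and the structure classes are the ones the slide names.

```python
import re
import secrets

# Constructed sample vocabularies. A deployment would draw them from password
# frequency data such as the RockYou corpus the slide cites, so that decoys share
# the popularity of structures real users pick and do not stand out as outliers.
POPULAR_WORDS = ["sunshine", "princess", "football", "shadow", "monkey", "dragon",
                 "jessica", "michael", "charlie", "summer", "love", "iloveyou"]
POPULAR_DIGITS = ["123", "1234", "12345", "123456", "2009", "2008", "1987", "69", "7", "1"]
rng = secrets.SystemRandom()  # OS randomness; never seed this from the password itself

def structure(pw):
    """Coarse structure classes named on the slide: $ or ! use, string-digit, digit-string."""
    for name, pattern in [("dollar", r".*\$.*"), ("bang", r".*!.*"),
                          ("string-digit", r"[A-Za-z]+\d+"), ("digit-string", r"\d+[A-Za-z]+")]:
        if re.fullmatch(pattern, pw):
            return name
    return "other"

def _replace_run(run):
    """Swap one token for a popular token of the same kind and similar length,
    keeping capitalisation; symbol runs are kept verbatim so the layout survives."""
    if run.isalpha():
        pool = [w for w in POPULAR_WORDS if abs(len(w) - len(run)) <= 2] or POPULAR_WORDS
        word = rng.choice(pool)
        return word.capitalize() if run[0].isupper() else word
    if run.isdigit():
        pool = [d for d in POPULAR_DIGITS if len(d) == len(run)] or POPULAR_DIGITS
        return rng.choice(pool)
    return run

def make_decoy(pw):
    """One decoy mirroring the token layout of pw (word+year stays word+year, etc.)."""
    return "".join(_replace_run(r) for r in re.findall(r"[A-Za-z]+|\d+|[^A-Za-z\d]+", pw))

def decoy_set(pw, n):
    """Stored list for one user: the real password plus n-1 distinct decoys, shuffled
    so that position in the record (the slide's P[0]..P[N]) reveals nothing."""
    decoys, tries = set(), 0
    while len(decoys) < n - 1:
        tries += 1
        if tries > 100 * n:
            raise ValueError("vocabulary too small to produce n-1 distinct decoys")
        candidate = make_decoy(pw)
        if candidate != pw:
            decoys.add(candidate)
    stored = [pw, *decoys]
    rng.shuffle(stored)
    return stored
```

"Seeded by the user's password" has to mean structurally derived, not a deterministic function of it: if the decoys were reproducible from the real password, whoever holds the leaked record could re-run the generator on each of the N entries and keep the one that regenerates the others.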
SLIDE 25

Summary

  • Authentication synergy results in leak-resistant password authentication

– Complements existing security
– Respect for user privacy, verifiable site cooperation
– Minimal changes server-side, no changes client-side

  • Decoys mitigate password reuse habits

– Generated off the user password, considering its context and general human password habits

SLIDE 26

tinyurl.com/sauth

kontaxis@cs.columbia.edu

SLIDE 27

Intentionally left blank

SLIDE 28

Intentionally left blank

SLIDE 29

Unintentionally left blank

SLIDE 30

Honeywords, Kamouflage and SAuth Decoy Passwords

  • Honeywords

– Does not yet consider human password habits
– Honeywords are not valid passwords
– Use of any honeyword will raise an alarm
– Auxiliary honeychecking server

  • Kamouflage password manager

– Considers human password habits
– Master password decoys are all valid
– Online guessing attack should raise an alarm

  • SAuth Decoy Passwords

– Considers human password habits
– Decoy passwords are all valid
– Online guessing attack should raise an alarm