sauth protecting user accounts from password database
play

SAuth: Protecting User Accounts from Password Database Leaks - PowerPoint PPT Presentation

Apr 06, 2024 •134 likes •441 views

SAuth: Protecting User Accounts from Password Database Leaks Georgios Kontaxis , Elias Athanasopoulos Georgios Portokalidis * , Angelos Keromytis Columbia University * Stevens Institute of Technology Authentication recognizes

  1. SAuth: Protecting User Accounts from Password Database Leaks Georgios Kontaxis ‡ , Elias Athanasopoulos ‡ Georgios Portokalidis * , Angelos Keromytis ‡ ‡ Columbia University * Stevens Institute of Technology

  2. Authentication recognizes passwords not users …

  3. … and unfortunately passwords get leaked

  4. With stolen password, Attacker impersonates Alice

  5. Password leaks happen all the time • May go unnoticed until it’s too late 2009 RockYou Gaming 32.0 million 2010 Gawker Media 1.5 million Domino attack prompted resets in other sites 2011 Sony 1.0 million 2012 LinkedIn 6.5 million 2013 Twitter 250.000 Before being detected and shut down 2013 Adobe 150.0 million

  6. Passwords get cracked all the time • Weak passwords – short, dictionary words, names, patterns, etc. • Fast hardware – Commodity parallel architectures (GPUs) – Cloud-powered cracking platforms • 6 days after the 6.5 million LinkedIn password leak, 90% of them were cracked

  7. Enhanced Authentication Today • Two-Factor Authentication – How many tokens/app can a user handle? • Single sign-on services – Single point of failure – Relying party gets to find out user identity* – Privacy issues from coarse-grained data sharing

  8. How about Authentication Synergy? • Forgot your password?

  9. How about Authentication Synergy? • User’s Authentication State

  10. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  11. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  12. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  13. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  14. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  15. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  16. SAuth: Synergy-based Enhanced Authentication • We propose: cooperating sites pool authentication resources

  17. SAuth: Synergy-based Enhanced Authentication • Password leak on Evernote will protect account access

  18. SAuth: Synergy-based Enhanced Authentication • Attacker has compromised Alice’s password on Evernote

  19. SAuth: Synergy-based Enhanced Authentication • Attacker impersonates Alice on Evernote

  20. SAuth: Synergy-based Enhanced Authentication • Attacker is unable to produce Alice’s Twitter password

  21. SAuth: Synergy-based Enhanced Authentication • Authentication process fails, Evernote denies access

  22. Password Reuse Woes • User has 7 passwords, re-uses 5 of them • Password shared across 6 sites [Florencio WWW ’07]

  23. Decoy Passwords • Uncertainty about the actual password • Store N-1 decoy passwords along • Attack reduced to online guessing • All decoys are valid passwords, server does not know the difference Username P[0] P[1] P[…] P[N] • How many decoys? – 16,384 for NIST L2 security when password is reused

  24. Realistic Decoy Passwords • User password must blend-in with the decoys – Crackers are already factoring in human behavior – Complex vs Popular Passwords string-digit 37% digit-string 05% ! 10% $ 03% - RockYou Leak ‘09 – Ideal: have the user type N passwords, remember 1 – Practical: generation within the password ecosystem • Any blind automated method will generate outliers • Probabilistic production seeded by user’s password, biased towards structures of similar popularity and semantics

  25. Summary • Authentication Synergy results in leak-resistant password authentication – Complements existing security – Respect for user privacy, verifiable site cooperation – Minimal changes server-side, no changes client-side • Decoys mitigate password reuse habits – Generated off the user password, consider its context and general human password habits

  26. tinyurl.com/sauth kontaxis@cs.columbia.edu

  27. Intentionally left blank

  28. Intentionally left blank

  29. Unintentionally left blank

  30. Honeywords, Kamouflage and SAuth Decoy Passwords • Honeywords – Does not yet consider human password habits – Honeywords are not valid passwords – Use of any honeyword will raise an alarm – Auxiliary honeychecking server • Kamouflage password manager – Considers human password habits – Master password decoys are all valid – Online guessing attack should raise alarm • SAuth Decoy Passwords – Considers human password habits – Decoy passwords are all valid – Online guessing attack should raise alarm

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 What%is%User%Authen.ca.on? 2 3 User%Authen+ca+on

1 What%is%User%Authen.ca.on? 2 3 User%Authen+ca+on

1 What%is%User%Authen.ca.on? 2 3 User%Authen+ca+on the%process%of%valida1ng%a%users%creden1als%against% what%is%saved%in%the%database Does%the%password%match%what%is%saved%in%the% database?

718 views • 14 slides
User Accounts Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a

User Accounts Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a

User Accounts Even a single-user workstation (Desktop Computer) uses multiple accounts. Such a computer may have just one user account, but several system accounts help keep the computer running. Accounts enable multiple users to share a single

481 views • 11 slides
-: U ser M an ual :- 1. First the office user after receiving their user id and password from

-: U ser M an ual :- 1. First the office user after receiving their user id and password from

-: U ser M an ual :- 1. First the office user after receiving their user id and password from their respective districts must visit www.wbppms.gov.in. 2. In the web portal click on either Get Started or Signin in the upper right

408 views • 9 slides
SAM, GUMS, IDMAP From discussion to reality by Andrew Bartlett & Simo Sorce User Management

SAM, GUMS, IDMAP From discussion to reality by Andrew Bartlett & Simo Sorce User Management

SAM, GUMS, IDMAP From discussion to reality by Andrew Bartlett & Simo Sorce User Management in samba 2.0 Smbpasswd is used mainly for password storage No other password database backend Smbpasswd stores the unix user name and uid

450 views • 17 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
www.healthnet.com Enter your user name and password or Click on Register Now to create a user

www.healthnet.com Enter your user name and password or Click on Register Now to create a user

www.healthnet.com Enter your user name and password or Click on Register Now to create a user name and password if you dont have one Click on County of San Bernardino

162 views • 5 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
Protecting Password Databases using Trusted Hardware Klaudia Krawiecka, Andrew Paverd, N.

Protecting Password Databases using Trusted Hardware Klaudia Krawiecka, Andrew Paverd, N.

Protecting Password Databases using Trusted Hardware Klaudia Krawiecka, Andrew Paverd, N. Asokan Aalto University, Finland This work was supported by the Cloud Security Services (CloSer) project funded by Tekes - the Finnish Funding

351 views • 20 slides
On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019 User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password ,

619 views • 34 slides
Area School District November 6, 2015 HSA Presentation MANAGING YOUR SPENDING ACCOUNTS 2 Log

Area School District November 6, 2015 HSA Presentation MANAGING YOUR SPENDING ACCOUNTS 2 Log

State College Area School District November 6, 2015 HSA Presentation MANAGING YOUR SPENDING ACCOUNTS 2 Log on to highmarkblueshield.com Enter User ID & Password in the Log In box, or For new registrants click Register

486 views • 24 slides
Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University Sweden CryptoParty #9 presentation of 23rd January 2020 What is the problem? How can one solve it? What actually (not) to do? Making it (more)

346 views • 13 slides
Big Data Without a Big Database Kate Matsudaira popforms @katemats Two kinds of data

Big Data Without a Big Database Kate Matsudaira popforms @katemats Two kinds of data

Big Data Without a Big Database Kate Matsudaira popforms @katemats Two kinds of data reference, non- nicknames user, transactional transactional product/offer catalogs user accounts service catalogs

1.98k views • 150 slides
PROTECTING S T H E E YOUR ACCOUNTS IN THE EVENT THAT YOUR BANK FAILS The Fonds de Garantie

PROTECTING S T H E E YOUR ACCOUNTS IN THE EVENT THAT YOUR BANK FAILS The Fonds de Garantie

A C F T 1 PROTECTING S T H E E YOUR ACCOUNTS IN THE EVENT THAT YOUR BANK FAILS The Fonds de Garantie des Dpts et de Rsolution (FGDR) was created by the law of 25 June 1999 to compensate you in the event that your bank or

212 views • 4 slides
myCignaPlans User Guide myCignaplans.com Username: XXXXXXX Password: XXXXXXX Log in with the

myCignaPlans User Guide myCignaplans.com Username: XXXXXXX Password: XXXXXXX Log in with the

myCignaPlans User Guide myCignaplans.com Username: XXXXXXX Password: XXXXXXX Log in with the provided user name and password 2 ACCEPT USER AGREEMENT Scroll down to review and accept the User Agreement Review and click on Accept to

721 views • 25 slides
Screen 1 Go to www.myenroll.com < Click Request User ID and Password> Acquire USER ID and

Screen 1 Go to www.myenroll.com < Click Request User ID and Password> Acquire USER ID and

Acquire USER ID and Password Screen 1 Go to www.myenroll.com < Click Request User ID and Password> Acquire USER ID and Password Screen 2 < Click No and then click continue> Acquire USER ID and Password Screen 3 < Click Request User ID

508 views • 11 slides
Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked Can detect, reject bad passwords for an appropriate definition of bad Discriminate on per-user, per-site basis Needs to do

363 views • 21 slides
A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks

A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks

A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks Bauhaus-Universitt Weimar www.webis.de NDSS 2017, February 27 th 2017 Mnemonic Password Creation Password: Show password Random

684 views • 17 slides
DISTRIBUTED AND PARALLEL SYSTEMS Grid Technologies - Practical Lab Lab 03 - Schedule 2

DISTRIBUTED AND PARALLEL SYSTEMS Grid Technologies - Practical Lab Lab 03 - Schedule 2

1 SELECTED TOPICS IN DISTRIBUTED AND PARALLEL SYSTEMS Grid Technologies - Practical Lab Lab 03 - Schedule 2 Create new certificates requests Discussion of Homework 01 Material required for next Assignment MyProxy Java CoG

315 views • 12 slides
PGP, Pretty Good Privacy General Created 1991 by Philip Zimmerman (a former political

PGP, Pretty Good Privacy General Created 1991 by Philip Zimmerman (a former political

PGP, Pretty Good Privacy General Created 1991 by Philip Zimmerman (a former political activist irritated by restricting freedom of using encryptation) Uses IDEA, a symmetric very strong cryptoalgorithm, to encrypt data. RSA is

558 views • 16 slides
UL HPC School 2017 PS1: Getting Started on the UL HPC platform UL High Performance Computing

UL HPC School 2017 PS1: Getting Started on the UL HPC platform UL High Performance Computing

UL HPC School 2017 PS1: Getting Started on the UL HPC platform UL High Performance Computing (HPC) Team C. Parisot University of Luxembourg (UL), Luxembourg http://hpc.uni.lu C. Parisot (University of Luxembourg) UL HPC School 2017 1 / 22

1.3k views • 52 slides
CMSC 818D Spring 2015 Course Overview Michelle Mazurek With some slides adapted from Lorrie

CMSC 818D Spring 2015 Course Overview Michelle Mazurek With some slides adapted from Lorrie

CMSC 818D Spring 2015 Course Overview Michelle Mazurek With some slides adapted from Lorrie Cranor 1 and Blase Ur Todays class Introducing me Introducing you Human Factors for Security and Privacy? Overview of course

715 views • 44 slides
Designated Teacher Briefing March 2018 Updates: DfE Ofsted Virtual School New Guidance issued

Designated Teacher Briefing March 2018 Updates: DfE Ofsted Virtual School New Guidance issued

Virtual School Designated Teacher Briefing March 2018 Updates: DfE Ofsted Virtual School New Guidance issued Revised Statutory Guidance- February 2018 Sections 1 to 7 of the Children and Social Work Act 2017 made changes to the

1.51k views • 96 slides
Eur uropean opean Le Lever eraged ged Finance Finance Associa ociation ion

Eur uropean opean Le Lever eraged ged Finance Finance Associa ociation ion

Eur uropean opean Le Lever eraged ged Finance Finance Associa ociation ion European Leveraged Finance Association (ELFA) ELFA is a newly formed, independent

578 views • 5 slides
- Final Year Strategy School of Computer Science Deborah Till Careers Adviser Learning

- Final Year Strategy School of Computer Science Deborah Till Careers Adviser Learning

- Final Year Strategy School of Computer Science Deborah Till Careers Adviser Learning Outcomes: By the end of the session, students will be able to: understand what jobs graduates in their subject do understand how they can start

470 views • 21 slides

More recommend