THE TANGLED WEB OF PASSWORD REUSE DAS, BONNEAU, CAESAR, BORISOV, - - PowerPoint PPT Presentation

SLIDE 1

THE TANGLED WEB OF PASSWORD REUSE

DAS, BONNEAU, CAESAR, BORISOV, AND WANG PRESENTED BY: CODY FRENZEL AND JP WHEELER

SLIDE 2

INTRODUCTION

  • Easy-to-guess passwords undermine security
  • Many online services offer password composition policies and meters
  • Reasons to be concerned about password reuse:
    • Large influx of new users
    • Increase in the number of sites requiring credentials
    • Recent high-profile leaks make the concern about cross-site password reuse more pressing

SLIDE 3

KEY CONTRIBUTIONS

  • Empirical estimate of the rate of direct password reuse by the same user across different websites, based on the largest data set yet collected
  • Analysis of non-identical passwords from the same users across different online accounts
  • Survey to understand users' behavior in password construction across different online accounts
  • A cross-site guessing algorithm which uses a leaked password at one site to produce guesses for passwords potentially used at other sites by the same user

SLIDE 4

PASSWORD COMPOSITION POLICY

  • The hardest passwords to crack are random character strings, but such passwords are considered too complex to remember
  • Common password composition policies:
    • Password must not contain the user's name
    • At least n characters long
    • Password must contain characters from two or more of these categories:
      • Uppercase characters
      • Lowercase characters
      • Digits
      • Symbols
  • Increasing complexity of policies leads to password fatigue
SLIDE 5

RELATED WORK

  • Narayanan and Shmatikov developed an improved dictionary attack that uses a training set to obtain probabilities of candidate substrings
  • Florencio et al. monitored the password habits of half a million users. Their study found that the average user has 6.5 distinct passwords, each shared across 3.9 different sites
  • Zhang et al. looked at how users modified their passwords when forced to change them. They created a generic algorithm that could guess future passwords
  • There has also been research on defending against cross-site password attacks by deploying password management tools like PwdHash

SLIDE 6

OUR DATASET

  • Only used leaked sets that contain both username and password
  • 6077 unique users with at least two leaked passwords
SLIDE 7

PASSWORD SIMILARITY

  • Distance-like functions:
    • Edit-distance-like functions
    • Token-based distance functions
    • Alignment-like functions
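To make the three families concrete, here is an added example (not code from the paper or from the presenters) with one representative measure per family, plus a plain positional (Hamming-style) score for comparison. Every function maps a password pair to a similarity in [0, 1], where 1.0 means identical. The choice of Levenshtein, bigram Jaccard and an LCS ratio as the representatives is mine; SAMPLE_PAIRS is constructed for illustration and is not taken from any leak.

```python
"""Password-pair similarity measures, one per family listed on the slide.

Added example, not the paper's code. The representatives chosen here are
assumptions: Levenshtein for edit-distance-like, Jaccard over character
bigrams for token-based, and a longest-common-subsequence ratio for
alignment-like. SAMPLE_PAIRS is constructed, not drawn from leaked data.
"""


def positional_similarity(a: str, b: str) -> float:
    """Hamming-style: fraction of positions holding the same character;
    positions beyond the shorter string count as mismatches."""
    longest = max(len(a), len(b))
    if longest == 0:
        return 1.0
    return sum(1 for x, y in zip(a, b) if x == y) / longest


def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest insertions, deletions and substitutions
    turning a into b (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def edit_similarity(a: str, b: str) -> float:
    """Edit-distance-like: 1 - Levenshtein distance normalised by the longer length."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def char_ngrams(s: str, n: int = 2) -> set:
    """Set of character n-grams; a string shorter than n is its own token."""
    return {s[i:i + n] for i in range(len(s) - n + 1)} if len(s) >= n else {s}


def token_similarity(a: str, b: str, n: int = 2) -> float:
    """Token-based: Jaccard index over character bigrams. Order-insensitive,
    so moving a block of characters barely changes the score."""
    ta, tb = char_ngrams(a, n), char_ngrams(b, n)
    union = ta | tb
    return 1.0 if not union else len(ta & tb) / len(union)


def lcs_length(a: str, b: str) -> int:
    """Length of the longest common subsequence (in-order characters, gaps allowed)."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def alignment_similarity(a: str, b: str) -> float:
    """Alignment-like: 2*LCS / (len(a)+len(b)); rewards shared material even
    when characters have been inserted between the shared parts."""
    total = len(a) + len(b)
    return 1.0 if total == 0 else 2 * lcs_length(a, b) / total


def compare(a: str, b: str) -> dict:
    """All four scores for one pair, keyed by family."""
    return {
        "positional": positional_similarity(a, b),
        "edit": edit_similarity(a, b),
        "token": token_similarity(a, b),
        "alignment": alignment_similarity(a, b),
    }


# Constructed pairs: a suffix, a leet substitution, and a full reversal.
SAMPLE_PAIRS = [("password", "password1"), ("password", "passw0rd"), ("password", "drowssap")]

if __name__ == "__main__":
    for a, b in SAMPLE_PAIRS:
        print(f"{a} vs {b}: {({k: round(v, 3) for k, v in compare(a, b).items()})}")
```

The reversed pair is the instructive one: the positional and edit scores collapse, the bigram Jaccard drops to 1/13 because reversing flips almost every bigram, and only a measure that tolerates reordering would flag the pair as related, which is why the paper looks at several families rather than a single distance.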
SLIDE 8

PASSWORD SIMILARITY ACROSS DIFFERENT SITES

SLIDE 9

SURVEY

  • The survey was designed to gain insight into users' behavior and thought processes when creating passwords for different websites
  • 224 responses from students and professional staff at various universities

SLIDE 10

SURVEY

SLIDE 11

PROMINENT TRANSFORMATIONS

  • Examined 40% of leaked passwords
  • We found many interesting transformation rules, such as adding a few random extra characters or adding emoticons
  • Our algorithm does not incorporate the interesting rules, in order to preserve simplicity

SLIDE 12

GUESSING ALGORITHM

  • Given a user's password for a particular site, our algorithm should determine the user's password for other sites in a low number of guesses
  • Our algorithm consists of several phases executed in a given order until the desired password is found
SLIDE 13

OUR ALGORITHM

  • Character sequence
    • Attempts to find known pattern sequences
    • After finding a pattern we apply the corresponding transformation sequentially
  • Deletions
    • The guesser tries deletion transformations iteratively from the following set: {Digit, Symbol, Uppercase letter, Lowercase letter}

SLIDE 14

OUR ALGORITHM

  • Insertions
    • Inserting numbers or symbols at the front or end
    • Limited to up to two insertions
  • Capitalizations
    • Capitalizes all letters, then the front, then the back, then combinations of both
  • Reversals
    • The transformation simply reverses the input password

SLIDE 15

OUR ALGORITHM

  • Leet-speak
    • Tries the popular leet transformations
  • Substring movement
    • Splits the input into substrings, where the delimiter character belongs to the set {Digit, Symbol, Uppercase letter}, and moves the substrings around
  • Subword modification
    • Finds subwords and capitalizes the first letter of each

SLIDE 16

EVALUATING ALGORITHM

  • Evaluate our guesser in terms of the number of guesses required to crack the target password
  • Only analyzed non-identical password pairs
  • Compare our approach to three competitors:
    • RockYou guesser
    • Edit Distance guesser
    • John the Ripper
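The following is an added worked example of the phased guesser described on slides 12 to 15 together with the guess-count evaluation of slide 16. It is not the paper's implementation: the phase order follows the slides, but every phase body is my own simplification. In particular, the insertion phase is capped to a short constructed list of two-character affixes (COMMON_PAIRS) so that the later phases still fall inside a 100-guess budget, the "known pattern" phase is reduced to continuing a trailing number, and subwords are approximated by maximal letter runs rather than dictionary words. SAMPLE_PAIRS is constructed for illustration and is not drawn from any leaked data set.

```python
"""Cross-site password guesser in the style of slides 12-16 (added example).

Not the paper's code: phase order follows the slides, the phase bodies,
COMMON_PAIRS and SAMPLE_PAIRS are my own assumptions and constructions.
"""
import re
from itertools import permutations

DIGITS = "0123456789"
SYMBOLS = "!@#$"
COMMON_PAIRS = ["12", "11", "00", "01", "22", "99", "69", "13", "!!", "!1", "1!", "#1"]  # assumed list
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}
CLASSES = [r"[0-9]", r"[^A-Za-z0-9]", r"[A-Z]", r"[a-z]"]  # digit, symbol, upper, lower


def _runs(pw):
    """Maximal runs of one character class: 'qwerty123' -> ['qwerty', '123']."""
    return re.findall(r"[a-z]+|[A-Z]+|[0-9]+|[^A-Za-z0-9]+", pw)


def _sequence_phase(pw):
    """Known pattern (simplified): continue a trailing number by one."""
    m = re.search(r"(\d+)$", pw)
    if m:
        num = m.group(1)
        yield pw[: m.start()] + str(int(num) + 1).zfill(len(num))


def _deletion_phase(pw):
    """Per class: strip a trailing run, strip a leading run, drop every occurrence."""
    for cls in CLASSES:
        yield re.sub(cls + r"+$", "", pw)
        yield re.sub(r"^" + cls + r"+", "", pw)
        yield re.sub(cls, "", pw)


def _insertion_phase(pw):
    """Single digit/symbol at the end, then the front, then two-character affixes."""
    for c in DIGITS + SYMBOLS:
        yield pw + c
    for c in DIGITS + SYMBOLS:
        yield c + pw
    for pair in COMMON_PAIRS:
        yield pw + pair
    for pair in COMMON_PAIRS:
        yield pair + pw


def _capitalization_phase(pw):
    """All letters, then the first, then the last, then first and last."""
    yield pw.upper()
    yield pw[:1].upper() + pw[1:]
    yield pw[:-1] + pw[-1:].upper()
    if len(pw) > 1:
        yield pw[:1].upper() + pw[1:-1] + pw[-1:].upper()


def _reversal_phase(pw):
    yield pw[::-1]


def _leet_phase(pw):
    """Each popular substitution on its own, then all of them at once."""
    for src, dst in LEET.items():
        yield pw.replace(src, dst)
    full = pw
    for src, dst in LEET.items():
        full = full.replace(src, dst)
    yield full


def _substring_movement_phase(pw):
    """Reorder the runs delimited by digits, symbols or uppercase letters."""
    runs = _runs(pw)
    if 1 < len(runs) <= 4:  # bound the permutation blow-up
        for perm in permutations(runs):
            yield "".join(perm)


def _subword_phase(pw):
    """Capitalise the first letter of each letter run (stand-in for subwords)."""
    yield "".join(r[0].upper() + r[1:] if r.isalpha() else r for r in _runs(pw))


PHASES = [_sequence_phase, _deletion_phase, _insertion_phase, _capitalization_phase,
          _reversal_phase, _leet_phase, _substring_movement_phase, _subword_phase]


def cross_site_guesses(leaked):
    """Yield distinct candidates for the user's password on another site, in phase order."""
    seen = {leaked}  # the pairs under study are non-identical, so never re-guess the leak
    for phase in PHASES:
        for guess in phase(leaked):
            if guess and guess not in seen:
                seen.add(guess)
                yield guess


def guesses_to_crack(leaked, target, limit=100):
    """1-based index of the guess equal to target, or None if not found within limit."""
    for n, guess in enumerate(cross_site_guesses(leaked), 1):
        if n > limit:
            return None
        if guess == target:
            return n
    return None


def evaluate(pairs, budgets=(10, 100)):
    """Fraction of (leaked, target) pairs cracked within each guess budget."""
    return {b: sum(guesses_to_crack(x, y, b) is not None for x, y in pairs) / len(pairs)
            for b in budgets}


SAMPLE_PAIRS = [  # constructed (leaked, other-site) pairs, all non-identical
    ("password", "password1"), ("summer2013", "summer2014"), ("hunter2", "Hunter2"),
    ("letmein", "l37m31n"), ("qwerty123", "123qwerty"), ("dragon", "nogard"),
    ("iloveyou", "correcthorse"),
]

if __name__ == "__main__":
    for leaked, target in SAMPLE_PAIRS:
        print(f"{leaked:>11} -> {target:<13} guesses: {guesses_to_crack(leaked, target)}")
    print(evaluate(SAMPLE_PAIRS))
```

Phase order is what decides the guess count, and that is the lever a real guesser tunes: the cheap, high-yield phases (continuing a number, adding one character) come first, so those pairs fall inside ten guesses, while a capitalised or reversed target only surfaces after the whole insertion phase has been spent. The unrelated last pair is there to show that the evaluation counts a miss as a miss rather than silently dropping it.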
SLIDE 17

EVALUATING ALGORITHM

SLIDE 18

CONCLUSION

  • Limitations
    • Text-based
    • Simple guessing scheme
  • Countermeasures
  • We found that 43% of users re-use passwords, confirming the suspicion that this is a significant security vulnerability
  • Many users introduce small modifications to their passwords, and many users share the same method of modification
  • The prototype guessing algorithm can crack 10% of non-identical passwords in fewer than 10 attempts
  • In fewer than 100 attempts the algorithm can crack 30% of such pairs

SLIDE 19

QUESTIONS