user authentication on the web
play

User authentication on the web Joseph Bonneau jcb82@cl.cam.ac.uk - PowerPoint PPT Presentation

May 08, 2023 •569 likes •1.11k views

User authentication on the web Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory SOCIALNETS workshop November 18, 2010 J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 1 / 10 Looming authentication challenges The old world 1

  1. User authentication on the web Joseph Bonneau jcb82@cl.cam.ac.uk Computer Laboratory SOCIALNETS workshop November 18, 2010 J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 1 / 10

  2. Looming authentication challenges The old world 1 The emerging world 2 J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 1 / 10

  3. WEIS 2010: Large study of password deployments “Identity” websites J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 2 / 10

  4. WEIS 2010: Large study of password deployments “E-Commerce” websites J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 2 / 10

  5. WEIS 2010: Large study of password deployments “Content” websites J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 2 / 10

  6. WEIS 2010: Large study of password deployments Mozilla Firefox v 3.5.8 with: Autofill Forms 0.9.5.2 CipherFox 2.3.0 Cookie Monster 0.98.0 DOM Inspector 2.0.4 Greasemonkey 0.8.20100211.5 Screengrab 0.96.2 Tamper Data 11.0.1 J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 2 / 10

  7. WEIS 2010: Large study of password deployments feature scoring enrolment Password selection advice given + 1 pt Minimum password length required + 1 pt Dictionary words prohibited + 1 pt Numbers or symbols required + 1 pt User list protected from probing + 1 pt Cleartext password sent in email after enrolment − 1 pt login Password hashed in-browser before POST + 1 pt Limits placed on password guessing + 1 pt User list protected from probing + 1 pt Federated identity login accepted + 1 pt password update Password re-entry required to authorise update + 1 pt Notification email sent after password reset + 1 pt password recovery Password update required after recovery + 1 pt Cleartext password sent in email upon request − 1 pt User list protected from probing + 1 pt encryption Full TLS for all password submission + 2 pts POST only TLS for password submission + 1 pt J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 2 / 10

  8. The realities of web authentication 1 . 0 0 . 8 Proportion of sites collecting passwords 0 . 6 0 . 4 0 . 2 0 . 0 0 100 200 300 400 500 Traffic rank Frequency of password collection J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 2 / 10

  9. The realities of web authentication ∼ all websites collect email address as username ∼ all websites use email for password reset ∼ all websites use persistent login cookies by default J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 3 / 10

  10. Many schoolbook errors are quite common 29-50% of sites store passwords in the clear J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 4 / 10

  11. Many schoolbook errors are quite common RockYou SQL injection hack January 2010 J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 4 / 10

  12. Many schoolbook errors are quite common countermeasure I E C Tot. CAPTCHA 11 2 1 14 timeout 2 1 2 5 reset 1 3 1 5 none 37 43 46 126 Many websites allow unlimited brute-force guessing J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 4 / 10

  13. Many schoolbook errors are quite common Ask User probing is rarely prevented J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 4 / 10

  14. Many schoolbook errors are quite common interface I E C Tot. enrolment 4 1 1 6 login 43 41 38 132 reset 11 7 2 20 all 1 1 0 2 User probing is rarely prevented J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 4 / 10

  15. Many schoolbook errors are quite common 40 35 30 µ α marginal guesswork ˜ 25 Password [RockYou] Password [Klein] 20 Password [Spafford] Password [Schneier] 15 10 5 0 0 . 0 0 . 2 0 . 4 0 . 6 0 . 8 1 . 0 success rate α J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 4 / 10

  16. Many schoolbook errors are quite common TLS Deployment I E C Tot. Full 10 39 10 59 Full/POST 3 1 1 5 Inconsistent 14 6 5 25 None 23 4 34 61 TLS deployment remains uneven, poorly done J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 4 / 10

  17. Many schoolbook errors are quite common Firesheep J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 4 / 10

  18. Security policies vary far more than requirements JCPenney Gamespot The Golf World $ Buy.com $ Mixx Wikipedia Godmail Legend Wordpress Wash. Post Cafe Press $ AliBaba $ Identity site TLS deployed, 6 char. min. password, emailed reset links, no password advice, guessing restrictions in place, email addresses verified Fairfax Dig. Digg E-commerce site Deviant Art $ W. S. Journal Craigslist Hushmail LinkedIn Content site No TLS, 6 char. min. password, personal knowledge questions for reset, no password advice, no guessing or user probing restrictions, email addresses verified Payment $ On The Snow ZZ Network TigerDirect $ rediff Cluster of sites Topix Times of India Ass. Cont. Twitter TLS deployed, 6 char. min. password, emailed reset links, no password advice, no guessing or user probing restrictions, email addresses not verified Bill O’Reilly Chicago Trib. CNET Bloomberg Reuters $ Houston Chron. CNN Press-Telegram Bath & Body W. LA Times SJ Mercury News Horchow $ Times Online Best Buy $ IKEA NewEgg Dallas M. N. Miami.com The Economist $ Ft. Worth S.-T. A. & Fitch Build-A-Bear W. MySpace Fin. Times $ Orlando Sent. Anthropologie $ Sears $ LiveJournal $ DVD Empire New York Post Costco $ $ Weather Und. Post-Tribune Frederick’s $ Sephora $ Google $ Seattle Weekly Eddie Bauer Home Depot $ Amazon $ Ebay $ ShopBop Blick Weather Channel Hermes $ Sus. Bus. efollet.com Overstock $ Facebook $ Shoplet Two Peas in a B. Oriental Trad. Target $ Yahoo! Lucky Vitamin Art Beads REI $ Spiegel $ 3Dup Rand McNally Things Rem. CNBC Sierra T. P. $ Zappos! $ MS Live Bodybuilding $ Gawab Walmart $ aNobii Plaxo CBS Sports hi5 ResearchGate Swiss Mail Reddit Sonico Wasabi No TLS, no password requirements or advice, emailed temp. passwords for reset, no password advice, no guessing or user probing restrictions, email addresses verified SF Chronicle Forbes Lincoln J. S. Gap $ Barnes & Noble $ IMDB Florida-Times U. TCPalm NY Times PhillyBurbs Indian Express Milwaukee J. S. Ticket Web $ TicketMaster $ The Guardian The Drum The Courier-J. Football Fan. CD Wow SoftHome Last.fm The Tennessean Xanga ESPN AOL Children’s Place $ Fertility Fr. The Pirate Bay LiveMocha Truthdig StumbleUpon Mail.com No TLS, no password requirements, cleartext passwords emailed, no guessing or user probing restrictions, email addresses verified Nashv. Scene eBooks Ask Jeeves Mail2World EmailAccount Topeka C.-J. Canada.com philly.com Macy’s USA Today $ PhotoBucket $ TalkBizNow Sac. Bee Victoria’s S. $ Huff. Post 0 1 2 3 4 5 6 7 8 9 10 score J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 5 / 10

  19. More popular sites do better 10 password score page views per million 0 1E-2 1E-1 1E+0 1E+1 1E+2 1E+3 1E+4 1E+5 E-commerce News/Customization User interaction J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 6 / 10

  20. Economic failures Bad websites can do real damage to good ones Password insecurity is a negative externality Password over-collection is a tragedy of the commons J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 7 / 10

  21. Economic failures Bad websites can do real damage to good ones Password insecurity is a negative externality Password over-collection is a tragedy of the commons J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 7 / 10

  22. Economic failures Bad websites can do real damage to good ones Password insecurity is a negative externality Password over-collection is a tragedy of the commons J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 7 / 10

  23. Looming authentication challenges The old world 1 The emerging world 2 J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 7 / 10

  24. OpenID—Single sign-on R Relying party (www.example.com) P OpenID Provider (Facebook, Google, etc.) U E End user (a human) U A User agent (a browser) U E − → R I’m U @ P ! J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 8 / 10

  25. OpenID—Single sign-on J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 8 / 10

  26. OpenID—Single sign-on R Relying party (www.example.com) P OpenID Provider (Facebook, Google, etc.) U E End user (a human) U A User agent (a browser) U E − → R I’m U @ P ! R ← → P K R-P , n ← D-H key exchange J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 8 / 10

  27. OpenID—Single sign-on R Relying party (www.example.com) P OpenID Provider (Facebook, Google, etc.) U E End user (a human) U A User agent (a browser) U E − → R I’m U @ P ! R ← → P K R-P , n ← D-H key exchange U E ← − R OK, go verify with P ( HTTP 302 ) U E − → P I want to talk to R , who you share n with J. Bonneau (U. of Cambridge) SOCIALNETS November 18, 2010 8 / 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR

Django User Authentication OVERVIEW OF USER AUTHENTICATION Anthony Alampi OWNER, X FACTOR CONSULTANTS www.XFactorConsultants.com User Authentication (Auth) The methods by which a web app verifies the identity of a user and limits their

334 views • 8 slides
Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01

Information Security Identification and authentication Advanced User Authentication I 2019-02-01 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

573 views • 32 slides
Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02

Information Security Identification and authentication Advanced User Authentication I 2018-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

568 views • 41 slides
Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26

Information Security Identification and authentication Advanced User Authentication I 2016-01-26 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for this part of the course Background Statistics in user authentication Biometric systems

865 views • 40 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2016-01-29 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

683 views • 44 slides
Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II

Information Security Identification and authentication Advanced User Authentication II 2019-02-08 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background Authentication eID

1.19k views • 102 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III

Information Security Identification and authentication Advanced User Authentication III 2016-02-02 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture II within this part of the course Background Statistics Statistics in user

1.49k views • 70 slides
User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau

User authentication on the web Joseph Bonneau Computer Laboratory Part II Security lecture 2012 J. Bonneau (U. of Cambridge) User authentication on the web February 22, 2012 1 / 41

1.72k views • 132 slides
Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III

Information Security Identification and authentication Advanced User Authentication II and III (somewhat abbreviated ) 2018-02-09 Amund Hunstad Guest Lecturer, amund@foi.se Agenda for lecture I within this part of the course Background

1.24k views • 106 slides
User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens

ITS335 User Authentication Authentication Passwords User Authentication Storing Passwords Selecting Passwords ITS335: IT Security Tokens Biometrics Sirindhorn International Institute of Technology Summary Thammasat University Prepared

663 views • 40 slides
TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication After the Handshake The user navigates to the sites landing page, no client authentication required. Eventually, the user requests a

69 views • 6 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

471 views • 21 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
SOCIAL ENGINEERING - HOW NOT TO BE A VICTIM! BHUSHAN GUPTA GUPTA CONSULTING, LLC.

SOCIAL ENGINEERING - HOW NOT TO BE A VICTIM! BHUSHAN GUPTA GUPTA CONSULTING, LLC.

SOCIAL ENGINEERING - HOW NOT TO BE A VICTIM! BHUSHAN GUPTA GUPTA CONSULTING, LLC. WWW.BGUPTA.COM WHAT IS YOUR PASSWORD? Jimmy Kimmel Live @Gupta Consulting, LLC. www.bgupta.com 2 JIMMY KIMMEL LIVE - OBSERVATIONS Most Common Password

965 views • 62 slides
OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org>

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org>

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org> Fosdem 2020, Brussels Historical setup some OpenBSD mail servers Postfix + Apache SpamAssassin + Amavisd-new + Courier Imap no shared

310 views • 20 slides
Your Health is Worth A Shot Arpita Jindani Program Manager Immunization Initiative Partnership

Your Health is Worth A Shot Arpita Jindani Program Manager Immunization Initiative Partnership

Your Health is Worth A Shot Arpita Jindani Program Manager Immunization Initiative Partnership for Maternal and Child of Northern New Jersey by by Demographic Target Tweens and adolescents have low awareness regarding the need for

434 views • 17 slides
Problem Analysis Session SWERC judges November 30, 2017 SWERC judges Problem Analysis Session

Problem Analysis Session SWERC judges November 30, 2017 SWERC judges Problem Analysis Session

Problem Analysis Session SWERC judges November 30, 2017 SWERC judges Problem Analysis Session November 30, 2017 1 / 31 A - Cakey McCakeFace SWERC judges Problem Analysis Session November 30, 2017 2 / 31 A - Cakey McCakeFace Algorithm

510 views • 31 slides
Chan Joshi UCLA Making Big Science Small : Moving Toward a TeV Accelerator Using Plasmas Work

Chan Joshi UCLA Making Big Science Small : Moving Toward a TeV Accelerator Using Plasmas Work

Electron Acceleration in a Plasma Wakefield Accelerator E200 Collaboration @ FACET, SLAC Chan Joshi UCLA Making Big Science Small : Moving Toward a TeV Accelerator Using Plasmas Work Supported by DOE Compact and Cheaper High-Energy Colliders

389 views • 19 slides
What does it take to do reproducible computational science? What stands in our way? Bill

What does it take to do reproducible computational science? What stands in our way? Bill

December 10, 2012 What does it take to do reproducible computational science? What stands in our way? Bill Rider Computational Shock and Multiphysics, Department Sandia Na5onal Laboratories Sandia

838 views • 49 slides
Learning to Navigate at City Scale Raia Hadsell Senior Research Scientist [BBH Brazil for

Learning to Navigate at City Scale Raia Hadsell Senior Research Scientist [BBH Brazil for

Learning to Navigate at City Scale Raia Hadsell Senior Research Scientist [BBH Brazil for Renault / Art: Pedro Utzeri] Navigation Where am I going? Where am I? Where did I start? How distant is A from B? What is the shortest path from A

462 views • 34 slides
Herodotus and the Persian Wars Herodotus and the Persian Wars Herodotus is the first true

Herodotus and the Persian Wars Herodotus and the Persian Wars Herodotus is the first true

Herodotus and the Persian Wars Herodotus and the Persian Wars Herodotus is the first true historian known in Western Civilization he lived during the Classical Age of Greece (the fifth century BCE) Herodotus and the Persian Wars

439 views • 28 slides

More recommend