WILL ANY PASSWORD DO? EXPLORING RATE-LIMITING ON THE WEB (WAY’18), PowerPoint PPT Presentation

slide-1
SLIDE 1

WILL ANY PASSWORD DO? EXPLORING RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

RUHR-UNIVERSITÄT BOCHUM

slide-2
SLIDE 2

2

MOTIVATION

Password rules

  • at least 8 characters
  • upper case, lower case, numbers, special characters
  • change once a month
  • do not reuse
  • not more than 8 characters

Rate-limiting

  “… the verifier shall limit attempts on a single account to no more than 100.” (NIST Special Publication 800-63B)

Research Question

  Do real-world websites take appropriate measures to prevent unauthorized accesses to their users’ accounts?

slide-3
SLIDE 3

3

STUDY PROCEDURE


Final valid attempt

  • Correct credentials
  • From same Tor session

Tor network

  • Hide identity
  • Circumvent IP blocking

Number of attempts

  • Usability: min. 10
  • NIST: max. 100
  • First impression
  • No resource wasting

slide-4
SLIDE 4

4

WEBSITES

Existing Accounts

  • History & Value

Don’t be evil

  • Our own accounts


slide-5
SLIDE 5

5

PASSWORDS


Manual Verification

  • “8 or more characters”
  • “12345678” not allowed

Composition Policies

  • Remove non-compliant passwords
  • Bad practice still in use

Baseline

  • Pwned Passwords v2
  • 500 million breached passwords
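Slide 5 uses Pwned Passwords v2 as the baseline and applies a minimal policy by hand (“8 or more characters”, “12345678” not allowed). The following Python is an added example, not the study's tooling: it screens a candidate password the way a registration form should, with a length check and a breach-corpus lookup using the k-anonymity range protocol that Pwned Passwords offers (only the first five hex characters of the SHA-1 leave the client; the suffix match happens locally). The breach corpus, its counts and the `simulated_range_lookup` function are constructed so that the block runs offline; `MIN_LENGTH`, `pwned_count` and `evaluate_password` are this example's own names.

```python
"""Password screening: minimum length plus a breach-corpus lookup using the
k-anonymity range protocol of Pwned Passwords (5-hex-char SHA-1 prefix out,
suffix list back, matching done locally). Added example, not the study's code."""
import hashlib
from typing import Callable, Dict, List, Tuple

MIN_LENGTH = 8  # "8 or more characters" (slide 5)

# Constructed stand-in for the Pwned Passwords v2 corpus; the counts are invented.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "12345678": 2_900_000,
    "password": 3_700_000,
    "letmein123": 45_000,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def simulated_range_lookup(prefix: str) -> List[str]:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>, which
    returns 'SUFFIX:COUNT' lines for every corpus hash starting with prefix.
    Built from CONSTRUCTED_BREACHED so the example runs offline."""
    return [f"{sha1_hex(pw)[5:]}:{count}"
            for pw, count in CONSTRUCTED_BREACHED.items()
            if sha1_hex(pw).startswith(prefix)]


def pwned_count(password: str, range_lookup: Callable[[str], List[str]]) -> int:
    """How often the password occurs in the corpus (0 if never). Only the
    5-character prefix is sent; the full hash never leaves the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str,
                      range_lookup: Callable[[str], List[str]] = simulated_range_lookup
                      ) -> Tuple[bool, str]:
    """Accept/reject decision with a reason, as a registration form would apply it."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    n = pwned_count(password, range_lookup)
    if n > 0:
        return False, f"found {n} times in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("1234567", "12345678", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate))
```

Swapping `simulated_range_lookup` for a function that performs the real HTTPS request keeps `pwned_count` unchanged, since the range protocol's response format is exactly what the stand-in produces.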

slide-6
SLIDE 6

6

RESULTS OVERVIEW

Alexa  Service    Guesses  Time (Min.)  2nd Step    Notification
1      Google     25       10
3      Facebook   25       4
7      Yahoo      25       5            Email Code  Suspicious
12     Twitter    25       4            Phone No.   Sign-in, Suspicious
30     Netflix    25       7
84     Amazon     25       15           Email Code
89     Dropbox    25       19                       Sign-in
285    IKEA       7        2                        Account Locked
664    Grammarly  13       6
992    Plex       25       7
1220   Uber       25       9            SMS Code
4333   Trainline  25       3

(The original table also has Login, CAPTCHA, Lockout and Blocking columns; their marks, rendered as “•” in this transcript, could not be assigned to a column.)

slide-7
SLIDE 7

7

RESULTS OVERVIEW

(Results table as on slide 6.)

slide-8
SLIDE 8

8

RESULTS OVERVIEW

(Results table as on slide 6.)

slide-9
SLIDE 9

9

ACCOUNT LOCKOUT

(Results table as on slide 6.)

slide-10
SLIDE 10

10

ACCOUNT LOCKOUT

(Results table as on slide 6.)

slide-11
SLIDE 11

11

SUCCESSFUL LOGIN

(Results table as on slide 6.)

slide-12
SLIDE 12

12

SUCCESSFUL LOGIN

(Results table as on slide 6.)

slide-13
SLIDE 13

13

BLOCKING

(Results table as on slide 6.)

slide-14
SLIDE 14

14

BLOCKING

(Results table as on slide 6.)

slide-15
SLIDE 15

15

CAPTCHA

(Results table as on slide 6.)

slide-16
SLIDE 16

16

NOTIFICATIONS

(Results table as on slide 6.)

slide-17
SLIDE 17

17

TAKEAWAY

No rate-limiting detected

  • No protection on provider side
  • Leaves account security solely to users
  • Not recommendable

Trade-off usability

  • Smaller websites lock down accounts
  • Requires user effort to regain access

Combine mechanisms

  • Large services take most effort
  • CAPTCHA, Blocking, multiple steps, security notifications
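To make the takeaway concrete, here is an added Python example (not code from the authors) of a per-account throttle that combines the mechanisms in the results table: a CAPTCHA demand after a few failures, a temporary lockout that expires on its own, a security notification, and the NIST SP 800-63B cap of 100 failed attempts per account. It counts per account rather than per source IP, because slide 3 shows that IP blocking alone is circumvented by routing guesses through Tor. `LoginThrottle`, `FakeClock`, `simulate_guessing` and every threshold constant are assumptions of this example; `simulate_guessing` replays the study's 25-guess procedure against the throttle from the defender's side.

```python
"""Per-account login throttling combining CAPTCHA, temporary lockout,
notification and the NIST SP 800-63B cap of 100 failed attempts per account.
Added example for this page, not the study's code; thresholds are assumed."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CAPTCHA_AFTER = 5           # assumed: demand a CAPTCHA once 5 failures are on record
LOCK_AFTER = 10             # assumed: temporary lock on every 10th failure
LOCK_SECONDS = 15 * 60      # assumed: the lock expires on its own (no support ticket)
HARD_CAP = 100              # NIST SP 800-63B: no more than 100 failed attempts per account
WINDOW_SECONDS = 24 * 3600  # assumed: failures older than this are forgotten


class FakeClock:
    """Controllable time source so the simulation runs instantly."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0
    notified: bool = False


@dataclass
class Decision:
    allowed: bool          # may the verifier check the password at all?
    require_captcha: bool  # must the client solve a CAPTCHA first?
    reason: str


class LoginThrottle:
    """Keyed on the account, not the client IP: per-IP blocking alone is
    circumvented by sending each guess through Tor (slide 3)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.state: Dict[str, AccountState] = {}
        self.notifications: List[str] = []  # stand-in for e-mail/SMS security notices

    def _state(self, account: str) -> AccountState:
        st = self.state.setdefault(account, AccountState())
        now = self.clock()
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        return st

    def check(self, account: str) -> Decision:
        """Run before the password is verified."""
        st = self._state(account)
        if len(st.failures) >= HARD_CAP:
            return Decision(False, False, "hard cap reached")
        if self.clock() < st.locked_until:
            return Decision(False, False, "account temporarily locked")
        return Decision(True, len(st.failures) >= CAPTCHA_AFTER, "ok")

    def record_failure(self, account: str) -> None:
        st = self._state(account)
        now = self.clock()
        st.failures.append(now)
        n = len(st.failures)
        if n % LOCK_AFTER == 0:
            st.locked_until = now + LOCK_SECONDS
        if n >= CAPTCHA_AFTER and not st.notified:
            self.notifications.append(f"{account}: suspicious sign-in attempts")
            st.notified = True

    def record_success(self, account: str) -> None:
        """Correct password: reset the counters and send a sign-in notice."""
        st = self._state(account)
        st.failures.clear()
        st.locked_until = 0.0
        st.notified = False
        self.notifications.append(f"{account}: new sign-in")


def simulate_guessing(throttle: LoginThrottle, clock: FakeClock,
                      account: str, guesses: int) -> dict:
    """Replay the study procedure from the defender's side: `guesses` wrong
    passwords, one per second, without waiting for locks to expire."""
    checked = refused = 0
    first_captcha_at: Optional[int] = None
    for i in range(1, guesses + 1):
        clock.advance(1.0)
        d = throttle.check(account)
        if not d.allowed:
            refused += 1
            continue
        checked += 1
        if d.require_captcha and first_captcha_at is None:
            first_captcha_at = i
        throttle.record_failure(account)  # every guess in the study is wrong
    locked = clock() < throttle.state[account].locked_until
    return {"checked": checked, "refused": refused,
            "first_captcha_at": first_captcha_at, "locked": locked}


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    print(simulate_guessing(throttle, clock, "alice", 25))
    print(throttle.notifications)
```

With the assumed thresholds, 25 guesses against one account reach the verifier only 10 times, the CAPTCHA is demanded from the sixth guess on, and the legitimate owner's "final valid attempt" is refused until the 15-minute lock has expired; that refusal is the usability trade-off the takeaway describes, which is why the lock is time-limited rather than permanent.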