Proceedings 2019 Network and Distributed System Security Symposium 2019
DOI: 10.14722/ndss.2019.23360

How to End Password Reuse on the Web

Abstract: We present a framework by which websites can coordinate to make it difficult for users to set similar passwords at these websites, in an effort to break the culture of password reuse on the web today. Though the design of such a framework is fraught with risks to users' security and privacy, we show that these risks can be effectively mitigated through careful scoping of the goals for such a framework and through principled design. At the core of our framework is a private set-membership-test protocol that ena…

Cited by 12 publications (2 citation statements)
References 56 publications

“…Our design assumes that different sites can ascertain a common identifier a for the same user's accounts at their sites, at least as well as an attacker could. In practice, this would typically be the email address (or some canonical version thereof, see [46]) registered by the user for account identification or password reset purposes.…”
Section: Threat Model (mentioning)
confidence: 99%
“…Chen et al [8] proposed a PSI protocol with reduced communication, but at the expense of leveraging fully homomorphic encryption. And, interestingly, these unbalanced PSI protocols, as well as private membership tests (e.g., [34,38,46,47]), are all designed for the case where the target has the smaller set and the monitor has the larger one, which is the opposite of our use case. Among other PSI protocols that require no more than one round of interaction, that of Davidson and Cid [12] almost meets the requirements of our framework on the monitor side: its monitor's computation complexity and response message size are manageable and, more importantly, constant in the target's set size.…”
Section: Comparison To Related Protocols (mentioning)
confidence: 99%