Who Are You? A Statistical Approach to Measuring User Authenticity

Jain, Sakshi; Freeman, Martin; Biggio, Battista; Duermuth, Markus; Giacinto, Giorgio

doi:10.14722/ndss.2016.23240

Cited by 88 publications

(139 citation statements)

References 31 publications

Supporting

Mentioning

136

Contrasting

Order By: Relevance

“…Furthermore, we recommend that organizations take additional measures to mitigate the affect of an authentication server breach. Solutions might include mechanisms detect password breaches through the use of honey accounts or honey passwords [76], multi-factor authentication and fraud detection/correction algorithms to prevent suspicious/harmful behavior [91].…”

Section: Discussionmentioning

confidence: 99%

On the Economics of Offline Password Cracking

Blocki

Harsha

Zhou

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We develop an economic model of an offline password cracker which allows us to make quantitative predictions about the fraction of accounts that a rational password attacker would crack in the event of an authentication server breach. We apply our economic model to analyze recent massive password breaches at Yahoo!, Dropbox, LastPass and AshleyMadison. All four organizations were using key-stretching to protect user passwords. In fact, LastPass' use of PBKDF2-SHA256 with 10 5 hash iterations exceeds 2017 NIST minimum recommendation by an order of magnitude. Nevertheless, our analysis paints a bleak picture: the adopted key-stretching levels provide insufficient protection for user passwords. In particular, we present strong evidence that most user passwords follow a Zipf's law distribution, and characterize the behavior of a rational attacker when user passwords are selected from a Zipf's law distribution. We show that there is a finite threshold which depends on the Zipf's law parameters that characterizes the behavior of a rational attacker -if the value of a cracked password (normalized by the cost of computing the password hash function) exceeds this threshold then the adversary's optimal strategy is always to continue attacking until each user password has been cracked. In all cases (Yahoo!, Dropbox, LastPass and AshleyMadison) we find that the value of a cracked password almost certainly exceeds this threshold meaning that a rational attacker would crack all passwords that are selected from the Zipf's law distribution (i.e., most user passwords). This prediction holds even if we incorporate an aggressive model of diminishing returns for the attacker (e.g., the total value of 500 million cracked passwords is less than 100 times the total value of 5 million passwords). On a positive note our analysis demonstrates that memory hard functions (MHFs) such as SCRYPT or Argon2i can significantly reduce the damage of an offline attack. In particular, we find that because MHFs substantially increase guessing costs a rational attacker will give up well before he cracks most user passwords and this prediction holds even if the attacker does not encounter diminishing returns for additional cracked passwords. Based on our analysis we advocate that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2.

show abstract

Section: Discussionmentioning

confidence: 99%

On the Economics of Offline Password Cracking

Blocki

Harsha

Zhou

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…Limited number of login attempts. Most PIN systems enforce suspicious login detection and lockout [23], and thus the number of PINs an attacker may try in an online attack is limited. A successful online attack is defined as an attacker hitting the correct PIN within the number of allowed attempts.…”

Section: Online Attacksmentioning

confidence: 99%

When Human cognitive modeling meets PINs: User-independent inter-keystroke timing attacks

Liu

Deng

et al. 2019

Computers & Security

View full text Add to dashboard Cite

This paper proposes the first user-independent inter-keystroke timing attacks on PINs. Our attack method is based on an interkeystroke timing dictionary built from a human cognitive model whose parameters can be determined by a small amount of training data on any users. Our attacks can thus be potentially launched in a large scale in real-world settings. We investigate inter-keystroke timing attacks in different online attack settings and evaluate their performance on PINs at different strength levels. Our experimental results show that the proposed attack performs significantly better than random guessing attacks. We further demonstrate that our attacks pose a serious threat to real-world applications and propose various ways to mitigate the threat.

show abstract

“…The limitations and effectiveness of these features were not estimated. Freeman et al [11] presented the, to the best of our knowledge, first publicly known RBA algorithm using IP address and user agent as features. Steinegger et al [26] presented another RBA implementation, with browser fingerprint, failed login attempts and IP based geolocation as features.…”

Section: Related Workmentioning

confidence: 99%

“…the low threshold and falls into the medium risk category, the service typically requests additional authentication factors from the user (e.g. verification of email address or phone number [17,24,11]), requires to solve a CAPTCHA [24], or informs the user about suspicious activities [13]. If the risk score is deemed high, the service can decide to block access altogether, but this event is rare, as it will not allow legitimate users mistakenly classified as a high risk to recover.…”

Section: Introductionmentioning

confidence: 99%

ICT Systems Security and Privacy Protection

2019

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Risk-based authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional implicit features during password entry such as device or geolocation information, and requests additional authentication factors if a certain risk level is detected. RBA is recommended by the NIST digital identity guidelines, is used by several large online services, and offers protection against security risks such as password database leaks, credential stuffing, insecure passwords and large-scale guessing attacks. Despite its relevance, the procedures used by RBA-instrumented online services are currently not disclosed. Consequently, there is little scientific research about RBA, slowing down progress and deeper understanding, making it harder for end users to understand the security provided by the services they use and trust, and hindering the widespread adoption of RBA. In this paper, with a series of studies on eight popular online services, we (i) analyze which features and combinations/classifiers are used and are useful in practical instances, (ii) develop a framework and a methodology to measure RBA in the wild, and (iii) survey and discuss the differences in the user interface for RBA. Following this, our work provides a first deeper understanding of practical RBA deployments and helps fostering further research in this direction.

show abstract

Who Are You? A Statistical Approach to Measuring User Authenticity

Cited by 88 publications

References 31 publications

On the Economics of Offline Password Cracking

On the Economics of Offline Password Cracking

When Human cognitive modeling meets PINs: User-independent inter-keystroke timing attacks

ICT Systems Security and Privacy Protection

Contact Info

Product

Resources

About