Anuj Gautam,Tarun Kumar Yadav,Kent Seamons,Scott Ruoti

DOI: https://doi.org/10.48550/arXiv.2402.06159

2024-02-09

Abstract:Password-based authentication faces various security and usability issues. Password managers help alleviate some of these issues by enabling users to manage their passwords effectively. However, malicious client-side scripts and browser extensions can steal passwords after they have been autofilled by the manager into the web page. In this paper, we explore what role the password manager can take in preventing the theft of autofilled credentials without requiring a change to user behavior. To this end, we identify a threat model for password exfiltration and then use this threat model to explore the design space for secure password entry implemented using a password manager. We identify five potential designs that address this issue, each with varying security and deployability tradeoffs. Our analysis shows the design that best balances security and usability is for the manager to autofill a fake password and then rely on the browser to replace the fake password with the actual password immediately before the web request is handed over to the operating system to be transmitted over the network. This removes the ability for malicious client-side scripts or browser extensions to access and exfiltrate the real password. We implement our design in the Firefox browser and conduct experiments, which show that it successfully thwarts malicious scripts and extensions on 97\% of the Alexa top 1000 websites, while also maintaining the capability to revert to default behavior on the remaining websites, avoiding functionality regressions. Most importantly, this design is transparent to users, requiring no change to user behavior.

Cryptography and Security

Raul Gonzalez,Eric Y. Chen,Collin Jackson

DOI: https://doi.org/10.48550/arXiv.1309.1416

2013-09-06

Abstract:To encourage users to use stronger and more secure passwords, modern web browsers offer users password management services, allowing users to save previously entered passwords locally onto their hard drives. We present Lupin, a tool that automatically extracts these saved passwords without the user's knowledge. Lupin allows a network adversary to obtain passwords as long as the login form appears on a non-HTTPS page. Unlike existing password sniffing tools, Lupin can obtain passwords for websites users are not visiting. Furthermore, Lupin can extract passwords embedded in login forms with a destination address served in HTTPS. To determine the number of websites vulnerable to our attack, we crawled the top 45,000 most popular websites from Alexa's top website list and discovered that at least 28% of these sites are vulnerable. To further demonstrate the feasibility of our attack, we tested Lupin under controlled conditions using one of the authors' computers. Lupin was able to extract passwords from 1,000 websites in less than 35 seconds. We suggest techniques for web developers to protect their web applications from attack, and we propose alternative designs for a secure password manager.

Cryptography and Security

Efstratios Chatzoglou,Vyron Kampourakis,Zisis Tsiatsikas,Georgios Karopoulos,Georgios Kambourakis

2024-03-31

Abstract:Password management has long been a persistently challenging task. This led to the introduction of password management software, which has been around for at least 25 years in various forms, including desktop and browser-based applications. This work assesses the ability of two dozen password managers, 12 desktop applications, and 12 browser-plugins, to effectively protect the confidentiality of secret credentials in six representative scenarios. Our analysis focuses on the period during which a Password Manager (PM) resides in the RAM. Despite the sensitive nature of these applications, our results show that across all scenarios, only three desktop PM applications and two browser plugins do not store plaintext passwords in the system memory. Oddly enough, at the time of writing, only two vendors recognized the exploit as a vulnerability, reserving CVE-2023-23349, while the rest chose to disregard or underrate the issue.

Cryptography and Security

Moritz Horsch,Johannes Braun,Dominique Metz,Johannes Buchmann

DOI: https://doi.org/10.48550/arXiv.1704.02883

2017-04-26

Abstract:It is practically impossible for users to memorize a large portfolio of strong and individual passwords for their online accounts. A solution is to generate passwords randomly and store them. Yet, storing passwords instead of memorizing them bears the risk of loss, e.g., in situations where the device on which the passwords are stored is damaged, lost, or stolen. This makes the creation of backups of the passwords indispensable. However, placing such backups at secure locations to protect them as well from loss and unauthorized access and keeping them up-to-date at the same time is an unsolved problem in practice. We present PASCO, a backup solution for passwords that solves this challenge. PASCO backups need not to be updated, even when the user's password portfolio is changed. PASCO backups can be revoked without having physical access to them. This prevents password leakage, even when a user loses control over a backup. Additionally, we show how to extend PASCO to enable a fully controllable emergency access. It allows a user to give someone else access to his passwords in urgent situations. We also present a security evaluation and an implementation of PASCO.

Cryptography and Security

Andrés Fábrega,Armin Namavari,Rachit Agarwal,Ben Nassi,Thomas Ristenpart

2024-08-14

Abstract:This work explores injection attacks against password managers. In this setting, the adversary (only) controls their own application client, which they use to "inject" chosen payloads to a victim's client via, for example, sharing credentials with them. The injections are interleaved with adversarial observations of some form of protected state (such as encrypted vault exports or the network traffic received by the application servers), from which the adversary backs out confidential information. We uncover a series of general design patterns in popular password managers that lead to vulnerabilities allowing an adversary to efficiently recover passwords, URLs, usernames, and attachments. We develop general attack templates to exploit these design patterns and experimentally showcase their practical efficacy via analysis of ten distinct password manager applications. We disclosed our findings to these vendors, many of which deployed mitigations.

Cryptography and Security

Yu-Tao Liu,Dong Du,Yu-Bin Xia,Hai-Bo Chen,Bin-Yu Zang,Zhenkai Liang

DOI: https://doi.org/10.1007/s11390-018-1810-y

IF: 1.871

2018-01-01

Journal of Computer Science and Technology

Abstract:Using a password manager is known to be more convenient and secure than not using one, on the assumption that the password manager itself is safe. However recent studies show that most popular password managers have security vulnerabilities that may be fooled to leak passwords without users' awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and access of passwords into two mutually distrusting parties. During login, all the parties will collaborate to send their password shares to the web server, but none of these parties will ever have the complete password, which significantly raises the bar of a successful attack to compromise all of the parties. To retain transparency to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transport layer security (TCP) sessions to process on all parties, and makes the joining of two password shares transparent to the web servers. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it using 100 apps from top free apps in the Android official market. The evaluation shows that SplitPass securely protects users' passwords, while incurring little performance overhead and power consumption.

Teik Guan Tan,Pawel Szalachowski,Jianying Zhou

DOI: https://doi.org/10.48550/arXiv.2011.06257

2020-11-12

Abstract:The use of passwords and the need to protect passwords are not going away. The majority of websites that require authentication continue to support password authentication. Even high-security applications such as Internet Banking portals, which deploy 2-factor authentication, rely on password authentication as one of the authentication factors. However phishing attacks continue to plague password-based authentication despite aggressive efforts in detection and takedown as well as comprehensive user awareness and training programs. There is currently no foolproof mechanism even for security-conscious websites to prevent users from being directed to fraudulent websites and having their passwords phished. In this paper, we apply a threat analysis on the web password login process, and uncover a design vulnerability in the HTML<inputtype="password"> field. This vulnerability can be exploited for phishing attacks as the web authentication process is not end-to-end secured from each input password field to the web server. We identify four properties that encapsulate the requirements to stop web-based password phishing, and propose a secure protocol to be used with a new credential field that complies with the four properties. We further analyze the proposed protocol through an abuse-case evaluation, discuss various deployment issues, and also perform a test implementation to understand its data and execution overheads

Networking and Internet Architecture,Cryptography and Security

Wang Qiang,Qin Zhiguang

DOI: https://doi.org/10.1109/ICACTE.2010.5579457

2010-01-01

Abstract:Passwords are the most popular authentication mechanism on the Internet. People have to remember many passwords for their many online accounts. However, selecting and keeping track of all the passwords that are required to maintain a person's online identity becomes a cumbersome task. In this paper, we propose a password protocol that allows a user to securely login multiple web accounts using the same password. Our aim is to make web authentication more secure and more convenient. Each online account of a user is protected by a unique password generated from the user's single password using a combination of the password entered by the user, data associated with the web site, and a random string generated by the extension itself from a pass phrase entered by the user. Compromising a user's password at one site does not allow the attacker to login at another site. Our method is secure against dictionary attacks, password phishing, and many other exploits. Working transparently, our method minimizes changes to user experience. It is easy to deploy as it can be implemented as a browser extension and requires no change on web servers. © 2010 IEEE.

Ali Cherry,Konstantinos Barmpis,Siamak F. Shahandashti

2024-07-12

Abstract:Existing approaches to facilitate the interaction between password managers and web applications fall short of providing adequate functionality and mitigation strategies against prominent attacks. HTML Autofill is not sufficiently expressive, Credential Management API does not support browser extension password managers, and other proposed solutions do not conform to established user mental models. In this paper, we propose Berytus, a browser-based governance framework that mediates the interaction between password managers and web applications. Two APIs are designed to support Berytus acting as an orchestrator between password managers and web applications. An implementation of the framework in Firefox is developed that fully supports registration and authentication processes. As an orchestrator, Berytus is able to authenticate web applications and facilitate authenticated key exchange between web applications and password managers, which as we show, can provide effective mitigation strategies against phishing, cross-site scripting, inline code injection (e.g., by a malicious browser extension), and TLS proxy in the middle attacks, whereas existing mitigation strategies such as Content Security Policy and credential tokenisation are only partially effective. The framework design also provides desirable functional properties such as support for multi-step, multi-factor, and custom authentication schemes. We provide a comprehensive security and functionality evaluation and discuss possible future directions.

Cryptography and Security

Suyun Borjigin

2024-05-31

Abstract:Credential theft and remote attacks are the most serious threats to user authentication mechanisms. The crux of these problems is that we cannot control such behaviors. However, if a password does not contain user secrets, stealing it is useless. If unauthorized inputs are invalidated, remote attacks can be disabled. Thus, credential secrets and account input fields can be controlled. Rather than encrypting passwords, we design a dual-password login-authentication mechanism, where a user-selected secret-free login password is converted into an untypable authentication password. Subsequently, the authenticatable functionality of the login password and the typable functionality of the authentication password can be disabled or invalidated to prevent credential theft and remote attacks. Thus, the usability-security tradeoff and password reuse issues are resolved; local authentication password storage is no longer necessary. More importantly, the password converter acts as an open hashing algorithm, meaning that its intermediate elements can be used to define a truly unique identity for the login process to implement a novel dual-identity authentication scheme. In particular, the system-managed elements are concealed, inaccessible, and independent of any personal information and therefore can be used to define a perfect unforgeable process identifier to identify unauthorized inputs.

Cryptography and Security,Emerging Technologies,Systems and Control

Qingli Guo,Jing Ye,Bing Li,Yu Hu,Xiaowei Li,Yazhu Lan,Guohe Zhang

DOI: https://doi.org/10.1016/j.vlsi.2018.10.003

IF: 1.345

2019-01-01

Integration

Abstract:Secure passwords need high entropy, but are difficult for users to remember. Password managers minimize the memory burden by storing site passwords locally or generating secure site passwords from a master password through hashing or key stretching. Unfortunately, they are threatened by the single point of failure introduced by the master password which is vulnerable to various attacks such as offline attack and shoulder surfing attack. To handle these issues, this paper proposes the PUFPass, a secure password management mechanism based on software/hardware codesign. By introducing the hardware primitive, Physical Unclonable Function (PUF), into PUFPass, the random physical disorder is exploited to strengthen site passwords. An illustration of PUFPass in the Android operating system is given. PUFPass is evaluated from aspects of both security and preliminary usability. The security of the passwords is evaluated using a compound heuristic algorithm based PUF attack software and an open source password cracking software, respectively. Finally, PUFPass is compared with other password management mechanisms using the Usability-Deployability-Security (UDS) framework. The results show that PUFPass has great advantages in security while maintaining most benefits in usability.

Asmit Nayak,Rishabh Khandelwal,Kassem Fawaz

DOI: https://doi.org/10.48550/arXiv.2308.16321

2023-08-31

Abstract:In this work, we perform a comprehensive analysis of the security of text input fields in web browsers. We find that browsers' coarse-grained permission model violates two security design principles: least privilege and complete mediation. We further uncover two vulnerabilities in input fields, including the alarming discovery of passwords in plaintext within the HTML source code of the web page. To demonstrate the real-world impact of these vulnerabilities, we design a proof-of-concept extension, leveraging techniques from static and dynamic code injection attacks to bypass the web store review process. Our measurements and case studies reveal that these vulnerabilities are prevalent across various websites, with sensitive user information, such as passwords, exposed in the HTML source code of even high-traffic sites like Google and Cloudflare. We find that a significant percentage (12.5\%) of extensions possess the necessary permissions to exploit these vulnerabilities and identify 190 extensions that directly access password fields. Finally, we propose two countermeasures to address these risks: a bolt-on JavaScript package for immediate adoption by website developers allowing them to protect sensitive input fields, and a browser-level solution that alerts users when an extension accesses sensitive input fields. Our research highlights the urgent need for improved security measures to protect sensitive user information online.

Cryptography and Security,Computers and Society

Gilbert Notoatmodjo,Clark D. Thomborson

2009-01-01

Abstract:The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the 'weakest link' in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. We have studied how users perceive their accounts and their passwords. Our participants mentally classified their accounts and passwords into a few groups, based on a small number of perceived similarities. Our participants used stronger passwords, and reused passwords less, in account groups which they considered more important. Our participants thus demonstrated awareness of the basic tenets of password safety, but they did not behave safely in all respects. Almost half of our participants reused at least one of the passwords in their high-importance accounts. Our findings add to the body of evidence that a typical computer user suffers from 'password overload'. Our concepts of password and account grouping point the way toward more intuitive user interfaces for password-and account-management systems.

Pyung Kim,Younho Lee,Youn-Sik Hong,Taekyoung Kwon

DOI: https://doi.org/10.3390/s21020345

2021-01-06

Abstract:To meet password selection criteria of a server, a user occasionally needs to provide multiple choices of password candidates to an on-line password meter, but such user-chosen candidates tend to be derived from the user's previous passwords-the meter may have a high chance to acquire information about a user's passwords employed for various purposes. A third party password metering service may worsen this threat. In this paper, we first explore a new on-line password meter concept that does not necessitate the exposure of user's passwords for evaluating user-chosen password candidates in the server side. Our basic idea is straightforward; to adapt fully homomorphic encryption (FHE) schemes to build such a system but its performance achievement is greatly challenging. Optimization techniques are necessary for performance achievement in practice. We employ various performance enhancement techniques and implement the NIST (National Institute of Standards and Technology) metering method as seminal work in this field. Our experiment results demonstrate that the running time of the proposed meter is around 60 s in a conventional desktop server, expecting better performance in high-end hardware, with an FHE scheme in HElib library where parameters support at least 80-bit security. We believe the proposed method can be further explored and used for a password metering in case that password secrecy is very important-the user's password candidates should not be exposed to the meter and also an internal mechanism of password metering should not be disclosed to users and any other third parties.

Ming Xu,Weili Han

DOI: https://doi.org/10.1155/2019/5184643

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:Textual passwords are still dominating the authentication of remote file sharing and website logins, although researchers recently showed several vulnerabilities about this authentication mechanism. When a user creates or changes a password, a website usually leverages a password strength meter (PSM for short) to show the strength of the password. When the password is evaluated as a weak one, the user may replace the password with a stronger or securer one. However, the user is usually confused when the password, especially a frequently used password, is shown as a weak one. We argue that an explainable password strength meter addon, which could show the reasons of weak, may help users to more effectively create a secure password. Unfortunately, we find few sites in Alexa global top 100 showing these details. Motivated to help users with an explainable PSM, this paper proposes an addon to PSMs providing feedbacks in the form of pattern passwords explaining why a password is weak. This PSM addon can detect twelve types of patterns, which cover a very large proportion among 70 million of leaked real passwords from high-profile websites. According to our evaluation and user study, our PSM addon, which leverages textual pattern passwords, can effectively detect these popular patterns and effectively help users create securer passwords.

Sean Oesch,Scott Ruoti

DOI: https://doi.org/10.48550/arXiv.1908.03296

2019-08-09

Cryptography and Security

Abstract:Password managers have the potential to help users more effectively manage their passwords and address many of the concerns surrounding password-based authentication, however prior research has identified significant vulnerabilities in existing password managers. Since that time, five years has passed, leaving it unclear whether password managers remain vulnerable or whether they are now ready for broad adoption. To answer this question, we evaluate thirteen popular password managers and consider all three stages of the password manager lifecycle--password generation, storage, and autofill. Our evaluation is the first analysis of password generation in password managers, finding several non-random character distributions and identifying instances where generated passwords were vulnerable to online and offline guessing attacks. For password storage and autofill, we replicate past evaluations, demonstrating that while password managers have improved in the half-decade since those prior evaluations, there are still significant issues, particularly with browser-based password managers; these problems include unencrypted metadata, unsafe defaults, and vulnerabilities to clickjacking attacks. Based on our results, we identify password managers to avoid, provide recommendations on how to improve existing password managers, and identify areas of future research.

Ruti Gafni,Tal Pavel,Raz Margolin,Ben Weiss

DOI: https://doi.org/10.36965/ojakm.2017.5(1)27-41

2017-05-04

Online Journal of Applied Knowledge Management

Abstract:Passwords are the standard means of registration and access to Websites, information systems, online services and various social networks. Databases are increasingly breached and social engineering is employed to obtain usernames and passwords for online fraud, therefore, there is a need to secure existing passwords, and to create ones that will be more crack-resistant. This study addresses the issue of personal data, which users enter on social networks, and incorporate in passwords, as well as how tracking and identifying this data assists hackers in cracking these passwords. The study focuses on Facebook, conducting an online anonymous questionnaire among 195 respondents, and an experiment among a voluntary response sample of 72 participants, in which passwords were tried to been deciphered by a custom dictionary attack. The findings confirm a link between the use of accessible online personal data and success rates of password deciphering. The findings underscore the grave threat to users’ information security - not only as a result of their voluntary exposure of personal data on social networks, but also due to the integration of this data into their passwords. The study argues the need to emphasize users' awareness to their password strength, with this vulnerability in mind.

Simone Raponi,Roberto Di Pietro

DOI: https://doi.org/10.48550/arXiv.1804.07016

2018-04-25

Abstract:The widespread usage of password authentication in online websites leads to an ever-increasing concern, especially when considering the possibility for an attacker to recover the user password by leveraging the loopholes in the password recovery mechanisms. Indeed, if a website adopts a poor password management system, this choice makes useless even the most robust password chosen by its users. In this paper, we first provide a survey of currently adopted password recovery mechanisms. Later, we model an attacker with different capabilities and we show how current password recovery mechanisms can be exploited in our attacker model. Then, we provide a thorough analysis of the password management of some of the Alexa's top 200 websites in different countries, including England, France, Germany, Spain and Italy. Of these 1,000 websites, 722 do not require authentication -- and hence are excluded by our study -- while out of the remaining 278 we focused on 174, since 104 demanded a complex registration procedure. Of these 174, almost 25% of the them have critical vulnerabilities, while 44% have some form of vulnerability. Finally, we propose some effective countermeasures and we point out that, by considering the entry into force of the General Data Protection Regulation (GDPR) in May, 2018, most of websites are not compliant with the legislation and may incur in heavy fines. This study, other than being important on its own since it highlights some severe current vulnerabilities and proposes corresponding remedies, has the potential to also have a relevant impact on the EU industrial ecosystem.

Cryptography and Security

Xingjie Yu,Zhan Wang,Yingjiu Li,Liang Li,Wen Tao Zhu,Li Song

DOI: https://doi.org/10.1016/j.cose.2017.05.006

IF: 5.105

2017-01-01

Computers & Security

Abstract:The passwords for authenticating users are susceptible to shoulder-surfing attacks in which attackers learn users' passwords through direct observations without any technical support. A straightforward solution to defend against such attacks is to change passwords periodically or even constantly, making the previously observed passwords useless. However, this may lead to a situation in which users run out of strong passwords they can remember, or they are forced to choose passwords that are weak, correlated, or difficult to memorize. To achieve both security and usability in user authentication, we propose EvoPass, the first evolvable graphical password authentication system. EvoPass transforms a set of user-selected pass images to pass sketches as user credentials. Users are required to identify their pass sketches from a set of challenge images for user authentication. Particularly, EvoPass improves password strength gradually over time through continually degrading pass sketches without annoying users to reselect pass images. The evolving feature makes it difficult for observational adversaries to identify the pass sketches, even though part of pass sketches may have been exposed to adversaries previously. We introduce two metrics, Information Retention Rate (IRR) and Password Diversity Score (PDS) to guide the process of generating pass sketches and a set of challenge images. Our experimental analysis reveals that applying reasonable IRR and PDS in EvoPass can remarkably improve the resistance to shoulder-surfing attacks without negatively affecting user experience. We also implement a prototype of EvoPass on Android platform with reasonable IRR and PDS applied. Our experimental results on the prototype further demonstrate that EvoPass could work efficiently and achieve a desired usability.

Sanam Ghorbani Lyastani,Michael Schilling,Sascha Fahl,Sven Bugiel,Michael Backes

DOI: https://doi.org/10.48550/arXiv.1712.08940

2017-12-24

Abstract:Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, end-users are very often referred to password managers as a solution to the password reuse and password weakness problems. However, to date the actual impact of password managers on password security and reuse has not been studied systematically. In this paper, we provide the first large-scale study of the password managers' influence on users' real-life passwords. From 476 participants of an online survey on users' password creation and management strategies, we recruit 170 participants that allowed us to monitor their passwords in-situ through a browser plugin. In contrast to prior work, we collect the passwords' entry methods (e.g., human or password manager) in addition to the passwords and their metrics. Based on our collected data and our survey, we gain a more complete picture of the factors that influence our participants' passwords' strength and reuse. We quantify for the first time that password managers indeed benefit the password strength and uniqueness, however, also our results also suggest that those benefits depend on the users' strategies and that managers without password generators rather aggravate the existing problems.

Cryptography and Security