Abstract
Today’s Internet services rely heavily on text-based passwords for user authentication. The pervasiveness of these services coupled with the difficulty of remembering large numbers of secure passwords tempts users to reuse passwords at multiple sites. In this paper, we investigate for the first time how an attacker can leverage a known password from one site to more easily guess that user’s password at other sites. We study several hundred thousand leaked passwords from eleven web sites and conduct a user survey on password reuse; we estimate that 43-51% of users reuse the same password across multiple sites. We further identify a few simple tricks users often employ to transform a basic password between sites which can be used by an attacker to make password guessing vastly easier. We develop the first cross-site password-guessing algorithm, which is able to guess 30% of transformed passwords within 100 attempts compared to just 14% for a standard password-guessing algorithm without cross-site password knowledge.
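The guessing strategy the abstract describes can be illustrated with a small rule-based generator: starting from a password known from one site, emit the variants a reusing user is likely to pick at another site, most probable first, and count how many guesses it takes to hit the second site's password. The following is an added example, not code from the paper; the transform rules, their ordering, and the sample password pairs are this example's own assumptions (the paper's rule set and priorities are not reproduced here).

```python
"""Cross-site password guessing from one known password (added example).

The transform rules and their priority order below are assumptions made
for this illustration, not the rule set from the NDSS 2014 paper.
"""
from __future__ import annotations

import re
from typing import Iterator, Optional

# Assumed substitution and suffix tables, common in leaked-password corpora.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}
COMMON_SUFFIXES = ["1", "!", "123", "12", "2014", "!1", "01"]

# Constructed sample pairs: (password leaked from site A, password at site B).
SAMPLE_PAIRS = [
    ("sunshine7", "sunshine7"),      # identical reuse
    ("sunshine7", "Sunshine7"),      # capitalisation change
    ("sunshine7", "sunshine8"),      # trailing digit incremented
    ("sunshine7", "sunshine7!"),     # symbol appended
    ("sunshine7", "5un5h1n3"),       # different base password, unreachable
    ("sunshine7", "correct horse"),  # unrelated password, unreachable
]


def _dedupe(cands: Iterator[str]) -> Iterator[str]:
    """Preserve order but skip candidates already emitted."""
    seen: set[str] = set()
    for c in cands:
        if c not in seen:
            seen.add(c)
            yield c


def transforms(base: str) -> Iterator[str]:
    """Yield candidate guesses derived from `base`, most likely first."""
    yield base                         # rule 0: identical reuse
    yield base.capitalize()            # rule 1: capitalisation variants
    yield base.upper()
    yield base.lower()
    yield base.swapcase()
    for s in COMMON_SUFFIXES:          # rule 2: append a common suffix
        yield base + s
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", base)
    if stripped and stripped != base:  # rule 3: drop or swap the trailing digits/symbols
        yield stripped
        for s in COMMON_SUFFIXES:
            yield stripped + s
    m = re.search(r"(\d+)$", base)
    if m:                              # rule 4: bump a trailing number (pw7 -> pw8)
        n, width = int(m.group(1)), len(m.group(1))
        for delta in (1, 2, -1):
            if n + delta >= 0:
                yield base[: m.start()] + str(n + delta).zfill(width)
    for i, ch in enumerate(base):      # rule 5: leet, one character at a time
        if ch.lower() in LEET:
            yield base[:i] + LEET[ch.lower()] + base[i + 1:]
    yield "".join(LEET.get(ch.lower(), ch) for ch in base)  # full leet
    yield base[::-1]                   # rule 6: reversal
    if len(base) > 6:                  # rule 7: substring (drop an end character)
        yield base[:-1]
        yield base[1:]
    for s in COMMON_SUFFIXES:          # rule 8: combined capitalisation + suffix
        yield base.capitalize() + s


def guesses_needed(known: str, target: str, budget: int = 100) -> Optional[int]:
    """1-based guess count at which `target` is reached from `known`, or None within `budget`."""
    for i, cand in enumerate(_dedupe(transforms(known)), start=1):
        if i > budget:
            return None
        if cand == target:
            return i
    return None


def hit_rate(pairs, budget: int = 100) -> float:
    """Fraction of (known, target) pairs cracked within `budget` guesses."""
    hits = sum(1 for k, t in pairs if guesses_needed(k, t, budget) is not None)
    return hits / len(pairs)


if __name__ == "__main__":
    for known, target in SAMPLE_PAIRS:
        print(f"{known} -> {target}: {guesses_needed(known, target)}")
    print(f"hit rate within 100 guesses: {hit_rate(SAMPLE_PAIRS):.2f}")
```

The point of the ordering is that the cheapest, most common transformations are tried first, so a reused password with a capitalisation or suffix change falls within a handful of guesses, while a genuinely independent password at the second site is not reached at all; on the constructed pairs above, four of six are cracked within the 100-guess budget. A defender can run the same generator against a newly set password and the user's previous ones to reject near-duplicates at password-change time.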
| Field | Value |
|---|---|
| Original language | English (US) |
| DOIs | |
| State | Published - 2014 |
| Event | 21st Annual Network and Distributed System Security Symposium, NDSS 2014 - San Diego, United States. Duration: Feb 23 2014 → Feb 26 2014 |
Conference
| Field | Value |
|---|---|
| Conference | 21st Annual Network and Distributed System Security Symposium, NDSS 2014 |
| Country/Territory | United States |
| City | San Diego |
| Period | 2/23/14 → 2/26/14 |
ASJC Scopus subject areas
- Control and Systems Engineering
- Safety, Risk, Reliability and Quality
- Computer Networks and Communications