DOI: 10.1145/2508859.2516746
Research article

SAuth: protecting user accounts from password database leaks

Published: 04 November 2013

Abstract

Password-based authentication is the dominant form of access control in web services. Unfortunately, it proves to be more and more inadequate every year. Even if users choose long and complex passwords, vulnerabilities in the way they are managed by a service may leak them to an attacker. Recent incidents in popular services such as LinkedIn and Twitter demonstrate the impact that such an event can have. The use of one-way hash functions to mitigate the problem is countered by the evolution of hardware, which enables powerful password-cracking platforms.
In this paper we propose SAuth, a protocol which employs authentication synergy among different services. Users wishing to access their account on service S will also have to authenticate for their account on service V, which acts as a vouching party. Both services S and V are regular sites visited by the user every day (e.g., Twitter, Facebook, Gmail). Should an attacker acquire the password for service S, he will be unable to log in unless he also compromises the password for service V and possibly more vouching services. SAuth is an extension of, not a replacement for, existing authentication methods. It operates one layer above without ties to a specific method, thus enabling different services to employ heterogeneous systems. Finally, we employ password decoys to protect users that share a password across services.
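The vouching flow the abstract describes, as an added Python model (not the paper's own code or wire protocol): a login at S succeeds only when the S password checks out and V, after checking its own password for the linked account, returns a vouch bound to that login attempt. The `Service` and `login` names are hypothetical, and the model assumes a MAC key pre-shared between S and V, a single-use nonce binding the vouch to the attempt, and PBKDF2 for the password tables.

```python
import hashlib, hmac, os, secrets

def hash_pw(pw: str, salt: bytes) -> bytes:
    # Deliberately slow hash; a leaked table still has to be cracked offline.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Service:
    # A site with its own password table; plays S or V. peer_key is the MAC key shared by S and V (assumed pairing).
    def __init__(self, name: str, peer_key: bytes):
        self.name, self.peer_key = name, peer_key
        self.users, self.links, self.pending = {}, {}, {}
    def register(self, user: str, pw: str, voucher: str = None, vuser: str = None):
        salt = os.urandom(16)
        self.users[user] = (salt, hash_pw(pw, salt))
        if voucher:                      # account on S is tied to an account on V
            self.links[user] = (voucher, vuser)
    def check_password(self, user: str, pw: str) -> bool:
        salt, h = self.users.get(user, (b"", b""))
        return bool(h) and hmac.compare_digest(h, hash_pw(pw, salt))

    # Role S, step 1: the S password passes, then a fresh nonce is handed to V.
    def begin_login(self, user: str, pw: str):
        if not self.check_password(user, pw):
            return None
        nonce = secrets.token_hex(16)
        self.pending[nonce] = user
        return nonce

    # Role V: the user authenticates here too; V vouches for (vuser, nonce) to S.
    def vouch(self, vuser: str, pw: str, s_name: str, nonce: str):
        if not self.check_password(vuser, pw):
            return None
        msg = f"{self.name}|{vuser}|{s_name}|{nonce}".encode()
        return (self.name, vuser, hmac.new(self.peer_key, msg, "sha256").digest())

    # Role S, step 2: accept only a valid, single-use vouch for the linked V identity.
    def finish_login(self, nonce: str, vouch) -> bool:
        user = self.pending.pop(nonce, None)      # nonce is consumed either way
        if user is None or vouch is None:
            return False
        vname, vuser, tag = vouch
        if self.links.get(user) != (vname, vuser):
            return False
        msg = f"{vname}|{vuser}|{self.name}|{nonce}".encode()
        return hmac.compare_digest(tag, hmac.new(self.peer_key, msg, "sha256").digest())

def login(s: Service, v: Service, user: str, s_pw: str, vuser: str, v_pw: str) -> bool:
    # Full flow: password at S, then password at V, then V's vouch back to S.
    nonce = s.begin_login(user, s_pw)
    return nonce is not None and s.finish_login(nonce, v.vouch(vuser, v_pw, s.name, nonce))
```

With S's table leaked and cracked, the attacker holds `s_pw` but not `v_pw`, so the second `login` call below is exactly the case the abstract argues for.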


    Published In

    CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
    November 2013
    1530 pages
    ISBN:9781450324779
    DOI:10.1145/2508859

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. authentication
    2. decoys
    3. password leak
    4. synergy

    Acceptance Rates

    CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
