
    A New Targeted Password Guessing Model

    TarGuess-I is a leading targeted password guessing model that uses users' personally identifiable information (PII), proposed at ACM CCS 2016 by Wang et al. Owing to its superior guessing performance, TarGuess-I has attracted widespread attention in password security. Yet TarGuess-I fails to capture popular passwords and special strings in passwords correctly. We therefore propose TarGuess-I+, an improved password guessing model that identifies popular passwords by generating the top-300 most popular passwords from similar websites and captures special strings by extracting continuous character runs from user-generated PII. We conduct a series of experiments on 6 real-world leaked datasets; the results show that our improved model outperforms TarGuess-I by 9.07% on average within 1000 guesses, which demonstrates the effectiveness of our improvements.
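    The two ingredients named above (a popularity list harvested from a similar site's leak, and continuous character runs cut from the target's PII) as an added illustrative example. This is not the TarGuess-I+ code from the paper; the leaked list, the PII fields, the 3..8-character run lengths and the guess ordering (popular passwords, then single PII runs, then pairs of runs) are constructed assumptions made here to show how such a targeted guess list is assembled and how a given password's rank is measured within a 1000-guess budget.

```python
import itertools
from collections import Counter

# Constructed sample of passwords "leaked" from a similar website (not real data).
SIMILAR_SITE_LEAK = [
    "123456", "password", "123456789", "qwerty", "123456", "iloveyou",
    "123456", "password", "abc123", "qwerty", "123456", "111111",
]

# Constructed PII for a hypothetical target user.
PII = {"name": "Alice Wang", "birthday": "19900315", "email": "alicew90@example.com"}


def popular_passwords(leak, top_n=300):
    """Most frequent passwords in a similar-site leak, most common first
    (ties keep first-seen order, which is what Counter.most_common does)."""
    return [pw for pw, _ in Counter(leak).most_common(top_n)]


def pii_substrings(pii, min_len=3, max_len=8):
    """Every continuous run of min_len..max_len characters from each PII token
    (name parts, birthday, e-mail local part and domain labels), longest first,
    de-duplicated in order of first appearance."""
    found = []
    for value in pii.values():
        tokens = value.lower().replace("@", " ").replace(".", " ").split()
        for tok in tokens:
            for length in range(min(max_len, len(tok)), min_len - 1, -1):
                for start in range(len(tok) - length + 1):
                    sub = tok[start:start + length]
                    if sub not in found:
                        found.append(sub)
    return found


def targeted_guesses(pii, leak, budget=1000):
    """Ordered guess list for one user: popular passwords, then single PII
    runs, then concatenations of two PII runs, truncated to `budget`."""
    guesses = []
    seen = set()

    def add(candidate):
        if candidate not in seen and len(guesses) < budget:
            seen.add(candidate)
            guesses.append(candidate)

    for pw in popular_passwords(leak):
        add(pw)
    runs = pii_substrings(pii)
    for run in runs:
        add(run)
    for a, b in itertools.permutations(runs, 2):
        if len(guesses) >= budget:
            break
        add(a + b)
    return guesses


def rank_of(password, guesses):
    """1-based position of `password` in the guess list, or None if it is never guessed."""
    return guesses.index(password) + 1 if password in guesses else None


if __name__ == "__main__":
    guesses = targeted_guesses(PII, SIMILAR_SITE_LEAK)
    for pw in ("123456", "alicew90", "wang0315", "correcthorse"):
        print(pw, rank_of(pw, guesses))
```

    The ordering is deliberate: untargeted popular passwords cost nothing per user and are tried first; PII-derived strings come next because, as the abstract notes, they are what a generic model misses; a real guess budget (here 1000) cuts the list off, so the rank of the true password is the metric that matters.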

    Lost and not Found: An Investigation of Recovery Methods for Multi-Factor Authentication

    Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as a hardware token or one-time passwords from a mobile app. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures that allow their users to recover from losing access to their additional factor and that are both secure and easy to use. To the best of our knowledge, we are the first to investigate first-hand the security and user experience of deployed Multi-Factor Authentication recovery procedures. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect the documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of the security and user experience of their recovery procedures. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures that allowed us to circumvent and disable Multi-Factor Authentication when we had access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated.

    Cyber Security of Multi-Locational Work in Modern Organisation

    Multi-locational work has become an integral part of working life in recent decades, and during the Covid-19 pandemic it has continued to increase. The probability of certain cyber security risks has increased with this change. Based on the literature, this thesis presents the key cyber security risks in multi-locational work. The risks were categorised into four levels according to who is primarily responsible for the risk: primarily the employee's responsibility, shared responsibility between the employee and the organisation, primarily the organisation's responsibility, and abstract responsibility. A risk analysis matrix was chosen to illustrate the level of risk because it considers both the severity and the probability of each risk. The empirical part of the study was conducted as a case study of cyber security in a modern Finnish organisation, using both interviews and a questionnaire. The risk analysis matrix was then used to identify the level of risk in the organisation. Based on the risk analysis, priority proposals for action were targeted at those risks that are intolerable or significant. The risk assessment matrix was found to be a practical tool for assessing a company's cyber security risk. Once the level of risk has been identified, measures can be taken in the way most appropriate for the company, prioritising the risks that require immediate action or other necessary measures.

    An Empirical Assessment of the Use of Password Workarounds and the Cybersecurity Risk of Data Breaches

    Passwords have long been used to grant controlled access to classified spaces, electronics, networks, and more. However, the dramatic increase in user accounts over the past few decades has made clear that technological measures alone cannot ensure a high level of IS security; this leaves end-users holding a critical role in protecting their organisation's and their own personal information. The increased use of IS as a working tool for employees increases the number of accounts and passwords required. Despite being more aware of password entropy, users still often engage in deviant password behaviors, known as 'password workarounds' or 'shadow security.' These deviant password behaviors can put individuals and organizations at risk, resulting in data privacy breaches. This study, engaging 303 IS users and 27 Subject Matter Experts (SMEs), focused on designing, developing, and empirically validating the Password Workaround Cybersecurity Risk Taxonomy (PaWoCyRiT), a model grounded in the perceived cybersecurity risks of Password Workaround (PWWA) techniques and their usage frequency. A panel of SMEs validated the PWWA list drawn from the existing literature and recommended adjustments. Additionally, the perceived level of cybersecurity risk of each technique was measured from the 27 SMEs and 303 IS users, who also reported their own and their coworkers' engagement frequencies with the PWWA list. Notably, significant differences were found between SMEs and IS users in their aggregated perceptions of the cybersecurity risks of the PWWAs, with IS users perceiving higher risks. Engagement patterns varied between the groups, and factors such as years of IS experience, gender, and job level also differed significantly among groups. The PaWoCyRiT was developed to provide insights into password-related risks and behaviors.

    “We’ve Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments

    Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as a hardware token or one-time passwords from a mobile app. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures that allow their users to recover from losing access to their additional factor and that are both secure and easy to use. In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures and compare their deployment to the descriptions on help and support pages. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect the documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of the security and user experience of their recovery procedures. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures that allowed us to circumvent and disable Multi-Factor Authentication when we had access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated. Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.
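    The failure mode reported in both MFA-recovery abstracts above (control of the account's mailbox alone is enough to switch MFA off) next to a hardened recovery flow, as an added example. This is not code from either paper and does not reproduce their recommendations verbatim; the two recovery classes, the backup-code requirement, the per-account failure limit of five and the re-enrollment flag are design choices assumed here to make the contrast concrete. The e-mail delivery is simulated by returning the token to the caller.

```python
import hashlib
import hmac
import secrets


def _digest(value):
    # Backup codes are stored hashed; only the user holds the cleartext codes.
    return hashlib.sha256(value.encode()).hexdigest()


class Account:
    def __init__(self, email, backup_codes):
        self.email = email
        self.mfa_enabled = True
        self.must_reenroll_mfa = False
        self.unused_backup_codes = {_digest(c) for c in backup_codes}
        self.failed_recovery_attempts = 0


class EmailOnlyRecovery:
    """The insecure pattern: a link mailed to the account address is enough to turn MFA off."""

    def __init__(self):
        self.pending = {}

    def start(self, account):
        token = secrets.token_urlsafe(24)
        self.pending[token] = account  # in a real service this token goes out by e-mail
        return token

    def finish(self, token):
        account = self.pending.pop(token, None)
        if account is None:
            return False
        account.mfa_enabled = False  # mailbox access alone defeated the second factor
        return True


class EmailPlusBackupCodeRecovery:
    """Hardened variant (assumed design): the mailed link must be paired with an
    unused backup code, attempts are limited per account, each code is one-time,
    and the account is flagged to enroll a fresh factor instead of staying MFA-less."""

    MAX_FAILED_ATTEMPTS = 5

    def __init__(self):
        self.pending = {}

    def start(self, account):
        token = secrets.token_urlsafe(24)
        self.pending[token] = account
        return token

    def finish(self, token, backup_code):
        account = self.pending.get(token)
        if account is None:
            return False
        if account.failed_recovery_attempts >= self.MAX_FAILED_ATTEMPTS:
            return False  # locked: too many wrong codes for this account
        candidate = _digest(backup_code)
        matched = None
        for stored in account.unused_backup_codes:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            account.failed_recovery_attempts += 1
            return False
        account.unused_backup_codes.remove(matched)  # one-time use
        self.pending.pop(token)
        account.mfa_enabled = False
        account.must_reenroll_mfa = True
        return True


if __name__ == "__main__":
    victim = Account("victim@example.com", ["code-one", "code-two"])  # constructed
    weak = EmailOnlyRecovery()
    print("email-only recovery disabled MFA:", weak.finish(weak.start(victim)))
    victim2 = Account("victim@example.com", ["code-one", "code-two"])
    hard = EmailPlusBackupCodeRecovery()
    t = hard.start(victim2)
    print("email + guessed code:", hard.finish(t, "guess"), "mfa still on:", victim2.mfa_enabled)
    print("email + real code:", hard.finish(t, "code-one"))
```

    The point the hardened class makes is that the recovery secret must be something the mailbox does not contain: a backup code issued at enrollment, a second registered factor, or an out-of-band identity check. A recovery link that lands in the same inbox an attacker already controls is just a second password reset.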

    An Analysis of Modern Password Manager Security and Usage on Desktop and Mobile Devices

    Security experts recommend password managers to help users generate, store, and enter strong, unique passwords. Prior research confirms that managers do help users move towards these objectives, but it also identified usability and security issues that had the potential to leak user data or prevent users from making full use of their manager. In this dissertation, I set out to measure the extent to which modern managers have addressed these security issues in both desktop and mobile environments. Additionally, I interviewed individuals to understand their password management behavior. I begin my analysis by conducting the first security evaluation of the full password manager lifecycle (generation, storage, and autofill) on desktop devices, including the creation and analysis of a corpus of 147 million generated passwords. My results show that a small percentage of generated passwords are weak against both online and offline attacks, and that attacks against autofill mechanisms are still possible in modern managers. Next, I present a comparative analysis of autofill frameworks on iOS and Android. I find that these frameworks fail to properly verify webpage security, and I identify a new class of phishing attacks enabled by incorrect handling of autofill within WebView controls hosted in apps. Finally, I interview users of third-party password managers to understand both how and why they use their managers as they do. I find evidence that many users rely on multiple password managers to work around issues with their existing managers, and I provide explanations for why password reuse continues even in the presence of a password manager. Based on these results, I conclude with recommendations addressing the attacks and usability issues identified in this work.

    Federated Detection of Cross-Site Credential Vulnerabilities and Attacks

    Among the most prominent threats to web accounts today are cross-site credential attacks. A good example is the theft of a user's password at one website, e.g., through a breach of that website's credential database, and the subsequent use of the stolen password to gain access to the same user's accounts at other websites. These attacks, termed credential stuffing, are effective because people tend to reuse passwords, or guessable variants of them, across their accounts. Credential stuffing has become a primary cause of account takeovers, allowing the attacker to drain accounts of stored value, credit card numbers, and other personal information. Moreover, preventing, detecting, and cleaning up compromised accounts and the value thus stolen is a significant cost for service providers. Aside from the direct harm to users' accounts, credential stuffing can also weaken other account defenses, e.g., the honeyword scheme for detecting logins with passwords leaked from compromised databases. This dissertation addresses these cross-site credential vulnerabilities and attacks by developing technical approaches that allow websites to jointly detect and mitigate these threats effectively and securely. We propose (i) a framework by which websites can coordinate to make it difficult for users to reuse the same or similar passwords across different websites; (ii) a framework by which websites can coordinate to effectively detect active credential stuffing on individual user accounts; (iii) a framework, Amnesia, that uses decoy passwords to detect credential database breaches by detecting the local entry and remote stuffing of decoy passwords without relying on any secret state; and (iv) two efficient private set operation protocols that support the three proposed frameworks in achieving their security and practicality goals.
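    The interaction the abstract points at between honeywords and credential stuffing, as an added example that is not code from the dissertation and not the Amnesia design. It models the classic honeyword arrangement (per user, the real password hashed alongside decoy "sweetwords", with a separate honeychecker that alone knows which index is real, so that a login with a decoy signals that the credential database has leaked) and then shows how an attacker who also holds the same user's password from another site can pick the real sweetword out of the leaked set. The user name, passwords, decoys, the similarity heuristic and the use of SHA-256 in place of a slow password hash are all constructed assumptions.

```python
import difflib
import hashlib
import random


def _digest(password):
    # Stand-in for a slow password hash (bcrypt/argon2 in a real deployment).
    return hashlib.sha256(password.encode()).hexdigest()


class Honeychecker:
    """Separate hardened service that knows only which sweetword index is real."""

    def __init__(self):
        self.real_index = {}
        self.alarms = []

    def register(self, user, index):
        self.real_index[user] = index

    def check(self, user, index):
        if index == self.real_index[user]:
            return True
        self.alarms.append(user)  # a decoy was presented: the credential DB has leaked
        return False


class CredentialStore:
    """The website's password database: per user, hashes of k sweetwords in random order."""

    def __init__(self, rng=None):
        self.rows = {}
        self.rng = rng if rng is not None else random.SystemRandom()

    def enroll(self, user, real_password, decoys, checker):
        sweetwords = [real_password, *decoys]
        self.rng.shuffle(sweetwords)
        self.rows[user] = [_digest(s) for s in sweetwords]
        checker.register(user, sweetwords.index(real_password))
        return sweetwords  # returned only so the example can play the attacker below

    def login(self, user, password, checker):
        hashes = self.rows.get(user, [])
        candidate = _digest(password)
        if candidate not in hashes:
            return "denied"
        return "ok" if checker.check(user, hashes.index(candidate)) else "alarm"


def stuffing_pick(cracked_sweetwords, password_from_other_site):
    """Attacker heuristic: having cracked the leaked sweetwords and holding the
    user's password from another site, choose the sweetword most similar to it."""
    return max(
        cracked_sweetwords,
        key=lambda s: difflib.SequenceMatcher(None, s, password_from_other_site).ratio(),
    )


if __name__ == "__main__":
    checker = Honeychecker()
    store = CredentialStore()
    # Constructed user: real password plus four decoys shaped like it.
    leaked = store.enroll("alice", "Tigers2019!",
                          ["Tigers2013!", "Lions2019!", "Tigers1999#", "Bears2017!"], checker)
    print("real login:", store.login("alice", "Tigers2019!", checker))
    decoy = next(s for s in leaked if s != "Tigers2019!")
    print("decoy login:", store.login("alice", decoy, checker), "alarms:", checker.alarms)
    # The same user reused a near-identical password at another breached site.
    print("stuffing pick:", stuffing_pick(leaked, "Tigers2019"))
```

    Without outside knowledge, an attacker who cracks the leaked row has a 1-in-k chance per attempt of hitting the real password and a (k-1)-in-k chance of tripping the alarm. A reused password from a second breach collapses that to a single correct guess, which is the weakening the abstract describes and the reason the dissertation ties breach detection to cross-site coordination.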