Towards more Secure and Efficient Password Databases
Password databases form one of the backbones of today's web applications. Every web application needs to store its users' credentials (email and password) in an efficient way, and in popular applications (Google, Facebook, Twitter, etc.) these databases can grow to store millions of user credentials simultaneously. However, despite their critical nature and susceptibility to targeted attacks, the techniques used for securing password databases are still very rudimentary, opening the way to devastating attacks. In the year 2016 alone, as far as publicly disclosed, more than 500 million passwords were stolen in internet hacking attacks.

To solve this problem we commit to studying several schemes such as property-preserving encryption schemes (e.g. deterministic encryption), encrypted data structures that support operations (e.g. searchable encryption), partially homomorphic encryption schemes, and commodity trusted hardware (e.g. TPM and Intel SGX).

In this thesis we propose to summarise the most efficient and secure techniques for password database management systems that exist today and to recreate them to accommodate a new and simple universal API.

We also propose SSPM (Simple Secure Password Management), a new password database scheme that simultaneously improves the efficiency and security of current solutions in the literature. SSPM is based on Searchable Symmetric Encryption techniques, more specifically ciphered data structures that allow efficient queries with minimal leakage of access patterns. SSPM adapts these structures to work with the operations required by password database schemes while preserving the security guarantees.

Furthermore, SSPM explores the use of trusted hardware to minimise the revelation of access patterns during the execution of operations and to protect the storage of cryptographic keys. Experimental results with real password databases show that SSPM has performance similar to the solutions used today in industry, while simultaneously increasing the security guarantees offered.
Using Probabilistic Context-Free Grammar to Create Password Guessing Models
This paper discusses two versions of probabilistic context-free grammar password-guessing models. The first model uses English semantics to break down passwords and identify patterns. The second model identifies repeating chunks in passwords and uses this information to create possible passwords. We then show the performance of each model on leaked password databases, and finally discuss the observations made during these tests.
PassViz: A Visualisation System for Analysing Leaked Passwords
Passwords remain the most widely used form of user authentication, despite
advancements in other methods. However, their limitations, such as
susceptibility to attacks, especially weak passwords defined by human users,
are well-documented. The existence of weak human-defined passwords has led to
repeated password leaks from websites, many of which are of large scale. While
such password leaks are unfortunate security incidents, they provide security
researchers and practitioners with good opportunities to learn valuable
insights from such leaked passwords, in order to identify ways to improve
password policies and other security controls on passwords. Researchers have
proposed different data visualisation techniques to help analyse leaked
passwords. However, many approaches rely solely on frequency analysis, with
limited exploration of distance-based graphs. This paper reports PassViz, a
novel method that combines the edit distance with the t-SNE (t-distributed
stochastic neighbour embedding) dimensionality reduction algorithm for
visualising and analysing leaked passwords in a 2-D space. We implemented
PassViz as an easy-to-use command-line tool for visualising large-scale
password databases, and also as a graphical user interface (GUI) to support
interactive visual analytics of small password databases. Using the
"000webhost" leaked database as an example, we show how PassViz can be used to
visually analyse different aspects of leaked passwords and to facilitate the
discovery of previously unknown password patterns. Overall, our approach
empowers researchers and practitioners to gain valuable insights and improve
password security through effective data visualisation and analysis.
Forensically-Sound Analysis of Security Risks of using Local Password Managers
Password managers have been developed to address the human challenges associated with password security, i.e., to solve usability issues in a secure way. They offer, e.g., features to create strong passwords, to manage the increasing number of passwords a typical user has, and to auto-fill passwords, sparing users the hassle of not only remembering but also typing them. Previous studies have focused mainly on the security analysis of cloud-based and browser-based password managers; the security of local password managers remains mostly under-explored. This paper takes a forensic approach and reports on a case study of three popular local password managers: KeePass (v2.28), Password Safe (v3.35.1) and RoboForm (v7.9.12). Results revealed that either the master password or the content of the password database could be found unencrypted in Temp folders, page files or the Recycle Bin, even after the applications had been closed. Therefore, an attacker or malware with temporary access to the computer on which the password managers were running may be able to steal sensitive information, even though these password managers are meant to keep the databases encrypted and protected at all times.
Password Cracking Based on Special Keyboard Patterns
Passwords are still the most commonly used mechanism for user authentication. However, they are vulnerable to dictionary attacks. In order to guard against such attacks, administrative policies force the use of complex rules to create passwords. One commonly used "trick" is to use keyboard patterns, i.e., key patterns on a keyboard, to create passwords that conform to the complex rules. This paper proposes an efficient and effective method to attack passwords generated from some special keyboard patterns. We create a framework to formally describe the commonly used keyboard patterns of adjacent keys and parallel keys, called AP patterns, to generate password databases. Our simulation results show that the password space generated using AP patterns is about 244.47 times smaller than that generated for a brute-force attack. We also design a hybrid password cracking system consisting of different attacking methods to verify the effectiveness. Our results show that the number of passwords cracked increases by up to 114% on average compared with not applying AP patterns.