Protecting Password Databases using Trusted Hardware

Peer reviewe

Towards more Secure and Efficient Password Databases

Password databases form one of the backbones of nowadays web applications. Every web application needs to store its users’ credentials (email and password) in an efficient way, and in popular applications (Google, Facebook, Twitter, etc.) these databases can grow to store millions of user credentials simultaneously. However, despite their critical nature and susceptibility to targeted attacks, the techniques used for securing password databases are still very rudimentary, opening the way to devastating attacks. Just in the year of 2016, and as far as publicly disclosed, there were more than 500 million passwords stolen in internet hacking attacks. To solve this problem we commit to study several schemes like property-preserving encryption schemes (e.g. deterministic encryption), encrypted data-structures that support operations (e.g. searchable encryption), partially homomorphic encryption schemes, and commodity trusted hardware (e.g. TPM and Intel SGX). In this thesis we propose to make a summary of the most efficient and secure techniques for password database management systems that exist today and recreating them to accommodate a new and simple universal API. We also propose SSPM(Simple Secure Password Management), a new password database scheme that simultaneously improves efficiency and security of current solutions existing in literature. SSPM is based on Searchable Symmetric Encryption techniques, more specifically ciphered data structures, that allow efficient queries with the minimum leak of access patterns. SSPM adapts these structures to work with the necessary operation of password database schemes preserving the security guarantees. Furthermore, SSPM explores the use of trusted hardware to minimize the revelation of access patterns during the execution of operations and protecting the storage of cryptographic keys. Experimental results with real password databases shows us that SSPM has a similar performance compared with the solutions used today in the industry, while simultaneous increasing the offered security conditions

Using Probabilistic Context-Free Grammar to Create Password Guessing Models

This paper will discuss two versions of probabilistic context-free grammar password-guessing models. The first model focuses on using English semantics to break down passwords and identify patterns. The second model identifies repeating chunks in passwords and uses this information to create possible passwords. Then, we will show the performance of each model on leaked password databases, and finally discuss the observations made on these tests

PassViz: A Visualisation System for Analysing Leaked Passwords

Passwords remain the most widely used form of user authentication, despite advancements in other methods. However, their limitations, such as susceptibility to attacks, especially weak passwords defined by human users, are well-documented. The existence of weak human-defined passwords has led to repeated password leaks from websites, many of which are of large scale. While such password leaks are unfortunate security incidents, they provide security researchers and practitioners with good opportunities to learn valuable insights from such leaked passwords, in order to identify ways to improve password policies and other security controls on passwords. Researchers have proposed different data visualisation techniques to help analyse leaked passwords. However, many approaches rely solely on frequency analysis, with limited exploration of distance-based graphs. This paper reports PassViz, a novel method that combines the edit distance with the t-SNE (t-distributed stochastic neighbour embedding) dimensionality reduction algorithm for visualising and analysing leaked passwords in a 2-D space. We implemented PassViz as an easy-to-use command-line tool for visualising large-scale password databases, and also as a graphical user interface (GUI) to support interactive visual analytics of small password databases. Using the "000webhost" leaked database as an example, we show how PassViz can be used to visually analyse different aspects of leaked passwords and to facilitate the discovery of previously unknown password patterns. Overall, our approach empowers researchers and practitioners to gain valuable insights and improve password security through effective data visualisation and analysis

@Egan Newsletter

New Library Catalog Coming!; New Bookshelf; RefWorks; Staff Profile: Beatrice Franklin; Changes to the Egan Website; Coming Jan 1st: Capital City Libraries’ New Catalog

Forensically-Sound Analysis of Security Risks of using Local Password Managers

Password managers have been developed to address the human challenges associated with password security, i.e., to solve usability issues in a secure way. They offer, e.g., features to create strong passwords, to manage the increasing number of passwords a typical user has, and to auto-fill passwords, sparing users the hassle of not only remembering but also typing them. Previous studies have focused mainly on the security analysis of cloud-based and browser-based password managers; security of local password managers remains mostly under-explored. This paper takes a forensic approach and reports on a case study of three popular local password managers: KeePass (v2.28), Password Safe (v3.35.1) and RoboForm (v7.9.12). Results revealed that either the master password or the content of the password database could be found unencrypted in Temp folders, Page files or Recycle bin, even after the applications had been closed. Therefore, an attacker or malware with temporary access to the computer on which the password managers were running may be able to steal sensitive information, even though these password managers are meant to keep the databases encrypted and protected at all times

Password Cracking Based on Special Keyboard Patterns

[[abstract]]Passwords are still the most commonly used mechanism for user authentication. However, they are vulnerable to dictionary attacks. In order to guard against such attacks, administrative policies force the use of complex rules to create passwords. One commonly used "trick" is to use keyboard patterns, i.e., key patterns on a keyboard, to create passwords that conform to the complex rules. This paper proposes an efficient and effective method to attack passwords generated from some special keyboard patterns. We create a framework to formally describe the commonly used keyboard patterns of adjacent keys and parallel keys, called AP patterns, to generate password databases. Our simulation results show that the password space generated using AP patterns is about 244.47 times smaller than that generated for a brute-force attack. We also design a hybrid password cracking system consisting of different attacking methods to verify the effectiveness. Our results show that the number of passwords cracked increases up to 114% on average than without applying AP patterns.[[incitationindex]]SCI[[incitationindex]]EI[[booktype]]紙