StopGuessing: Using Guessed Passwords to Thwart Online Guessing

Practitioners who seek to defend password-protected resources from online guessing attacks will find a shortage of tooling and techniques to help them. Little research suggests anything beyond blocking or throttling traffic from IP addresses sending suspicious traffic; counting failed authentication requests, or some variant, is often the sole feature used to determine suspicion. In this paper we show that several other features can greatly help distinguish benign traffic from attack traffic. First, we increase the penalties for clients responsible for failure events involving passwords that attackers guess frequently. Second, we reduce the blocking threshold (and thus protect better) for accounts with weak passwords. Third, we detect, and are more forgiving of, login failures caused by users mistyping their passwords. Most importantly, we achieve all of these goals without needing any marker that indicates weak accounts, changing the format in which passwords are stored (i.e., we do not store passwords in plaintext or in any recoverable form), or storing any information that might be harmful if leaked. We present an open-source implementation of this system and demonstrate its improvement over simpler blocking strategies in various simulated scenarios.
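The three features the abstract names (heavier penalties for failures that use frequently-guessed passwords, a lower block threshold for accounts whose own password is a popular guess, and forgiveness for typos) can be shown in one small scoring model. The code below is an added illustration written for this page; it is not the paper's algorithm and not its open-source implementation. Everything in it is an assumption of the example: the count-min sketch of failed guesses keyed with a secret, the `LoginGuard` class and its `attempt` method, the penalty and threshold constants, the Levenshtein-plus-caps-lock typo test, and the short-lived in-memory buffer of recent failed submissions (the paper claims a design that stores nothing harmful, which this simplification does not reproduce). The scenario in `demo()` is constructed. One design point the model does capture is that account weakness and earlier typos are only judged at the moment the correct password is submitted, so no weak-account marker and no recoverable password need to be stored.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Tunables are constructed for this illustration, not values from the paper.
FREQUENT_GUESS_THRESHOLD = 3   # sketch count at which a password counts as "frequently guessed"
FAILED_ATTEMPT_WINDOW = 600    # seconds a failed submission is remembered for typo detection
THRESHOLD_NORMAL = 10.0        # block score for accounts whose password is not a popular guess
THRESHOLD_WEAK = 4.0           # lower block score for accounts whose password is a popular guess
PENALTY_BASE = 1.0             # cost of an ordinary failed attempt
PENALTY_FREQUENT = 2.0         # added cost when the failed guess is a frequently-guessed password
PENALTY_TYPO = 0.25            # what a failure costs once it is recognised as a likely typo


class CountMinSketch:
    """Approximate counts of passwords seen in failed attempts. Indices are keyed HMACs,
    so the table holds only counters, not password hashes that could be tested offline."""

    def __init__(self, key=None, width=1024, depth=4):
        self.key = key if key is not None else os.urandom(32)
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _index(self, password, row):
        digest = hmac.new(self.key, f"{row}:{password}".encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big") % self.width

    def add(self, password):
        for row in range(self.depth):
            self.table[row][self._index(password, row)] += 1

    def estimate(self, password):
        return min(self.table[row][self._index(password, row)] for row in range(self.depth))


def edit_distance(a, b):
    """Plain Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_typo(submitted, correct):
    """A caps-lock flip or a single-character edit of the correct password."""
    return submitted.swapcase() == correct or edit_distance(submitted, correct) <= 1


class LoginGuard:
    def __init__(self, verify_password, sketch_key=None):
        self.verify_password = verify_password       # callback: (username, password) -> bool
        self.guessed = CountMinSketch(sketch_key)     # popularity of failed guesses
        self.client_score = defaultdict(float)        # accumulated penalty per client
        # Recent failed submissions per (client, account), kept in memory only for a short
        # window so they can be compared with the correct password once it arrives.
        # This buffer is an assumption of the illustration, not the paper's mechanism.
        self.recent_failures = defaultdict(deque)

    def _expire(self, key, now):
        q = self.recent_failures[key]
        while q and now - q[0][0] > FAILED_ATTEMPT_WINDOW:
            q.popleft()

    def attempt(self, client, username, password, now=None):
        now = time.time() if now is None else now
        key = (client, username)
        self._expire(key, now)
        if not self.verify_password(username, password):
            # Feature 1: failures with frequently-guessed passwords are penalised more.
            self.guessed.add(password)
            penalty = PENALTY_BASE
            if self.guessed.estimate(password) >= FREQUENT_GUESS_THRESHOLD:
                penalty += PENALTY_FREQUENT
            self.client_score[client] += penalty
            self.recent_failures[key].append((now, password, penalty))
            return "FAIL"
        # The correct password is in hand, so weakness and earlier typos can be judged now.
        # Feature 3: refund most of the penalty for failures that were near-misses.
        for _, failed, charged in self.recent_failures[key]:
            if looks_like_typo(failed, password):
                self.client_score[client] -= charged - PENALTY_TYPO
        self.recent_failures[key].clear()
        # Feature 2: lower block threshold when the account's own password is a popular guess.
        weak = self.guessed.estimate(password) >= FREQUENT_GUESS_THRESHOLD
        threshold = THRESHOLD_WEAK if weak else THRESHOLD_NORMAL
        return "BLOCKED" if self.client_score[client] > threshold else "OK"


def demo():
    """Constructed scenario: one client sprays a popular password across accounts, a
    legitimate user mistypes twice, and the owner of a weak-password account logs in."""
    users = {"alice": "correct horse battery staple", "bob": "password1", "carol": "qwerty123"}
    guard = LoginGuard(lambda u, p: users.get(u) == p, sketch_key=b"constructed-demo-key")
    t, results = 1000.0, {}
    for target in ("u1", "u2", "u3", "u4"):   # four failures; the last two are "frequent"
        guard.attempt("10.0.0.1", target, "password1", t)
    results["attacker_score"] = guard.client_score["10.0.0.1"]                        # 1+1+3+3 = 8.0
    results["attacker_weak_account"] = guard.attempt("10.0.0.1", "bob", "password1", t)   # BLOCKED
    results["attacker_strong_account"] = guard.attempt("10.0.0.1", "alice", users["alice"], t)  # OK, 8 <= 10
    guard.attempt("192.0.2.7", "carol", "Qwerty123", t)        # typo: wrong case on first letter
    guard.attempt("192.0.2.7", "carol", "qwerty12", t + 5)     # typo: dropped a character
    results["carol"] = guard.attempt("192.0.2.7", "carol", "qwerty123", t + 10)   # OK
    results["carol_score"] = guard.client_score["192.0.2.7"]   # 2.0 charged, 1.5 refunded -> 0.5
    results["bob_owner"] = guard.attempt("198.51.100.9", "bob", "password1", t)   # OK, score 0 <= 4
    return results


if __name__ == "__main__":
    print(demo())
```

The constructed run shows the trade-off a defender should expect from feature 2: the spraying client is blocked from the account whose password it has been guessing elsewhere, while the same client score is still under the normal threshold for an account whose password has never appeared in failed attempts, so the lower threshold only ever protects accounts whose passwords are popular guesses. Applying the typo refund at success time keeps the scoring memoryless about which accounts are weak and leaves the sketch holding only keyed counters.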
