Who Is Reusing Stolen Passwords? An Empirical Study on Stolen Passwords and Countermeasures

The combination of a login and a password is still the most widely used identification and authentication method on the internet. Although numerous studies and articles have pointed out the extreme weakness of this authentication method, almost every website still asks for a password string to create an account. Strong password policies were introduced to reduce the risk of a password being guessed or cracked with traditional password crackers, but what is the benefit of a strongly constructed password if the whole credential database is stolen and leaked? Every day hundreds of websites are breached and the contents of their credential databases are exposed to the entire world. Millions of online accounts are then accessed illegally by various people, with different levels of damage. Who are these people? What is their purpose? How can they be prevented from replaying stolen passwords? In this paper, we conduct an empirical study of the people who reuse stolen passwords found on the internet or on the dark web. We deployed a fake banking website in honeypot mode, shared 3,300 fake logins and passwords on the websites traditionally used for this purpose, then recorded the attackers' activities and compiled statistics. We also propose a solution to reduce attempts to replay stolen passwords, and we measured the impact of this solution.
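The core of the methodology described above is a set of seeded honeytoken credentials and a login endpoint that records every attempt to replay them. The following is an added example, not code from the paper or its authors, of the bookkeeping such a honeypot needs: seeded pairs stored as keyed hashes so the honeypot's own table is not a usable credential list, and per-attempt recording of source address, which leak site the pair came from, and the delay between leak and first replay. All usernames, passwords, addresses, timestamps and site labels are constructed sample data, and the countermeasure the abstract mentions is not described there, so none is shown here.

```python
"""
Honeytoken-credential monitor for a honeypot login endpoint.

Added example; not the paper's code. Models seeding fake credentials,
then classifying login attempts as replays of a seeded pair or not,
and deriving the kind of statistics the abstract refers to.
"""
from __future__ import annotations

import hashlib
import hmac
import statistics
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a server-side secret generated once and never published with
# the seeded credentials. Seeds are stored as HMACs of "user\0password", so a
# stolen copy of this table cannot be replayed elsewhere.
HONEYPOT_KEY = b"constructed-demo-key-do-not-reuse"


def credential_tag(username: str, password: str) -> str:
    """Keyed, non-reversible tag for a username/password pair.
    The NUL separator keeps ("ab","c") and ("a","bc") from colliding."""
    msg = f"{username}\x00{password}".encode()
    return hmac.new(HONEYPOT_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class Seed:
    username: str
    leaked_at: datetime   # when the fake pair was posted
    source: str           # constructed label for where it was posted


@dataclass
class Replay:
    tag: str
    username: str
    src_ip: str
    seen_at: datetime
    source: str
    delay: timedelta      # time between posting and this replay


class HoneytokenMonitor:
    def __init__(self) -> None:
        self._seeds: dict[str, Seed] = {}   # tag -> seed metadata
        self.replays: list[Replay] = []
        self.unmatched = 0                  # attempts using no seeded pair

    def seed(self, username: str, password: str,
             leaked_at: datetime, source: str) -> None:
        self._seeds[credential_tag(username, password)] = Seed(
            username, leaked_at, source)

    def login_attempt(self, username: str, password: str,
                      src_ip: str, seen_at: datetime) -> bool:
        """Record one attempt; True if it replays a seeded pair exactly.
        Attempts that only reuse a seeded username are counted as unmatched."""
        tag = credential_tag(username, password)
        seed = self._seeds.get(tag)
        if seed is None:
            self.unmatched += 1
            return False
        self.replays.append(Replay(tag, username, src_ip, seen_at,
                                   seed.source, seen_at - seed.leaked_at))
        return True

    def attempts_by_ip(self) -> Counter:
        return Counter(r.src_ip for r in self.replays)

    def replayed_fraction(self) -> float:
        """Share of seeded pairs that were replayed at least once."""
        if not self._seeds:
            return 0.0
        return len({r.tag for r in self.replays}) / len(self._seeds)

    def median_delay_hours(self) -> float:
        if not self.replays:
            return 0.0
        return statistics.median(
            r.delay.total_seconds() / 3600 for r in self.replays)


def demo() -> dict:
    """Run the monitor over constructed seeds and attempts; returns stats."""
    t0 = datetime(2024, 1, 1, 12, 0)
    mon = HoneytokenMonitor()
    seeds = [("alice.k", "Winter2023!", "paste-site"),
             ("bob.m", "hunter2", "paste-site"),
             ("carol.p", "Qwerty!23", "forum")]
    for i, (u, p, src) in enumerate(seeds):
        mon.seed(u, p, t0 + timedelta(minutes=i), src)
    attempts = [  # constructed login log: (user, password, src_ip, time)
        ("alice.k", "Winter2023!", "198.51.100.7", t0 + timedelta(hours=3)),
        ("bob.m", "hunter2", "198.51.100.7", t0 + timedelta(hours=3, minutes=1)),
        ("bob.m", "wrongpass", "198.51.100.7", t0 + timedelta(hours=3, minutes=2)),
        ("dave.r", "letmein", "192.0.2.55", t0 + timedelta(hours=5)),
        ("alice.k", "Winter2023!", "203.0.113.9", t0 + timedelta(hours=30)),
    ]
    for u, p, ip, at in attempts:
        mon.login_attempt(u, p, ip, at)
    return {
        "replays": len(mon.replays),
        "unmatched": mon.unmatched,
        "by_ip": dict(mon.attempts_by_ip()),
        "replayed_fraction": mon.replayed_fraction(),
        "median_delay_hours": mon.median_delay_hours(),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the endpoint would additionally accept the replayed credential and present the fake banking interface, so that post-login behaviour can be recorded as the abstract describes; the monitor above only covers the classification and statistics.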