Protecting accounts from credential stuffing with password breach alertingProtecting accounts from credential stuffing with password breach alerting
  1. publications
  2. security

Protecting accounts from credential stuffing with password breach alerting

Available Media

Publication (Pdf)

ConferenceProceedings of the USENIX Security Symposium
AuthorsKurt Thomas , Jennifer Pullman , Kevin Yeo ,
Award Distinguished paper award
Citation

Bibtex Citation

@inproceedings{ THOMAS2019PROTECTING,title = {Protecting accounts from credential stuffing with password breach alerting},author = {"Kurt, Thomas" and "Jennifer, Pullman" and "Kevin, Yeo" and "Ananth, Raghunathan" and "Patrick, Gage Kelley" and "Luca, Invernizzi" and "Borbala, Benko" and "Tadek, Pietraszek" and "Sarvar, Patel" and "Dan, Boneh" and "Elie, Bursztein"},booktitle = {Proceedings of the USENIX Security Symposium},year = {2019},organization = {Usenix}}

Protecting accounts from credential stuffing attacks remains burdensome due to an asymmetry of knowledge: attackers have wide-scale access to billions of stolen usernames and passwords, while users and identity providers remain in the dark as to which accounts require remediation. In this paper, we propose a privacy-preserving protocol whereby a client can query a centralized breach repository to determine whether a specific username and password combination is publicly exposed, but without revealing the information queried. Here, a client can be an end user, a password manager, or an identity provider. To demonstrate the feasibility of our protocol, we implement a cloud service that mediates access to over 4 billion credentials found in breaches and a Chrome extension serving as an initial client. Based on anonymous telemetry from nearly 670,000 users and 21 million logins, we find that 1.5% of logins on the web involve breached credentials. By alerting users to this breach status, 26% of our warnings result in users migrating to a new password, at least as strong as the original. Our study illustrates how secure, democratized access to password breach alerting can help mitigate one dimension of account hijacking.

Recent

newsletter signup slide

Get cutting edge research directly in your inbox.

newsletter signup slide

Get cutting edge research directly in your inbox.