Arseny Kurnikov
Andrew Paverd
Mohammad Mannan
ABSTRACT
Although passwords are by far the most widely-used user authentication mechanism on the web, their security is threatened by password phishing and password database breaches. SafeKeeper is a system for protecting web passwords against very strong adversaries, including sophisticated phishers and compromised servers. Compared to other approaches, one of the key differentiating aspects of SafeKeeper is that it provides web users with verifiable assurance that their passwords are being protected. In this paper, we demonstrate precisely how SafeKeeper can be used to protect web passwords in real-world systems. We first explain two important deployability aspects: i) how SafeKeeper can be integrated into the popular WordPress platform, and ii) how ordinary web users can use Intel SGX remote attestation to verify that SafeKeeper is running on a particular server. We then describe three demonstrations to illustrate the use of SafeKeeper: i) showing the user experience when visiting a legitimate website; ii) showing the encryption of the password in transit via live packet-capture; and iii) showing how SafeKeeper performs in the presence of phishing.
- A. Biryukov, D. Dinu, and D. Khovratovich. 2016. Argon2: New Generation of Memory-Hard Functions for Password Hashing and Other Applications IEEE European Symposium on Security and Privacy.Google Scholar
- J. Blocki and A. Datta. 2016. CASH: A Cost Asymmetric Secure Hash Algorithm for Optimal Password Protection IEEE Computer Security Foundations Symposium.Google Scholar
- Hristo Bojinov, Elie Bursztein, Xavier Boyen, and Dan Boneh. 2010. Kamouflage: Loss-Resistant Password Management. In European Symposium on Research in Computer Security. Google ScholarDigital Library
- Joseph Bonneau. 2012. The Science of Guessing: Analyzing an Anonymized Corpus of 70 million Passwords IEEE Symposium on Security and Privacy. Google ScholarDigital Library
- Rahul Chatterjee, Joseph Bonneau, Ari Juels, and Thomas Ristenpart. 2015. Cracking-Resistant Password Vaults using Natural Language Encoders IEEE Symposium on Security and Privacy. Google ScholarDigital Library
- HTTrack Website Copier. 2017. (2017). https://www.httrack.com/Google Scholar
- Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, and XiaoFeng Wang. 2014. The Tangled Web of Password Reuse. In Network and Distributed Systems Symposium.Google Scholar
- Intel Corporation. 2017. Software Guard Extensions (Intel SGX). (2017). https://software.intel.com/en-us/sgxGoogle Scholar
- Klaudia Krawiecka, Arseny Kurnikov, Andrew Paverd, Mohammad Mannan, and N. Asokan. 2018. SafeKeeper: Protecting Web Passwords using Trusted Execution Environments The Web Conference (WWW). Google ScholarDigital Library
- PHP-CPP: A CGoogle Scholar
- library for developing PHP extensions. 2017. (2017). http://www.php-cpp.com/Google Scholar
- PHPass: Portable PHP password hashing framework. 2017. (2017). http://www.openwall.com/phpass/Google Scholar
- PhishTank.com. 2017. Statistics about phishing activity and PhishTank usage. (2017). https://www.phishtank.com/stats.phpGoogle Scholar
- Stanford PwdHash. 2017. (2017). https://pwdhash.github.io/websiteGoogle Scholar
- Have I Been Pwned. 2017. (2017). https://haveibeenpwned.com/pwnedwebsitesGoogle Scholar
- K. Thomas, F. Li, A. Zand, J. Barrett, J. Ranieri, L. Invernizzi, Y. Markov, O. Comanescu, V. Eranti, A. Moscicki, D. Margolis, V. Paxson, and E. Bursztein. 2017. Data Breaches, Phishing, or Malware: Understanding the Risks of Stolen Credentials ACM SIGSAC Conference on Computer and Communications Security. Google ScholarDigital Library
Index Terms
- Using SafeKeeper to Protect Web Passwords
Recommendations
SafeKeeper: Protecting Web Passwords using Trusted Execution Environments
WWW '18: Proceedings of the 2018 World Wide Web ConferencePasswords are by far the most widely-used mechanism for authenticating users on the web, out-performing all competing solutions in terms of deployability (e.g. cost and compatibility). However, two critical security concerns are phishing and theft of ...
Passwords decay, words endure: secure and re-usable multiple password mnemonics
SAC '07: Proceedings of the 2007 ACM symposium on Applied computingResearch on password authentication systems has repeatedly shown that people choose weak passwords because of the difficulty of remembering random passwords. Moreover, users with multiple passwords for unrelated activities tend to choose almost similar ...
System-Assigned Passwords: The Disadvantages of the Strict Password Management Policies
After Morris and Thompson wrote the first paper on password security in 1979, strict password policies have been enforced to make sure users follow the rules on passwords. Many such policies require users to select and use a system-generated password. The ...
Comments