Modern Web browsers do not provide sufficient protection to prevent users from submitting their online passwords to inappropriate websites. As a result, users may accidentally reveal their passwords for high-security websites to inappropriate low-security websites or even to phishing websites. In this paper, we address this limitation of modern browsers by proposing LoginInspector, a profiling-based warning mechanism. The key idea of LoginInspector is to continuously monitor a user's login actions and to securely store hashed, domain-specific records of successful logins in an in-browser database. Later, whenever the user attempts to log into a website for which no such successful-login record exists, LoginInspector warns the user and lets them make an informed decision about whether to actually send the login information to that website. LoginInspector can also report users' insecure password practices to system administrators, so that targeted training and technical assistance can be provided to vulnerable users. We implemented LoginInspector as a Firefox browser extension and evaluated it on 30 popular legitimate websites, 30 sample phishing websites, and one new phishing scam discovered by M86 Security Labs. Our evaluation and analysis indicate that LoginInspector is a secure and useful mechanism that can be easily integrated into modern Web browsers to complement their existing protection mechanisms. Security system administrators at our university commented that such a tool could be very helpful in strengthening campus IT security.