SAuth: protecting user accounts from password database leaks

Authors:
Georgios Kontaxis;Elias Athanasopoulos;Georgios Portokalidis;Angelos D. Keromytis
Affiliations:
Columbia University, New York, NY, USA;Columbia University, New York, NY, USA;Stevens Institute of Technology, Hoboken, NJ, USA;Columbia University, New York, NY, USA
Venue:
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Year:
2013

Citing 31
Cited 0

Foundations of statistical natural language processing

Foundations of statistical natural language processing
How to share a secret

Communications of the ACM
The battle against phishing: Dynamic Security Skins

SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Do security toolbars actually prevent phishing attacks?

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Password management strategies for online accounts

SOUPS '06 Proceedings of the second symposium on Usable privacy and security
OpenID 2.0: a platform for user-centric identity management

Proceedings of the second ACM workshop on Digital identity management
A large-scale study of web password habits

Proceedings of the 16th international conference on World Wide Web
Déjà Vu: a user study using images for authentication

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Stronger password authentication using browser extensions

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
A future-adaptive password scheme

ATEC '99 Proceedings of the annual conference on USENIX Annual Technical Conference
Beamauth: two-factor web authentication with a bookmark

Proceedings of the 14th ACM conference on Computer and communications security
It's No Secret. Measuring the Security and Reliability of Authentication via "Secret Questions

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Password Cracking Using Probabilistic Context-Free Grammars

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Characterizing user behavior in online social networks

Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Parallel browsing behavior on the web

Proceedings of the 21st ACM conference on Hypertext and hypermedia
Encountering stronger password requirements: user attitudes and behaviors

Proceedings of the Sixth Symposium on Usable Privacy and Security
The security of modern password expiration: an algorithmic framework and empirical analysis

Proceedings of the 17th ACM conference on Computer and communications security
Kamouflage: loss-resistant password management

ESORICS'10 Proceedings of the 15th European conference on Research in computer security
BotSwindler: tamper resistant injection of believable decoys in VM-based hosts for crimeware detection

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
A billion keys, but few locks: the crisis of web single sign-on

Proceedings of the 2010 workshop on New security paradigms
Using Fingerprint Authentication to Reduce System Security: An Empirical Study

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Password-protected secret sharing

Proceedings of the 18th ACM conference on Computer and communications security
Password exhaustion: predicting the end of password usefulness

ICISS'06 Proceedings of the Second international conference on Information Systems Security
Perfectly secure password protocols in the bounded retrieval model

TCC'06 Proceedings of the Third conference on Theory of Cryptography
Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Graphical passwords: Learning from the first twelve years

ACM Computing Surveys (CSUR)
Practical yet universally composable two-server password-authenticated secret sharing

Proceedings of the 2012 ACM conference on Computer and communications security
Rethinking passwords

Communications of the ACM
Statistical metrics for individual password strength

SP'12 Proceedings of the 20th international conference on Security Protocols

Quantified Score

Hi-index	0.00

Visualization

Abstract

Password-based authentication is the dominant form of access control in web services. Unfortunately, it proves to be more and more inadequate every year. Even if users choose long and complex passwords, vulnerabilities in the way they are managed by a service may leak them to an attacker. Recent incidents in popular services such as LinkedIn and Twitter demonstrate the impact that such an event could have. The use of one-way hash functions to mitigate the problem is countered by the evolution of hardware which enables powerful password-cracking platforms. In this paper we propose SAuth, a protocol which employs authentication synergy among different services. Users wishing to access their account on service S will also have to authenticate for their account on service V, which acts as a vouching party. Both services S and V are regular sites visited by the user everyday (e.g., Twitter, Facebook, Gmail). Should an attacker acquire the password for service S he will be unable to log in unless he also compromises the password for service V and possibly more vouching services. SAuth is an extension and not a replacement of existing authentication methods. It operates one layer above without ties to a specific method, thus enabling different services to employ heterogeneous systems. Finally we employ password decoys to protect users that share a password across services.