The Weakest Link: On Breaking the Association between Usernames and Passwords in Authentication Systems

SECRYPT ... : proceedings of the International Conference on Security and Cryptography. International Conference on Security and Cryptography Pub Date : 2022-01-01 DOI:10.5220/0011276900003283

Eva Anastasiadi, E. Athanasopoulos, E. Markatos

{"title":"The Weakest Link: On Breaking the Association between Usernames and Passwords in Authentication Systems","authors":"Eva Anastasiadi, E. Athanasopoulos, E. Markatos","doi":"10.5220/0011276900003283","DOIUrl":null,"url":null,"abstract":": Over the last decade, we have seen a signiﬁcant number of data breaches affecting hundreds of millions of users. Leaked password ﬁles / Databases that contain passwords in plaintext allow attackers to get immediate access to the credentials of all the accounts stored in those ﬁles. Nowadays most systems keep passwords in a hashed salted form, but using brute force techniques attackers are still able to crack a large percentage of those passwords. In this work, we present a novel approach to protect users’ credentials from such leaks. We propose a new architecture for the password ﬁle that makes use of multiple servers. The approach is able to defend even against attackers that manage to compromise all servers - as long as they do not do it at the same time. Our prototype implementation and preliminary evaluation in the authentication system of WordPress suggests that this approach is not only easy to incorporate into existing systems, but it also has minimal overhead.","PeriodicalId":74779,"journal":{"name":"SECRYPT ... : proceedings of the International Conference on Security and Cryptography. International Conference on Security and Cryptography","volume":"43 1","pages":"560-567"},"PeriodicalIF":0.0000,"publicationDate":"2022-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"SECRYPT ... : proceedings of the International Conference on Security and Cryptography. International Conference on Security and Cryptography","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.5220/0011276900003283","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

: Over the last decade, we have seen a signiﬁcant number of data breaches affecting hundreds of millions of users. Leaked password ﬁles / Databases that contain passwords in plaintext allow attackers to get immediate access to the credentials of all the accounts stored in those ﬁles. Nowadays most systems keep passwords in a hashed salted form, but using brute force techniques attackers are still able to crack a large percentage of those passwords. In this work, we present a novel approach to protect users’ credentials from such leaks. We propose a new architecture for the password ﬁle that makes use of multiple servers. The approach is able to defend even against attackers that manage to compromise all servers - as long as they do not do it at the same time. Our prototype implementation and preliminary evaluation in the authentication system of WordPress suggests that this approach is not only easy to incorporate into existing systems, but it also has minimal overhead.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

最薄弱环节:破解认证系统中用户名和密码的关联

在过去的十年中，我们看到了影响数亿用户的大量数据泄露事件。包含明文密码的泄露密码文件/数据库允许攻击者立即访问存储在这些文件中的所有帐户的凭据。如今，大多数系统将密码保存在散列盐形式中，但使用暴力破解技术攻击者仍然能够破解这些密码的很大一部分。在这项工作中，我们提出了一种新的方法来保护用户的凭据免受此类泄漏。我们提出了一种利用多服务器的密码文件新架构。这种方法甚至能够防御那些设法破坏所有服务器的攻击者——只要他们不是同时这样做。我们在WordPress身份验证系统中的原型实现和初步评估表明，这种方法不仅易于合并到现有系统中，而且开销最小。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

SECRYPT ... : proceedings of the International Conference on Security and Cryptography. International Conference on Security and Cryptography

自引率

0.00%

发文量