A Longitudinal Study on Web-sites Password Management (in)Security: Evidence and Remedies

11/17/2019
by   Simone Raponi, et al.
0

Single-factor password-based authentication is generally the norm to access on-line Web-sites. While single-factor authentication is well known to be a weak form of authentication, a further concern arises when considering the possibility for an attacker to recover the user passwords by leveraging the loopholes in the password recovery mechanisms. Indeed, the adoption by a Web-site of a poor password management system makes useless even the most robust password chosen by the registered users. In this paper, building on the results of our previous work, we study the possible attacks to on-line password recovery systems analyzing the mechanisms implemented by some of the most popular Web-sites. In detail, we provide several contributions: (i) we revise and detail the attacker model; (ii) we provide an updated analysis with respect to a preliminary study we carried out in December 2017; (iii) we perform a brand new analysis of the current top 200 Alexa's Web-sites of five major EU countries; and, (iv) we propose , a working open-source module that could be adopted by any Web-site to provide registered users with a password recovery mechanism to prevent mail service provider-level attacks. Overall, it is striking to notice how the analyzed Web-sites have made little (if any) effort to become compliant with the GDPR regulation, showing that the objective to have basic user protection mechanisms in place—despite the fines threatened by GDPR—is still far, mainly because of sub-standard security management practices. Finally, it is worth noting that while this study has been focused on EU registered Web-sites, the proposed solution has, instead, general applicability.

READ FULL TEXT
research
11/17/2019

Web-sites password management (in)security: Evidence and remedies

Single-factor password-based authentication is generally the norm to acc...
research
02/14/2022

Work in progress: Identifying Two-Factor Authentication Support in Banking Sites

Two-factor authentication (2FA) offers several security benefits that se...
research
03/01/2019

Characterizing Activity on the Deep and Dark Web

The deep and darkweb (d2web) refers to limited access web sites that req...
research
11/11/2021

Classification of URL bitstreams using Bag of Bytes

Protecting users from accessing malicious web sites is one of the import...
research
01/20/2018

Web password recovery --- a necessary evil?

Web password recovery, enabling a user who forgets their password to re-...
research
04/28/2020

A Retrospective Analysis of User Exposure to (Illicit) Cryptocurrency Mining on the Web

In late 2017, a sudden proliferation of malicious JavaScript was reporte...
research
04/09/2020

The Web is Still Small After More Than a Decade

Understanding web co-location is essential for various reasons. For inst...

Please sign up or login with your details

Forgot password? Click here to reset