Bicycle Attacks Considered Harmful: Quantifying the Damage of Widespread Password Length Leakage

02/04/2020
by Benjamin Harsha, et al.

We examine the issue of password length leakage via encrypted traffic, i.e., bicycle attacks. We aim to quantify both the prevalence of password length leakage bugs and the potential harm to users. In an observational study, we find that most of the Alexa top 100 rated sites are vulnerable to bicycle attacks, meaning that an eavesdropping attacker can infer the exact length of a password based on the length of the encrypted packet containing the password. We discuss several ways in which an eavesdropping attacker could link this password length with a particular user account, e.g., a targeted campaign against a smaller group of users or via DNS hijacking for larger-scale campaigns. We next use a decision-theoretic model to quantify the extent to which password length leakage might help an attacker to crack user passwords. In our analysis, we consider three different levels of password attackers: hacker, criminal and nation-state. In all cases, we find that an attacker who knows the length of each user password gains a significant advantage over one who does not know the password length. As part of this analysis, we also release a new differentially private password frequency dataset from the 2016 LinkedIn breach, using a differentially private algorithm of Blocki et al. (NDSS 2016) to protect user accounts. The LinkedIn frequency corpus is based on over 170 million passwords, making it the largest frequency corpus publicly available to password researchers. While the defense against bicycle attacks is straightforward (i.e., ensure that passwords are always padded before encryption), we discuss several practical challenges organizations may face when attempting to patch this vulnerability. We advocate for a new W3C standard on how password fields are handled, which would effectively eliminate most instances of password length leakage.
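The leak and the padding defense described in the abstract, as an added example that is not taken from the paper. It assumes a simplified model in which the login form body travels alone in one TLS 1.3 AES-GCM record; the field names `user` and `pw`, the 64-byte bucket `PAD_TO`, and the length-byte-plus-hex encoding are choices made for this illustration.

```python
from urllib.parse import urlencode

# Simplified TLS 1.3 AES-GCM record model (assumption for this example):
# 5-byte header + 1 inner content-type byte + 16-byte authentication tag.
RECORD_OVERHEAD = 5 + 1 + 16
PAD_TO = 64  # assumed maximum password size in bytes (must stay below 256)


def login_body(user: str, password_field: str) -> bytes:
    """Form-encoded login body; field names are hypothetical."""
    return urlencode({"user": user, "pw": password_field}).encode("ascii")


def record_len(body: bytes) -> int:
    """Size an on-path observer sees: AEAD ciphertext length tracks plaintext length."""
    return len(body) + RECORD_OVERHEAD


def leaked_length(observed: int, user: str) -> int:
    """Password length recoverable from size alone when the field is sent unpadded."""
    return observed - record_len(login_body(user, ""))


def pad_password(password: str) -> str:
    raw = password.encode("utf-8")
    if len(raw) > PAD_TO:
        raise ValueError("password exceeds padding bucket")
    # 1 length byte + password + zero fill, hex-encoded so that URL-encoding
    # cannot reintroduce a character-dependent length.
    return (bytes([len(raw)]) + raw + b"\x00" * (PAD_TO - len(raw))).hex()


def unpad_password(field: str) -> str:
    """Server-side inverse of pad_password; rejects blobs of the wrong shape."""
    blob = bytes.fromhex(field)
    if len(blob) != PAD_TO + 1 or blob[0] > PAD_TO:
        raise ValueError("malformed padded password")
    return blob[1:1 + blob[0]].decode("utf-8")


if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery staple"):  # constructed samples
        plain = record_len(login_body("alice", pw))
        padded = record_len(login_body("alice", pad_password(pw)))
        print(pw, leaked_length(plain, "alice"), plain, padded)
```

The padded field has the same size for every password up to `PAD_TO` bytes, so the observed record length no longer depends on the password; the username still contributes its own length in this model.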
