
Might I Get Pwned: A Second Generation Password Breach Alerting Service

09/29/2021
by Bijeeta Pal, et al.

Credential stuffing attacks use stolen passwords to log into victim accounts. To defend against these attacks, recently deployed compromised credential checking (C3) services provide APIs that help users and companies check whether a username-password pair is exposed. These services, however, only check if the exact password is leaked, and therefore do not mitigate credential tweaking attacks, in which the adversary guesses variants of a user's leaked passwords. We initiate work on C3 APIs that protect users from credential tweaking attacks. The core underlying challenge is how to identify passwords that are similar to their leaked passwords while preserving honest clients' privacy and also preventing malicious clients from extracting breach data from the service. We formalize the problem and explore a variety of ways to measure password similarity that balance efficacy, performance, and security. Based on this exploration, we design "Might I Get Pwned" (MIGP), a new kind of breach alerting service. Our simulations show that MIGP reduces the efficacy of state-of-the-art 10-guess credential tweaking attacks by 81%. MIGP preserves user privacy and limits potential exposure of sensitive breach entries. We show that the protocol is fast, with response time close to existing C3 services, and suitable for real-world deployment.
