Tackling Credential Abuse Together

Overview

Despite long-ago predictions (e.g., see Bill Gates, 2004) that other user-authentication technologies would replace passwords, passwords remain not only pervasive but have flourished as the dominant form of account protection, especially at websites such as retailers that require a low-friction user experience. This talk will describe our research on methods to tackle three key ingredients of account takeovers for password-protected accounts today: (i) site database breaches, which is the largest source of stolen passwords for internet sites; (ii) the tendency of users to reuse the same or similar passwords across sites; and (iii) credential stuffing, in which attackers submit breached credentials for one site in login attempts for the same accounts at another. A central theme of our research is that these factors are most effectively addressed by coordinating across websites, in contrast to today’s practice of each site defending alone. We describ e algorithms to drive this coordination, demonstrate the efficacy and security of our proposals through conservative analyses, and demonstrate the scalability of our designs through working implementations. This research was performed jointly with Ke Coby Wang.

Flier image

Go here to register for the event