nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

Who Is Reusing Stolen Passwords? An Empirical Study on Stolen Passwords and Countermeasures

verfasst von : Chedy Missaoui, Safa Bachouch, Ibrahim Abdelkader, Slim Trabelsi

Erschienen in: Cyberspace Safety and Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The combination of login passwords is still the most used identification and authentication method used on internet. Although if number of studies and articles pointed out the extreme weakness of using such authentication methods, almost every website is asking for a string password to create an account. Strong Password policies were created to reduce the risk of guessing or cracking a password string using traditional password crackers, but what is the benefit of such strong password construction if the whole credentials database is stolen and leaked? Every day hundreds of websites are breached and the content of their credential databases are exposed to the entire word. Millions of online accounts are then accessed illegally by various people with different level of damage impact. Who are these people? What is their purpose? How to prevent them from replaying stolen passwords? In this paper, we conduct an empirical study about the people who are reusing the stolen passwords found on internet or on the dark web. We deployed a fake Banking website in a honeypot mode, then we shared fake 3300 logins and passwords to the websites traditionally used for this purpose, finally we recorded their activities and made statistics. We also proposed a solution to reduce the attempts for replaying stolen passwords, and we measured the impact of this solution.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nächstes Kapitel A Survey of Keylogger and Screenlogger Attacks in the Banking Sector and Countermeasures to Them

http://breachlevelindex.com.

https://www.w3schools.com/sql/sql_injection.asp.

https://www.scmagazine.com/russian-researchers-leak-default-passwords-packaged-to-icsscada-software/article/527829/.

https://www.nytimes.com/2002/07/26/nyregion/princeton-pries-into-web-site-for-yale-applicants.html.

http://www.businessinsider.fr/us/hacker-selling-credentials-government-sites-2016-7.

https://thehackernews.com/2018/01/leakedsource-operator-charged.html.

https://haveibeenpwned.com/.

https://www.group-ib.com/blog/polygon.

Catuogno, L., Castiglione, A., Palmieri, F.: A honeypot system with honeyword-driven fake interactive sessions. In: 2015 International Conference on High Performance Computing and Simulation (HPCS), pp. 187–194. IEEE, July 2015

Database of 1.4 Billion Credentials Found on Dark Web. https://www.securityweek.com/database-14-billion-credentials-found-dark-web

How Apple and Amazon Security Flaws Le to My Epic Hacking. https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

LinkedIn Lost 167 Million Account Credentials in Data Breach. http://fortune.com/2016/05/18/linkedin-data-breach-email-password/

Passwords for 32M Twitter accounts may have been hacked and leaked. https://techcrunch.com/2016/06/08/twitter-hack/

Password Leak Lists Contain 20 Percent of Microsoft Login Credentials. https://www.forbes.com/sites/adriankingsleyhughes/2012/07/16/hackers-have-20-percent-of-microsoft-login-credentials/#54cb833c7e0d

63% of Data Breaches Result From Weak or Stolen Passwords. http://info.idagent.com/blog/63-of-data-breaches-result-from-weak-or-stolen-passwords

Ives, B., Walsh, K.R., Schneider, H.: The domino effect of password reuse. Commun. ACM 47(4), 75–78 (2004)CrossRef

Mozilla: data stolen from hacked bug database was used to attack Firefox. https://arstechnica.com/information-technology/2015/09/mozilla-data-stolen-from-hacked-bug-database-was-used-to-attack-firefox/?utm_content=buffer1c53c&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

10.

2017 state of authentication report. https://fidoalliance.org/wp-content/uploads/The-State-of-Authentication-Report.pdf

11.

Herley, C., Van Oorschot, P.: A research agenda acknowledging the persistence of passwords. IEEE Secur. Priv. 10(1), 28–36 (2012)CrossRef

12.

Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: NDSS, vol. 14, pp. 23–26

13.

Akiyama, M., Yagi, T., Aoki, K., Hariu, T., Kadobayashi, Y.: Active credential leakage for observing web-based attack cycle. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 223–243. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41284-4_12CrossRef

14.

Claycomb, W.R., Nicoll, A.: Insider threats to cloud computing: directions for new research challenges. In: 2012 IEEE 36th Annual Computer Software and Applications Conference (COMPSAC), pp. 387–394. IEEE (2012)

15.

Thomas, K., et al.: Data breaches, phishing, or malware?: understanding the risks of stolen credentials. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1421–1434. ACM (2017)

16.

Onaolapo, J., Mariconti, E., Stringhini, G.: What happens after you are pwnd: understanding the use of leaked webmail credentials in the wild. In: Proceedings of the 2016 Internet Measurement Conference, pp. 65–79. ACM (2016)

17.

Sun, H.M., Chen, Y.H., Lin, Y.H.: oPass: a user authentication protocol resistant to password stealing and password reuse attacks. IEEE Trans. Inf. Forensics Secur. 7(2), 651–663CrossRef

18.

Kontaxis, G., Athanasopoulos, E., Portokalidis, G., Keromytis, A.D.: SAuth: protecting user accounts from password database leaks. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 187–198. ACM (2013)

Titel: Who Is Reusing Stolen Passwords? An Empirical Study on Stolen Passwords and Countermeasures
verfasst von: Chedy Missaoui
Safa Bachouch
Ibrahim Abdelkader
Slim Trabelsi
Verlag: Springer International Publishing
Buch: Cyberspace Safety and Security
Print ISBN: 978-3-030-01688-3

Electronic ISBN: 978-3-030-01689-0

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-030-01689-0_1

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"