Results 1 - 10 of 11
The quest to replace passwords: A framework for comparative evaluation of web authentication schemes
Cited by 88 (13 self)
We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.
Keywords: authentication; computer security; human computer interaction; security and usability; deployability; economics; software engineering.
The Password Thicket: technical and market failures in human authentication on the web
- 9TH WORKSHOP ON THE ECONOMICS OF INFO SECURITY (WEIS 2010), 2010
Cited by 37 (10 self)
We report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Our study included 150 websites which offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although all sites evaluated relied on user-chosen textual passwords for authentication, we found many subtle but important technical variations in implementation with important security implications. Many poor practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks. While a spectrum of implementation quality exists with a general correlation between implementation choices within more-secure and less-secure websites, we find a surprising number of inconsistent choices within individual sites, suggesting that the lack of standards is harming security. We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established tendency of users to re-use passwords. Our data confirms that the worst security practices are indeed found at sites with few security incentives, such as newspaper websites, while sites storing more sensitive information such as payment details or user communication implement more password security. From an economic viewpoint, password insecurity is a negative externality that the market has been unable to correct, undermining the viability of password-based authentication. We also speculate that some sites deploying passwords do so primarily for psychological reasons, both as a justification for collecting marketing data and as a way to build trusted relationships with customers. This theory suggests that efforts to replace passwords with more-secure protocols or federated identity systems may fail because they don’t recreate the entrenched ritual of password authentication.
Characterizing Insecure JavaScript Practices on the Web
Cited by 34 (3 self)
JavaScript is an interpreted programming language most often used for enhancing webpage interactivity and functionality. It has powerful capabilities to interact with webpage documents and browser windows; however, it has also opened the door for many browser-based security attacks. Insecure engineering practices of using JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risks of browser-based attacks. In this paper, we present the first measurement study on insecure practices of using JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common at various websites: (1) at least 66.4% of the measured websites manifest the insecure practices of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) in JavaScript dynamic generation, using the document.write() method and the innerHTML property is much more popular than using the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators for reducing potential security risks.
Off-Path TCP Sequence Number Inference Attack – How Firewall Middleboxes Reduce Security
- In Proc. of IEEE Security and Privacy, 2012
Cited by 15 (3 self)
In this paper, we report a newly discovered “off-path TCP sequence number inference” attack enabled by firewall middleboxes. It allows an off-path (i.e., not man-in-the-middle) attacker to hijack a TCP connection and inject malicious content, effectively granting the attacker write-only permission on the connection. For instance, with the help of unprivileged malware, we demonstrate that a successful attack can hijack an HTTP session and return a phishing Facebook login page issued by a browser. With the same mechanisms, it is also possible to inject malicious JavaScript to post tweets or follow other people on behalf of the victim. The TCP sequence number inference attack is mainly enabled by the sequence-number-checking firewall middleboxes. Through carefully-designed and well-timed probing, the TCP sequence number state kept on the firewall middlebox can be leaked to an off-path attacker. We found such firewall middleboxes to be very popular in cellular networks: at least 31.5% of the 149 measured networks deploy such firewalls. Finally, since the sequence-number-checking feature is enabled by design, it is unclear how to mitigate the problem easily.
A WORLD WITH MANY AUTHENTICATION SCHEMES, 2012
Cited by 5 (1 self)
Usability and security challenges with standard text passwords have led researchers and professionals to consider alternative authentication schemes. This thesis explores the various challenges inherent in supporting a practical reality of authentication scheme diversity. We address these challenges by proposing the following solutions aimed at providing users with a usable and secure authentication experience through alternative schemes. We developed a framework for developers, researchers, professionals, and users to identify and compare the user-centred features that may be supported by authentication schemes. We also performed empirical studies on two novel authentication schemes. We demonstrate that our text-based password scheme, Persuasive Text Passwords, can influence users to create more secure passwords that are memorable. We also show that our gaze-based graphical password scheme, Cued Gaze-Points, is usable and may offer resistance against shoulder-surfing attacks at the cost of reduced resistance against password guessing attacks. Furthermore, we built and user tested four different tutorial formats to determine which is most effective at teaching
A Longitudinal Study on e-Bank Trust
The study has two main objectives: to analyse the evolution of trust perceptions over time and to confirm demographic differences accounted in other studies. Results indicate significant differences in customer-perceived trust in internet banking over time: perceived trust, as well as all observed variables (privacy, security, confidentiality, accurateness and completeness) and constructs (trust, trust in the medium and trust in the information) decreased significantly during the 4 year period (2003-2007). A usage and demographic pattern was found among users with low trust perceptions: men, less frequent users (those using the service less frequently than once a week) and participants with over 3 years of use of Internet banking services.
A Measurement Study of Insecure JavaScript Practices on the Web
JavaScript is an interpreted programming language most often used for enhancing webpage interactivity and functionality. It has powerful capabilities to interact with webpage documents and browser windows; however, it has also opened the door for many browser-based security attacks. Insecure engineering practices of using JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risks of browser-based attacks. In this article, we present the first measurement study on insecure practices of using JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. Our measurement results reveal that insecure JavaScript practices are common at various websites: (1) at least 66.4% of the measured websites manifest the insecure practices of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) in JavaScript dynamic generation, using the document.write() method and the innerHTML property is much more popular than using the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators for reducing potential security risks.
Web Authentication Schemes [FULL LENGTH TECHNICAL REPORT], 2012
Number 817
Discover, Analyze, and Validate Attacks With Introspective Side Channels, 2012
Affiliated to SPPU University
Web applications are useful for various online services. These web applications are becoming ubiquitous in our daily lives. They are used for multiple purposes such as e-commerce, financial services, emails, healthcare services and many other captious services. But the presence of vulnerabilities in the web application may become a serious cause for the security of the web application. A web application may contain different types of vulnerabilities. According to the OWASP TOP 10 vulnerability report, Cross-site Scripting (XSS) is among the top 5 vulnerabilities. So this research work aims to implement an effective solution for the prevention of cross-site scripting vulnerabilities. In this paper, we implemented a novel client-side XSS sanitizer that prevents web applications from XSS attacks. Our sanitizer is able to detect cross-site scripting vulnerabilities at the client-side. It strengthens the web browser, because modern web browsers do not provide any specific notification, alert or indication of security holes or vulnerabilities and their presence in the web application.