Contact Project Developer Ashish D. Tiwari [astiwz@gmail.com]

Shadow Attacks based on Password Reuses: A Quantitative Empirical Analysis

C#.NET VB.NET ASP.NET BE-Engineering(CO/IT) ME-Engineering(CO/IT) BCS MCS BCA MCA MCM BSC Computer/IT MSC Computer/IT Diploma (CO/IT) IEEE-2016 Security



Abstract

With the proliferation of websites, the security level of password-protected accounts is no longer purely determined by individual ones. Users may register multiple accounts on the same site or across multiple sites, and these passwords from the same users are likely to be the same or similar. As a result, an adversary can compromise the account of a user on a web forum, and then guess the accounts of the same user in sensitive accounts, e.g., online banking services, whose accounts could have the same or even stronger passwords. We call this attack the shadow attack on passwords. To understand the situation, we examined the state-of-the-art Intra-Site Password Reuses (ISPR) and Cross-Site Password Reuses (CSPR) based on the leaked passwords from the biggest Internet user group. With a collection of about 70 million real-world web passwords across four large websites in China, we obtained around 4.6 million distinct users who have multiple accounts on the same site or across different sites. We found that for the users with multiple accounts in a single website reused their passwords and for the users with multiple accounts on multiple websites reused their passwords across websites. For the users that have multiple accounts but different passwords, the set of passwords of the same user exhibits patterns that can help password guessing: a leaked weak password reveals partial information about a strong one, which degrades the strength of the strong one. Given the aforementioned findings, we conducted an experiment and achieved an improvement in guessing success rate with the John the Ripper guessing tool. To the best of our knowledge, we are the first to provide a large-scale, empirical, and quantitative measurement of web password reuses, especially ISPR, and shed light on the severity of such a threat in the real world.
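One way to compute per-user ISPR and CSPR counts as the abstract defines them, written as an added example that is not code from the paper or from this project. It assumes accounts are linked to a user by e-mail address and that "similar" means a `difflib` ratio of at least 0.7; neither choice is stated on the page, and the sample records are constructed.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample records: (site, email, password). Not real data.
RECORDS = [
    ("forum", "a@example.com", "sunshine1"),
    ("forum", "a@example.com", "sunshine1"),   # second account, same site, same password
    ("shop",  "a@example.com", "Sunshine1!"),  # other site, similar password
    ("forum", "b@example.com", "k9#Tq2vL"),
    ("shop",  "b@example.com", "k9#Tq2vL"),    # identical password on two sites
    ("forum", "c@example.com", "river42"),
    ("forum", "c@example.com", "zX8!mmQp"),    # same site, unrelated passwords
    ("shop",  "d@example.com", "onlyone"),     # single account: not counted
]

SIMILAR = 0.7  # assumed similarity threshold, not a value from the paper
RANK = ["different", "similar", "identical"]


def classify(p, q):
    """Label a password pair as identical, similar or different."""
    if p == q:
        return "identical"
    return "similar" if SequenceMatcher(None, p, q).ratio() >= SIMILAR else "different"


def reuse_report(records):
    """Count users by their closest password pair, per scope (ISPR / CSPR)."""
    by_user = defaultdict(list)
    for site, email, pw in records:  # assumption: e-mail identifies the user
        by_user[email.lower()].append((site, pw))
    stats = {"ISPR": defaultdict(int), "CSPR": defaultdict(int)}
    for accounts in by_user.values():
        best = {}  # scope -> strongest relation seen for this user
        for (s1, p1), (s2, p2) in combinations(accounts, 2):
            scope = "ISPR" if s1 == s2 else "CSPR"
            kind = classify(p1, p2)
            if RANK.index(kind) > RANK.index(best.get(scope, "different")):
                best[scope] = kind
            best.setdefault(scope, kind)
        for scope, kind in best.items():
            stats[scope][kind] += 1
            stats[scope]["users"] += 1
    return {scope: dict(counts) for scope, counts in stats.items()}


if __name__ == "__main__":
    print(reuse_report(RECORDS))
```

Users in the "similar" bucket are the case the abstract singles out: their passwords differ, yet one leaked password still reveals part of another, so a reuse audit that only compares for equality undercounts exposure.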

Existing System

Regarding existing password schemes, many voices have called for password replacement or enhancement. Prior work has described many ancillary means to replace the current password-based authentication mechanism. Existing work has also proposed that a user should group their accounts when he or she has many different passwords.


Proposed System

It has been proposed that a user should reuse their passwords in similar accounts, on the argument that it is impossible for a user to remember so many passwords and enter them in the correct user interfaces. They proposed that each attack method has its strength in cracking passwords of a certain strength. They also pointed out that the probability of guessing a correct password decreases exponentially as the search space grows, which is consistent with our experimental results. It has also been proposed that a user should group their accounts when he or she has many different passwords.




