A Longitudinal Study on Web-sites Password Management (in)Security: Evidence and Remedies
Single-factor password-based authentication is generally the norm to access on-line Web-sites. While single-factor authentication is well known to be a weak form of authentication, a further concern arises when considering the possibility for an attacker to recover the user passwords by leveraging t...
Gespeichert in:
| Hauptverfasser: | , |
|---|---|
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext bestellen |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | |
|---|---|
| container_issue | |
| container_start_page | |
| container_title | |
| container_volume | |
| creator | Raponi, Simone Di Pietro, Roberto |
| description | Single-factor password-based authentication is generally the norm to access
on-line Web-sites. While single-factor authentication is well known to be a
weak form of authentication, a further concern arises when considering the
possibility for an attacker to recover the user passwords by leveraging the
loopholes in the password recovery mechanisms. Indeed, the adoption by a
Web-site of a poor password management system makes useless even the most
robust password chosen by the registered users. In this paper, building on the
results of our previous work, we study the possible attacks to on-line password
recovery systems analyzing the mechanisms implemented by some of the most
popular Web-sites. In detail, we provide several contributions: (i) we revise
and detail the attacker model; (ii) we provide an updated analysis with respect
to a preliminary study we carried out in December 2017; (iii) we perform a
brand new analysis of the current top 200 Alexa's Web-sites of five major EU
countries; and, (iv) we propose \sol, a working open-source module that could
be adopted by any Web-site to provide registered users with a password recovery
mechanism to prevent mail service provider-level attacks. Overall, it is
striking to notice how the analyzed Web-sites have made little (if any) effort
to become compliant with the GDPR regulation, showing that the objective to
have basic user protection mechanisms in place---despite the fines threatened
by GDPR---is still far, mainly because of sub-standard security management
practices. Finally, it is worth noting that while this study has been focused
on EU registered Web-sites, the proposed solution has, instead, general
applicability. |
| doi_str_mv | 10.48550/arxiv.1911.08565 |
| format | Article |
| fullrecord | <record><control><sourceid>arxiv_GOX</sourceid><recordid>TN_cdi_arxiv_primary_1911_08565</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>1911_08565</sourcerecordid><originalsourceid>FETCH-LOGICAL-a675-23dfbc163fffe7510977dd3aadcfbfb977958c87cad6ea5802eebb2d899e94383</originalsourceid><addsrcrecordid>eNotj0FLwzAYhnPxINMf4Mkc9dDaNEubeBtj6qCiuIF4Kl_yfRmBLZWmm-7fW6en933h4YWHsStR5FOtVHEH_Xc45MIIkRdaVeqcfcx408VNGPYYImz5aixH3kX-TjZLYaDEXyGlr65H_gwRNrSjOPCbEG9X5PZ9GI73fHEISNERh4j8bSQwULpgZx62iS7_c8LWD4v1_ClrXh6X81mTQVWrrJTorROV9N5TrURh6hpRAqDz1ttxGaWdrh1gRaB0URJZW6I2hsxUajlh13-3J7f2sw876I_tr2N7cpQ_WEVNkw</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>A Longitudinal Study on Web-sites Password Management (in)Security: Evidence and Remedies</title><source>arXiv.org</source><creator>Raponi, Simone ; Di Pietro, Roberto</creator><creatorcontrib>Raponi, Simone ; Di Pietro, Roberto</creatorcontrib><description>Single-factor password-based authentication is generally the norm to access
on-line Web-sites. While single-factor authentication is well known to be a
weak form of authentication, a further concern arises when considering the
possibility for an attacker to recover the user passwords by leveraging the
loopholes in the password recovery mechanisms. Indeed, the adoption by a
Web-site of a poor password management system makes useless even the most
robust password chosen by the registered users. In this paper, building on the
results of our previous work, we study the possible attacks to on-line password
recovery systems analyzing the mechanisms implemented by some of the most
popular Web-sites. In detail, we provide several contributions: (i) we revise
and detail the attacker model; (ii) we provide an updated analysis with respect
to a preliminary study we carried out in December 2017; (iii) we perform a
brand new analysis of the current top 200 Alexa's Web-sites of five major EU
countries; and, (iv) we propose \sol, a working open-source module that could
be adopted by any Web-site to provide registered users with a password recovery
mechanism to prevent mail service provider-level attacks. Overall, it is
striking to notice how the analyzed Web-sites have made little (if any) effort
to become compliant with the GDPR regulation, showing that the objective to
have basic user protection mechanisms in place---despite the fines threatened
by GDPR---is still far, mainly because of sub-standard security management
practices. Finally, it is worth noting that while this study has been focused
on EU registered Web-sites, the proposed solution has, instead, general
applicability.</description><identifier>DOI: 10.48550/arxiv.1911.08565</identifier><language>eng</language><subject>Computer Science - Computers and Society ; Computer Science - Cryptography and Security</subject><creationdate>2019-11</creationdate><rights>http://arxiv.org/licenses/nonexclusive-distrib/1.0</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>228,230,780,885</link.rule.ids><linktorsrc>$$Uhttps://arxiv.org/abs/1911.08565$$EView_record_in_Cornell_University$$FView_record_in_$$GCornell_University$$Hfree_for_read</linktorsrc><backlink>$$Uhttps://doi.org/10.48550/arXiv.1911.08565$$DView paper in arXiv$$Hfree_for_read</backlink></links><search><creatorcontrib>Raponi, Simone</creatorcontrib><creatorcontrib>Di Pietro, Roberto</creatorcontrib><title>A Longitudinal Study on Web-sites Password Management (in)Security: Evidence and Remedies</title><description>Single-factor password-based authentication is generally the norm to access
on-line Web-sites. While single-factor authentication is well known to be a
weak form of authentication, a further concern arises when considering the
possibility for an attacker to recover the user passwords by leveraging the
loopholes in the password recovery mechanisms. Indeed, the adoption by a
Web-site of a poor password management system makes useless even the most
robust password chosen by the registered users. In this paper, building on the
results of our previous work, we study the possible attacks to on-line password
recovery systems analyzing the mechanisms implemented by some of the most
popular Web-sites. In detail, we provide several contributions: (i) we revise
and detail the attacker model; (ii) we provide an updated analysis with respect
to a preliminary study we carried out in December 2017; (iii) we perform a
brand new analysis of the current top 200 Alexa's Web-sites of five major EU
countries; and, (iv) we propose \sol, a working open-source module that could
be adopted by any Web-site to provide registered users with a password recovery
mechanism to prevent mail service provider-level attacks. Overall, it is
striking to notice how the analyzed Web-sites have made little (if any) effort
to become compliant with the GDPR regulation, showing that the objective to
have basic user protection mechanisms in place---despite the fines threatened
by GDPR---is still far, mainly because of sub-standard security management
practices. Finally, it is worth noting that while this study has been focused
on EU registered Web-sites, the proposed solution has, instead, general
applicability.</description><subject>Computer Science - Computers and Society</subject><subject>Computer Science - Cryptography and Security</subject><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2019</creationdate><recordtype>article</recordtype><sourceid>GOX</sourceid><recordid>eNotj0FLwzAYhnPxINMf4Mkc9dDaNEubeBtj6qCiuIF4Kl_yfRmBLZWmm-7fW6en933h4YWHsStR5FOtVHEH_Xc45MIIkRdaVeqcfcx408VNGPYYImz5aixH3kX-TjZLYaDEXyGlr65H_gwRNrSjOPCbEG9X5PZ9GI73fHEISNERh4j8bSQwULpgZx62iS7_c8LWD4v1_ClrXh6X81mTQVWrrJTorROV9N5TrURh6hpRAqDz1ttxGaWdrh1gRaB0URJZW6I2hsxUajlh13-3J7f2sw876I_tr2N7cpQ_WEVNkw</recordid><startdate>20191117</startdate><enddate>20191117</enddate><creator>Raponi, Simone</creator><creator>Di Pietro, Roberto</creator><scope>AKY</scope><scope>GOX</scope></search><sort><creationdate>20191117</creationdate><title>A Longitudinal Study on Web-sites Password Management (in)Security: Evidence and Remedies</title><author>Raponi, Simone ; Di Pietro, Roberto</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-a675-23dfbc163fffe7510977dd3aadcfbfb977958c87cad6ea5802eebb2d899e94383</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2019</creationdate><topic>Computer Science - Computers and Society</topic><topic>Computer Science - Cryptography and Security</topic><toplevel>online_resources</toplevel><creatorcontrib>Raponi, Simone</creatorcontrib><creatorcontrib>Di Pietro, Roberto</creatorcontrib><collection>arXiv Computer Science</collection><collection>arXiv.org</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Raponi, Simone</au><au>Di Pietro, Roberto</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>A Longitudinal Study on Web-sites Password Management (in)Security: Evidence and Remedies</atitle><date>2019-11-17</date><risdate>2019</risdate><abstract>Single-factor password-based authentication is generally the norm to access
on-line Web-sites. While single-factor authentication is well known to be a
weak form of authentication, a further concern arises when considering the
possibility for an attacker to recover the user passwords by leveraging the
loopholes in the password recovery mechanisms. Indeed, the adoption by a
Web-site of a poor password management system makes useless even the most
robust password chosen by the registered users. In this paper, building on the
results of our previous work, we study the possible attacks to on-line password
recovery systems analyzing the mechanisms implemented by some of the most
popular Web-sites. In detail, we provide several contributions: (i) we revise
and detail the attacker model; (ii) we provide an updated analysis with respect
to a preliminary study we carried out in December 2017; (iii) we perform a
brand new analysis of the current top 200 Alexa's Web-sites of five major EU
countries; and, (iv) we propose \sol, a working open-source module that could
be adopted by any Web-site to provide registered users with a password recovery
mechanism to prevent mail service provider-level attacks. Overall, it is
striking to notice how the analyzed Web-sites have made little (if any) effort
to become compliant with the GDPR regulation, showing that the objective to
have basic user protection mechanisms in place---despite the fines threatened
by GDPR---is still far, mainly because of sub-standard security management
practices. Finally, it is worth noting that while this study has been focused
on EU registered Web-sites, the proposed solution has, instead, general
applicability.</abstract><doi>10.48550/arxiv.1911.08565</doi><oa>free_for_read</oa></addata></record> |
| fulltext | fulltext_linktorsrc |
| identifier | DOI: 10.48550/arxiv.1911.08565 |
| ispartof | |
| issn | |
| language | eng |
| recordid | cdi_arxiv_primary_1911_08565 |
| source | arXiv.org |
| subjects | Computer Science - Computers and Society Computer Science - Cryptography and Security |
| title | A Longitudinal Study on Web-sites Password Management (in)Security: Evidence and Remedies |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-07T02%3A37%3A30IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=A%20Longitudinal%20Study%20on%20Web-sites%20Password%20Management%20(in)Security:%20Evidence%20and%20Remedies&rft.au=Raponi,%20Simone&rft.date=2019-11-17&rft_id=info:doi/10.48550/arxiv.1911.08565&rft_dat=%3Carxiv_GOX%3E1911_08565%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |