Passwords remain the most widely used authentication mechanism, despite being a primary vector for compromise of people's digital assets. Underlying this fact is the billions of login credentials (username and password pairs) that have been exposed due to breaches. These fuel credential stuffing attacks in
which breached credentials are submitted to login services.
In this talk I will describe our work on mitigating credential stuffing and other remote password guessing attacks. Through measurement studies at two large universities and analysis of public breach data, our work provides the most granular understanding to date of remote password guessing attack efficacy. We also explore the potential for more advanced credential tweaking attacks, which learn from breach data variants of breached passwords likely to be selected by users, and show that submitting these as guesses can be
increase attacker success rates.
To combat such threats, we propose password breach alerting protocols that perform a kind of cryptographic private set intersection to help individuals or services determine if a user's password--or a variant of it--appears in some known breach. Our resulting service design, called Might I Get Pwned, was deployed at Cloudflare and is actively used now to help their customers detect breached credentials.
I will discuss works done in collaboration with Suleman Ahmad, Junade Ali, Marina Sanusi Bohuk, Sofı́a Celi, Rahul Chatterjee, Mazharul Islam, Lucy Li, Bijeeta Pal, Nick Sullivan, Michael Swift, Stefano Tessaro, Nirvan
Tyagi, Lukec Valenta, Tara Whalen, and Christopher Wood.
Bio
Thomas Ristenpart is an Associate Professor at Cornell Tech and a member of the Computer Science department at Cornell University. Before joining Cornell Tech in May, 2015, he spent four and a half years as an Assistant Professor at the University of Wisconsin-Madison. He completed his PhD at UC San Diego in 2010. His research spans a wide range of computer security topics, with recent focuses including digital privacy and safety in intimate partner violence, new threats to, and improved opportunities for, cloud computing security, improvements to authentication mechanisms including passwords, confidentiality and privacy in machine learning, and topics in applied and theoretical cryptography. His work is routinely featured in the media and has been recognized by a number of distinguished paper awards, an ACM CCS test-of-time award, an Advocate of New York City award, an NSF CAREER Award, and a Sloan Research Fellowship.