All your browser-saved passwords could belong to us: A security analysis and a cloud-based new design

CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy

Volumn , Issue , 2013, Pages 333-340

  Zhao, Rui ^a   Yue, Chuan ^a  

^a University of Colorado at Colorado Springs   (United States)

Author keywords

Cloud; Password manager; Phishing; Security; Web browser

Indexed keywords

BUILT-IN FEATURE; PASSWORD MANAGERS; PHISHING; RATIONAL DESIGN; SECURITY; SECURITY ANALYSIS; SECURITY VULNERABILITIES; STRONG PASSWORD;

AVAILABILITY; CLOUDS; DESIGN; DIGITAL STORAGE; MANAGEMENT; MANAGERS; WEB BROWSERS; WEBSITES;

AUTHENTICATION;

EID: 84874835434     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2435349.2435397     Document Type: Conference Paper

References (41)

1. Advanced Encryption Standard (AES). In NIST FIPS 197, 2001.
2. The CCM Mode for Authentication and Confidentiality. In NIST SP 800-38C, 2004.
3. Information Security Handbook: A Guide for Managers. In NIST SP 800-100, 2007.
4. Electronic Authentication Guideline. In NIST SP 800-63-1, 2011.
5. A. Adams and M. A. Sasse. Users are not the enemy. Commun. ACM, 42(12):40-46, 1999.
6. M. Bishop and D. V. Klein. Improving system security via proactive password checking. Computers & Security, 14(3):233-249, 1995.
7. J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Proc. of IEEE S&P, 2012.
8. K. D. Bowers, A. Juels, and A. Oprea. Hail: a high-availability and integrity layer for cloud storage. In Proc. of CCS, 2009.
9. X. Boyen. Halting password puzzles: hard-to-break encryption from human-memorable keys. In Proc. of USENIX Security Symposium, 2007.
10. S. Chiasson, P. C. van Oorschot, and R. Biddle. A usability study and critique of two password managers. In Proc. of USENIX Security Symposium, 2006.
11. D. Davis, F. Monrose, and M. K. Reiter. On user choice in graphical password schemes. In Proc. of USENIX Security Symposium, 2004.
12. D. C. Feldmeier and P. R. Karn. Unix password security - ten years later. In Proc. of CRYPTO, 1989.
13. D. Florêncio and C. Herley. A large-scale study of web password habits. In Proc. of WWW, 2007.
14. J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: Cold boot attacks on encryption keys. In Proc. of USENIX Security Symposium, 2008.
15. J. A. Halderman, B. Waters, and E. W. Felten. A convenient method for securely managing passwords. In Proc. of WWW, 2005.
16. C. Herley and P. C. van Oorschot. A research agenda acknowledging the persistence of passwords. IEEE Security & Privacy, 10(1):28-36, 2012.
17. C. Herley, P. C. van Oorschot, and A. S. Patrick. Passwords: If we're so smart, why are we still using them? In Proc. of FC, 2009.
18. F. Hsu, H. Chen, T. Ristenpart, J. Li, and Z. Su. Back to the future: A framework for automatic malware removal and system repair. In Proc. of ACSAC, 2006.
19. M. Jakobsson and S. Myers. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Wiley-Interscience, ISBN 0-471-78245-9, 2006.
20. B. Kaliski. RFC 2898, PKCS5: Password-Based Cryptography Specification Version 2.0, 1999.
21. P. G. Kelley, S. Komanduri, M. L. Mazurek, R. Shay, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, and J. Lopez. Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. In Proc. of IEEE S&P, 2012.
22. S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor, and S. Egelman. Of passwords and people: Measuring the effect of password-composition policies. In Proc. of CHI, 2011.
23. D. P. Kormann and A. D. Rubin. Risks of the passport single signon protocol. Comput. Networks, 33(1-6):51-58, 2000.
24. R. Morris and K. Thompson. Password security: a case history. Commun. ACM, 22(11):594-597, 1979.
25. R. A. Popa, J. Lorch, D. Molnar, H. J. Wang, and L. Zhuang. Enabling security in cloud storage slas with cloudproof. In Proc. of USENIX ATC, 2011.
26. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iframes point to us. In Proc. of USENIX Security Symposium, 2008.
27. Rachna Dhamija and J.D.Tygar and Marti Hearst. Why phishing works. In Proc. of CHI, 2006.
28. B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. C. Mitchell. Stronger password authentication using browser extensions. In Proc. of USENIX Security Symposium, 2005.
29. E. Stark, M. Hamburg, and D. Boneh. Symmetric cryptography in javascript. In Proc. of ACSAC, 2009.
30. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. A. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: analysis of a botnet takeover. In Proc. of CCS, 2009.
31. S.-T. Sun, Y. Boshmaf, K. Hawkey, and K. Beznosov. A billion keys, but few locks: the crisis of web single sign-on. In Proc. of NSPW, pages 61-72, 2010.
32. J. Thorpe and P. van Oorschot. Human-seeded attacks and exploiting hot-spots in graphical passwords. In Proc. of USENIX Security Symposium, 2007.
33. Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. T. King. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In Proc. of NDSS, 2006.
34. M. Wu, R. C. Miller, and G. Little. Web wallet: preventing phishing attacks by revealing user intentions. In Proc. of SOUPS, pages 102-113, 2006.
35. T. Wu. The secure remote password protocol. In Proc. of NDSS, 1998.
36. J. Yan, A. Blackwell, R. Anderson, and A. Grant. Password memorability and security: Empirical results. IEEE Security and Privacy, 2(5):25-31, 2004.
37. J. J. Yan. A note on proactive password checking. In Proc. of NSPW, pages 127-135, 2001.
38. K.-P. Yee and K. Sitaker. Passpet: convenient password management and phishing protection. In Proc. of SOUPS, pages 32-43, 2006.
39. C. Yue. Preventing the Revealing of Online Passwords to Inappropriate Websites with LoginInspector. In Proc. of USENIX LISA, 2012.
40. C. Yue and H. Wang. BogusBiter: A Transparent Protection Against Phishing Attacks. ACM Transactions on Internet Technology, 10(2):1-31, 2010.
41. Firefox Sync Service. https://wiki.mozilla.org/Services/Sync.