Revisiting Defenses Against Large Scale Online Password Guessing Attacks


Online guessing attacks are commonly observed against web applications and SSH logins. Automated Turing Tests (ATTs) limit the number of guesses that can be made from a single machine. The focus here is on reducing user annoyance: legitimate users are challenged with fewer ATTs, while bot logins are subjected to more of them. The presentation introduces a protocol called the Password Guessing Resistant Protocol (PGRP), which makes use of both cookies and IP addresses. In this presentation we discuss defenses against large-scale online password guessing attacks.

Decision Function For Requesting Automated Turing Tests
The decision to challenge the user with an ATT depends on two factors:
  • Whether the user has authenticated successfully from the same machine previously.
  • The total number of failed login attempts for a specific user account.


If the username and password pair is valid, the user is not asked to answer an ATT challenge, provided a valid cookie is received or the source IP address is in the whitelist. If the username and password pair is invalid, PGRP shows the same kind of message for an incorrect {username, password} pair as for an incorrect answer to the ATT challenge. Offending IP addresses are not blacklisted, because such a list may consume considerable memory and legitimate users behind a blacklisted IP address would be blocked.
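The decision function described above, as an added example written for this page (not code from the PGRP authors): a simplified model in which a request skips the ATT when it comes from a previously authenticated machine (whitelisted IP or valid cookie) that is still under its failure budget, or when the password is correct and the account has seen few failures. The thresholds k1 and k2, the user table and the IP addresses are assumed values constructed for the example; whitelist and cookie expiry are omitted.

```python
from collections import defaultdict

# Constructed user database for the example (not real credentials).
USERS = {"alice": "correct horse", "bob": "hunter2"}


class PGRPDecision:
    """Simplified model of PGRP's ATT decision. k1/k2 are assumed values."""

    def __init__(self, k1=30, k2=3):
        self.k1 = k1  # failures tolerated per (ip, user) on a known machine
        self.k2 = k2  # failures tolerated per account before unknown machines get ATTs
        self.whitelist = set()       # source IPs with a prior successful login
        self.cookies = set()         # (cookie, username) pairs issued at login
        self.fs = defaultdict(int)   # failed attempts per (ip, username)
        self.ft = defaultdict(int)   # failed attempts per username
        self.next_cookie = 0

    def known_machine(self, src_ip, username, cookie):
        return src_ip in self.whitelist or (cookie, username) in self.cookies

    def requires_att(self, src_ip, username, cookie, creds_valid):
        # Factor 1: machine authenticated before, and still under its failure budget.
        if self.known_machine(src_ip, username, cookie) and self.fs[(src_ip, username)] < self.k1:
            return False
        # Factor 2: correct password for an account with few failures, even from an unknown machine.
        if creds_valid and self.ft[username] < self.k2:
            return False
        return True

    def attempt(self, src_ip, username, password, cookie=None, att_answer_ok=False):
        """Returns (outcome, cookie). Outcome: 'login', 'invalid_credentials' or 'att_required'."""
        creds_valid = USERS.get(username) == password
        if self.requires_att(src_ip, username, cookie, creds_valid) and not att_answer_ok:
            # Same response whether or not the password was right: nothing is revealed
            # and no counters move, so unanswered ATTs cannot eliminate passwords.
            return "att_required", None
        if not creds_valid:
            self.fs[(src_ip, username)] += 1
            self.ft[username] += 1
            return "invalid_credentials", None
        # Success: remember the machine by IP and hand out a cookie for this account.
        self.whitelist.add(src_ip)
        self.next_cookie += 1
        issued = f"c{self.next_cookie}"
        self.cookies.add((issued, username))
        return "login", issued
```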

Security analysis

The security analysis is based on the following questions:

  • What is the expected number of passwords that an adversary can eliminate from the password space without answering any ATT challenge?
  • What is the expected number of ATT challenges an adversary must answer to correctly guess a password?
  • What is the probability of a confirmed correct guess for an adversary unwilling to answer any ATT?
  • What is the probability of a confirmed correct guess for an adversary willing to answer ATTs?

PGRP provides improved security over the PS and VS protocols, and security identical to the strawman protocol.

Limitations

Regarding security, the limitations are: passwords being eliminated from a password space of cardinality N, password-space elimination by an adversary holding a valid cookie, and cookie theft.

Regarding usability, the limitations are: the probability of an incorrect password from a known machine, failed login attempts forcing ATTs on legitimate users, ATTs for a correct password entered from an unknown machine, and the drawbacks of cookies for users with multiple browsers and machines.
