TY - GEN
T1 - A Spark Is Enough in a Straw World: A Study of Websites Password Management in the Wild
T2 - 14th International Workshop on Security and Trust Management, STM 2018
AU - Raponi, Simone
AU - Di Pietro, Roberto
N1 - Generated from Scopus record by KAUST IRTS on 2023-09-20
PY - 2018
Y1 - 2018
AB - The widespread usage of password authentication in online websites leads to an ever-increasing concern, especially when considering the possibility for an attacker to recover the user password by leveraging the loopholes in the password recovery mechanisms. Indeed, the adoption of a poor password management system by a website makes useless even the most robust password chosen by its users. In this paper, we first provide an analysis of currently adopted password recovery mechanisms. Later, we model an attacker with a set of different capabilities, and we show how current password recovery mechanisms can be exploited in our attacker model. Then, we provide a thorough analysis of the password management of some of the Alexa's top 200 websites in different countries, including England, France, Germany, Spain and Italy. Of these 1,000 websites, 722 do not require authentication, and hence are excluded from our study, while out of the remaining 278 we focused on 174, since 104 demanded information we could not produce. Of these 174, almost 25% have critical vulnerabilities, while 44% have some form of vulnerability. Finally, we point out that, by considering the entry into force of the General Data Protection Regulation (GDPR) in May 2018, most websites are not compliant with the legislation and may incur heavy fines. This study, other than being important on its own since it highlights some severe current vulnerabilities and proposes corresponding remedies, has the potential to have a relevant impact on the EU industrial ecosystem.
KW - Authentication mechanism
KW - Password recovery
KW - Security
UR - http://link.springer.com/10.1007/978-3-030-01141-3_3
UR - http://www.scopus.com/inward/record.url?scp=85054879779&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-01141-3_3
DO - 10.1007/978-3-030-01141-3_3
M3 - Conference contribution
AN - SCOPUS:85054879779
SN - 9783030011406
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 37
EP - 53
BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
A2 - Alcaraz, Cristina
A2 - Katsikas, Sokratis K.
PB - Springer
Y2 - 6 September 2018 through 7 September 2018
ER -