A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies
<p>Single-factor password-based authentication is generally the norm to access on-line Web-sites. While single-factor authentication is well known to be a weak form of authentication, a further concern arises when considering the possibility for an attacker to recover the user passwords by lev...
Saved in:
| Main Author: | |
|---|---|
| Other Authors: | |
| Published: |
2020
|
| Subjects: | |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1864513561674383360 |
|---|---|
| author | Simone Raponi (14158911) |
| author2 | Roberto Di Pietro (16875987) |
| author2_role | author |
| author_facet | Simone Raponi (14158911) Roberto Di Pietro (16875987) |
| author_role | author |
| dc.creator.none.fl_str_mv | Simone Raponi (14158911) Roberto Di Pietro (16875987) |
| dc.date.none.fl_str_mv | 2020-03-16T00:00:00Z |
| dc.identifier.none.fl_str_mv | 10.1109/access.2020.2981207 |
| dc.relation.none.fl_str_mv | https://figshare.com/articles/journal_contribution/A_Longitudinal_Study_on_Web-Sites_Password_Management_in_Security_Evidence_and_Remedies/24025236 |
| dc.rights.none.fl_str_mv | CC BY 4.0 info:eu-repo/semantics/openAccess |
| dc.subject.none.fl_str_mv | Information and computing sciences Cybersecurity and privacy Password Electronic mail Authentication Web sites Authorization Password recovery Security and privacy on the Web |
| dc.title.none.fl_str_mv | A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies |
| dc.type.none.fl_str_mv | Text Journal contribution info:eu-repo/semantics/publishedVersion text contribution to journal |
| description | <p>Single-factor password-based authentication is generally the norm to access on-line Web-sites. While single-factor authentication is well known to be a weak form of authentication, a further concern arises when considering the possibility for an attacker to recover the user passwords by leveraging the loopholes in the password recovery mechanisms. Indeed, the adoption by a Web-site of a poor password management system makes useless even the most robust password chosen by the registered users. In this paper, building on the results of our previous work, we study the possible attacks to on-line password recovery systems analyzing the mechanisms implemented by some of the most popular Web-sites. In detail, we provide several contributions: (i) we revise and detail the attacker model; (ii) we provide an updated analysis with respect to a preliminary study we carried out in December 2017; (iii) we perform a brand new analysis of the current top 200 Alexa's Web-sites of five major EU countries; and, (iv) we propose Maildust, a working open-source module that could be adopted by any Web-site to provide registered users with a password recovery mechanism to prevent mail service provider-level attacks. Overall, it is striking to notice how the analyzed Web-sites have made little (if any) effort to become compliant with the GDPR regulation, showing that the objective to have basic user protection mechanisms in place-despite the fines threatened by the GDPR-is still far, mainly because of sub-standard security management practices. Finally, it is worth noting that while this study has been focused on EU registered Web-sites, the proposed solution has, instead, general applicability.</p><h2>Other Information</h2><p>Published in: IEEE Access<br>License: <a href="https://creativecommons.org/licenses/by/4.0/legalcode" target="_blank">https://creativecommons.org/licenses/by/4.0/</a><br>See article on publisher's website: <a href="https://dx.doi.org/10.1109/access.2020.2981207" target="_blank">https://dx.doi.org/10.1109/access.2020.2981207</a></p> |
| eu_rights_str_mv | openAccess |
| id | Manara2_5fc5fca8fdef792c3e2014d025c8a851 |
| identifier_str_mv | 10.1109/access.2020.2981207 |
| network_acronym_str | Manara2 |
| network_name_str | Manara2 |
| oai_identifier_str | oai:figshare.com:article/24025236 |
| publishDate | 2020 |
| repository.mail.fl_str_mv | |
| repository.name.fl_str_mv | |
| repository_id_str | |
| rights_invalid_str_mv | CC BY 4.0 |
| spelling | A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and RemediesSimone Raponi (14158911)Roberto Di Pietro (16875987)Information and computing sciencesCybersecurity and privacyPasswordElectronic mailAuthenticationWeb sitesAuthorizationPassword recoverySecurity and privacy on the Web<p>Single-factor password-based authentication is generally the norm to access on-line Web-sites. While single-factor authentication is well known to be a weak form of authentication, a further concern arises when considering the possibility for an attacker to recover the user passwords by leveraging the loopholes in the password recovery mechanisms. Indeed, the adoption by a Web-site of a poor password management system makes useless even the most robust password chosen by the registered users. In this paper, building on the results of our previous work, we study the possible attacks to on-line password recovery systems analyzing the mechanisms implemented by some of the most popular Web-sites. In detail, we provide several contributions: (i) we revise and detail the attacker model; (ii) we provide an updated analysis with respect to a preliminary study we carried out in December 2017; (iii) we perform a brand new analysis of the current top 200 Alexa's Web-sites of five major EU countries; and, (iv) we propose Maildust, a working open-source module that could be adopted by any Web-site to provide registered users with a password recovery mechanism to prevent mail service provider-level attacks. Overall, it is striking to notice how the analyzed Web-sites have made little (if any) effort to become compliant with the GDPR regulation, showing that the objective to have basic user protection mechanisms in place-despite the fines threatened by the GDPR-is still far, mainly because of sub-standard security management practices. Finally, it is worth noting that while this study has been focused on EU registered Web-sites, the proposed solution has, instead, general applicability.</p><h2>Other Information</h2><p>Published in: IEEE Access<br>License: <a href="https://creativecommons.org/licenses/by/4.0/legalcode" target="_blank">https://creativecommons.org/licenses/by/4.0/</a><br>See article on publisher's website: <a href="https://dx.doi.org/10.1109/access.2020.2981207" target="_blank">https://dx.doi.org/10.1109/access.2020.2981207</a></p>2020-03-16T00:00:00ZTextJournal contributioninfo:eu-repo/semantics/publishedVersiontextcontribution to journal10.1109/access.2020.2981207https://figshare.com/articles/journal_contribution/A_Longitudinal_Study_on_Web-Sites_Password_Management_in_Security_Evidence_and_Remedies/24025236CC BY 4.0info:eu-repo/semantics/openAccessoai:figshare.com:article/240252362020-03-16T00:00:00Z |
| spellingShingle | A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies Simone Raponi (14158911) Information and computing sciences Cybersecurity and privacy Password Electronic mail Authentication Web sites Authorization Password recovery Security and privacy on the Web |
| status_str | publishedVersion |
| title | A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies |
| title_full | A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies |
| title_fullStr | A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies |
| title_full_unstemmed | A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies |
| title_short | A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies |
| title_sort | A Longitudinal Study on Web-Sites Password Management (in)Security: Evidence and Remedies |
| topic | Information and computing sciences Cybersecurity and privacy Password Electronic mail Authentication Web sites Authorization Password recovery Security and privacy on the Web |