Bicycle attacks considered harmful: Quantifying the damage of widespread password length leakage. Issue 100 (January 2021)
- Record Type:
- Journal Article
- Title:
- Bicycle attacks considered harmful: Quantifying the damage of widespread password length leakage. Issue 100 (January 2021)
- Main Title:
- Bicycle attacks considered harmful: Quantifying the damage of widespread password length leakage
- Authors:
- Harsha, Benjamin
Morton, Robert
Blocki, Jeremiah
Springer, John
Dark, Melissa
- Abstract:
- This work examines the issue of password length leakage via encrypted traffic, i.e., bicycle attacks. We aim to quantify both the prevalence of password length leakage bugs as well as the potential harm to users. We discuss several ways in which an eavesdropping attacker could link this password length with a particular user account, e.g., a targeted campaign against a smaller group of users or via DNS hijacking for larger scale campaigns. We next use a decision-theoretic model to quantify the extent to which password length leakage might help an attacker to crack user passwords. In our analysis, we consider three different levels of password attackers: hacker, criminal and nation-state. In all cases, we find that such an attacker who knows the length of each user password gains a significant advantage over one without knowing the password length. As part of this analysis, we also release a new differentially private password frequency dataset from the 2016 LinkedIn breach using a differentially private algorithm of Blocki et al. (NDSS 2016) to protect user accounts. We advocate for a new W3C standard on how password fields are handled which would effectively eliminate most instances of password length leakage.
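The following is an added example, not code from the paper or its authors, illustrating the two mechanisms the abstract describes: why an unpadded encrypted login request reveals the password length to an eavesdropper (and how fixed-width padding of the password field, the kind of client-side fix the authors want standardised, removes it), and how much a guessing attacker gains from knowing each account's password length. Everything in it is constructed: `stream_aead_encrypt` is a stdlib stand-in for a length-preserving AEAD such as AES-GCM (it reproduces only the ciphertext-length behaviour), `login_body`, `observed_password_length`, `leak_demo`, `cracked_fraction`, `cracked_fraction_with_length`, the username `alice` and the `FREQ` table are all invented for the demo, and the fixed per-account guess budget is a simplification of the paper's decision-theoretic (value versus cost) model, not the model itself.

```python
"""Added example (not from the paper or its authors): a stdlib-only model of
(1) how an unpadded encrypted login request leaks the password length to an
eavesdropper and how fixed-width padding removes the leak, and (2) a fixed
guess-budget comparison of a length-blind and a length-aware attacker over a
constructed password frequency table."""
import hashlib
import hmac
from collections import Counter

TAG_LEN = 16  # authentication-tag size of a typical TLS AEAD such as AES-GCM


def stream_aead_encrypt(key, nonce, plaintext):
    """Stand-in for a length-preserving AEAD (assumption: like AES-GCM, the
    ciphertext is len(plaintext) + TAG_LEN bytes). Keystream from SHAKE-256,
    tag from HMAC-SHA256; for illustration only, not a production cipher."""
    keystream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def login_body(username, password, pad_to=None):
    """Model of a login request body. With pad_to set, the password field is
    padded to a fixed width before encryption, so the body length no longer
    depends on the real password length. (A real form encoding would escape
    bytes; the length argument is unchanged as long as the padded field has a
    fixed encoded width.)"""
    field = password.encode()
    if pad_to is not None:
        if len(field) > pad_to:
            raise ValueError("password longer than padding width")
        field = field + b"\x00" * (pad_to - len(field))
    return b"username=" + username.encode() + b"&password=" + field


def observed_password_length(ciphertext_len, username):
    """Eavesdropper's inference. Everything except the password field has a
    length the attacker already knows (the account name is known once the
    session is linked to a user, e.g. by targeting or DNS hijacking as the
    abstract describes), so subtracting it and the tag leaves the length of
    the password field."""
    fixed = len(b"username=" + username.encode() + b"&password=")
    return ciphertext_len - TAG_LEN - fixed


def leak_demo(passwords, pad_to=None):
    """Return (true length, length inferred from ciphertext size) pairs.
    Unpadded: the inferred value equals the true length. Padded: every
    request infers to pad_to, so the observation carries no information."""
    key, nonce = b"k" * 32, b"n" * 12  # constructed demo values, not secrets
    pairs = []
    for pw in passwords:  # ASCII samples, so len(pw) is also the byte length
        ct = stream_aead_encrypt(key, nonce, login_body("alice", pw, pad_to))
        pairs.append((len(pw), observed_password_length(len(ct), "alice")))
    return pairs


# Constructed password frequency table (password -> number of accounts). It
# stands in for a real frequency dataset; the values are made up.
FREQ = Counter({
    "123456": 30, "password": 20, "12345678": 15, "qwerty": 12, "abc123": 10,
    "111111": 8, "letmein": 6, "monkey": 5, "dragon": 4, "iloveyou": 4,
    "sunshine": 3, "princess": 3, "football": 2, "baseball": 2,
    "trustno1": 2, "welcome": 2, "a1b2c3d4e5": 1, "correcthorsebattery": 1,
})


def cracked_fraction(freq, budget):
    """Length-blind attacker: spends `budget` guesses per account on the most
    common passwords overall. Returns the fraction of accounts cracked."""
    total = sum(freq.values())
    return sum(c for _, c in freq.most_common(budget)) / total


def cracked_fraction_with_length(freq, budget):
    """Length-aware attacker: knows each account's password length, so its
    `budget` guesses go to the most common passwords of that length only.
    Simplification of the paper's model: a fixed per-account budget rather
    than a value/cost trade-off."""
    total = sum(freq.values())
    by_len = {}
    for pw, c in freq.items():
        by_len.setdefault(len(pw), Counter())[pw] = c
    hit = sum(sum(c for _, c in sub.most_common(budget)) for sub in by_len.values())
    return hit / total


if __name__ == "__main__":
    print(leak_demo(["hunter2", "correcthorsebattery"]))              # exact lengths leak
    print(leak_demo(["hunter2", "correcthorsebattery"], pad_to=64))   # all look like 64
    for b in (1, 3, 5):
        print(b, cracked_fraction(FREQ, b), cracked_fraction_with_length(FREQ, b))
```

On the wire the eavesdropper sees TLS record lengths rather than body lengths, but the constant framing overhead subtracts out in the same way as the tag does here. Note that the length-aware attacker's gain comes entirely from pruning: with the same number of guesses it never wastes one on a password of the wrong length, which is why padding the field itself (so the observation is constant) is the fix, not a larger guess budget or a stronger cipher.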
- Is Part Of:
- Computers & security. Issue 100(2021)
- Journal:
- Computers & security
- Issue:
- Issue 100(2021)
- Issue Display:
- Volume 100, Issue 100 (2021)
- Year:
- 2021
- Volume:
- 100
- Issue:
- 100
- Issue Sort Value:
- 2021-0100-0100-0000
- Page Start:
- Page End:
- Publication Date:
- 2021-01
- Subjects:
- Bicycle attacks -- Password length leakage
Computer security -- Periodicals
Electronic data processing departments -- Security measures -- Periodicals
005.805
- Journal URLs:
- http://www.sciencedirect.com/science/journal/01674048
http://www.elsevier.com/journals
- DOI:
- 10.1016/j.cose.2020.102068
- Languages:
- English
- ISSNs:
- 0167-4048
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3394.781000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 15358.xml