
Gossamer: Securely Measuring Password-based Logins

We provide the first framework for safely measuring information about passwords, a process for assessing the risk of individual password-based measurements, and a measurement study of 34M login requests obtained from two universities.

Why log information about passwords?

Passwords are still the main method of online authentication, despite the threats of credential theft and credential stuffing. Industry practitioners have been moving toward relying not only on an exact password match but also on other signals to differentiate benign from malicious login attempts. Tian et al. showed promising results using password-derived information to help decide which login requests were more suspicious than others, but they evaluated on simulated data rather than real login data. This leads us to the next question...

Are there existing datasets with password-derived information?

Not that we have found. Some studies compared the hash of each submitted password against other submitted passwords and logged frequency information based on that (Bonneau et al. 2012). Another study (Mazurek et al. 2013) analyzed the strength of passwords that had been stored under legacy reversible encryption. But we have not seen datasets with more complex password-derived measurements; and even if they do exist, getting access to such datasets may be an issue.

How can we choose which password-derived measurements are safe to log?

Care must be taken to choose measurements that do not leak too much information about the actual password; otherwise, an attacker who obtains the logs could use that information to speed up a guessing attack. In this paper, we propose a new method for assessing this speedup and for choosing measurements whose attacker speedup stays within a bound.
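The following Python example is added here to make the notion of attacker speedup concrete; it is not code from the paper or from the Gossamer repository, and the paper's own leakage metric may differ from this simplified one. An attacker who learns a measurement m(pw) can restrict guessing to passwords sharing that value, so the speedup is the ratio of top-q guessing success with and without the leaked measurement. The password frequency table is constructed toy data, and the candidate measurements (`has_digit`, `length_bucket`) and the speedup budget in `within_budget` are hypothetical policy choices.

```python
"""Attacker speedup from a logged password-derived measurement.

Added illustration, not code from the Gossamer paper or repository. The
frequency table below is constructed toy data; a real assessment would use a
large leaked-password distribution.
"""
from collections import defaultdict
from typing import Callable, Dict, Hashable, List

# Constructed toy distribution: password -> number of users who chose it.
PASSWORD_COUNTS: Dict[str, int] = {
    "123456": 400, "password": 300, "qwerty": 150, "iloveyou": 120,
    "abc123": 100, "letmein": 80, "monkey": 70, "dragon": 60,
    "Password1": 50, "football": 40, "sunshine": 30, "admin": 20,
    "welcome1": 20, "princess": 15, "zaq12wsx": 10, "Tr0ub4dor&3": 5,
}

Measurement = Callable[[str], Hashable]


def q_success(counts: Dict[str, int], q: int) -> float:
    """Probability that an attacker with q guesses and no side information
    (guessing the q most popular passwords) hits a random user's password."""
    total = sum(counts.values())
    return sum(sorted(counts.values(), reverse=True)[:q]) / total


def conditioned_q_success(counts: Dict[str, int], measure: Measurement, q: int) -> float:
    """Same attacker, but told m = measure(pw) before guessing. Within the
    bucket of passwords sharing m, the best strategy is again to guess the q
    most popular ones; summing the per-bucket hits over all buckets and
    dividing by the user total gives the overall hit probability."""
    total = sum(counts.values())
    buckets: Dict[Hashable, List[int]] = defaultdict(list)
    for pw, c in counts.items():
        buckets[measure(pw)].append(c)
    hits = sum(sum(sorted(b, reverse=True)[:q]) for b in buckets.values())
    return hits / total


def speedup(counts: Dict[str, int], measure: Measurement, q: int) -> float:
    """Multiplicative advantage the leak gives the attacker. 1.0 means the
    measurement is useless to them. For q = 1 the number of distinct
    measurement values is an upper bound, since each bucket contributes at
    most its own most popular password."""
    return conditioned_q_success(counts, measure, q) / q_success(counts, q)


def within_budget(counts: Dict[str, int], measure: Measurement, q: int,
                  max_speedup: float) -> bool:
    """Policy check: admit a measurement for logging only if its speedup
    stays within the budget (the budget value is a hypothetical policy knob)."""
    return speedup(counts, measure, q) <= max_speedup


# Candidate measurements (hypothetical; chosen for illustration only).
def has_digit(pw: str) -> bool:
    return any(ch.isdigit() for ch in pw)


def length_bucket(pw: str) -> int:
    """Coarsened length: 0, 4, 8 or 12. Coarsening shrinks the number of
    distinct values and therefore the attacker's possible speedup."""
    return min(len(pw), 12) // 4 * 4


if __name__ == "__main__":
    candidates = [("exact length", len), ("length_bucket", length_bucket),
                  ("has_digit", has_digit), ("raw password", lambda p: p)]
    for name, m in candidates:
        print(f"{name:14s} speedup at q=1: {speedup(PASSWORD_COUNTS, m, 1):.3f}"
              f"  within budget 2.0: {within_budget(PASSWORD_COUNTS, m, 1, 2.0)}")
```

On the toy data, exact length gives the attacker a 2.14x speedup at q=1 and fails a budget of 2.0, while coarsening to a four-character bucket brings it down to 1.75x; logging the raw password is the degenerate case with the maximum speedup, and a constant measurement gives exactly 1.0.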

How can we safely log the password-derived measurements?

Passwords are highly sensitive and must be dealt with carefully. In this paper, we design a framework for instrumenting an online web login server and recording password-derived measurements using four main design principles:
  • Safe-on-reboot (Miklas et al. 2009)
  • Periodic deletion
  • Least privilege access
  • Bounded leakage logging
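The Python sketch below is an added illustration of how the four principles can be wired together in a login-server instrumentation pipeline; it is not Gossamer's implementation, and the class names, the measurement allowlist and the retention period are hypothetical. A sensor component is the only code that sees a plaintext password (least privilege); it keys its pseudonyms with a random key that lives only in process memory, so records cannot be re-linked to usernames after a restart (the safe-on-reboot idea, simplified); the log accepts only fields from an allowlist of assessed measurements (bounded leakage) and drops records past a retention window (periodic deletion).

```python
"""Sketch of the four logging principles listed above.

Added illustration, not Gossamer's code: the class names, the allowlist and
the retention period are hypothetical. It shows where each principle lands in
a measurement pipeline: a sensor that sees plaintext, a log that never does.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, List

# Bounded leakage: only measurements whose attacker speedup was assessed and
# accepted offline may ever be written. Anything else is refused by the log.
ALLOWED_MEASUREMENTS: Dict[str, Callable[[str], object]] = {
    "length_bucket": lambda pw: min(len(pw), 12) // 4 * 4,   # 0, 4, 8, 12
    "has_digit": lambda pw: any(ch.isdigit() for ch in pw),
}
RECORD_FIELDS = set(ALLOWED_MEASUREMENTS) | {"uid", "ts"}


class MeasurementSensor:
    """Least privilege: the single component allowed to see a plaintext
    password. It emits a record of allowlisted measurements and nothing else."""

    def __init__(self) -> None:
        # Safe-on-reboot: the key exists only in process memory and is never
        # persisted. Records are linkable to each other within one process
        # lifetime, but after a restart (or a crash) nobody, operators
        # included, can recompute the pseudonyms from usernames.
        self._key = os.urandom(32)

    def measure(self, username: str, password: str, now: float) -> Dict[str, object]:
        record: Dict[str, object] = {
            name: f(password) for name, f in ALLOWED_MEASUREMENTS.items()
        }
        # Keyed pseudonym instead of the username; truncated for log size.
        record["uid"] = hmac.new(self._key, username.encode(),
                                 hashlib.sha256).hexdigest()[:16]
        record["ts"] = now
        return record


class MeasurementLog:
    """Stores measurement records; never receives a password or a username."""

    def __init__(self, retention_seconds: float) -> None:
        self.retention = retention_seconds
        self._records: List[Dict[str, object]] = []

    def append(self, record: Dict[str, object]) -> None:
        # Bounded leakage is enforced at the sink as well: a field outside the
        # assessed allowlist (e.g. a raw password slipped in by a bug) is
        # refused rather than written to disk.
        extra = set(record) - RECORD_FIELDS
        if extra:
            raise ValueError(f"refusing unassessed fields: {sorted(extra)}")
        self._records.append(dict(record))

    def purge(self, now: float) -> int:
        """Periodic deletion: drop everything older than the retention window
        and return how many records were removed."""
        keep = [r for r in self._records if now - float(r["ts"]) <= self.retention]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed

    def __len__(self) -> int:
        return len(self._records)


if __name__ == "__main__":
    sensor = MeasurementSensor()
    log = MeasurementLog(retention_seconds=60)
    log.append(sensor.measure("alice", "hunter22", now=0.0))    # constructed login
    log.append(sensor.measure("bob", "letmein", now=100.0))     # constructed login
    print(f"{len(log)} records before purge, removed {log.purge(now=130.0)}, "
          f"{len(log)} left")
```

The `purge` call would normally run on a timer; it takes the clock as a parameter only so that retention behaviour can be exercised deterministically. Creating a second `MeasurementSensor` stands in for a reboot: it draws a fresh key, so the same username yields a different `uid` and the old records cannot be joined to the new ones.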

What kind of insights can we gain from looking at passwords?

Through our measurement study of over 34M login requests, we made observations on the usability and security of password-based logins. Among other observations, we found that:
  • Typos are more common than previously reported.
  • Breached credential use is a huge issue.
  • Two-factor authentication impedes usability for end users.

How can Gossamer be used in the future?

We are in the process of open sourcing Gossamer so that other groups can extend it with additional measurements and use it in their studies of passwords. We hope that the insight enabled by Gossamer can aid in designing better login policies and developing more effective countermeasures.

Paper       Slides (.pptx)      Slides (.pdf)

GitHub

https://github.com/mgsanusi/gossamer

Cite

@inproceedings{bohuk2022,
  title     = {Gossamer: Securely Measuring Password-based Logins},
  author    = {Bohuk, Marina Sanusi and Islam, Mazharul and Ahmad, Suleman and Swift, Mike and Ristenpart, Thomas and Chatterjee, Rahul},
  booktitle = {31st {USENIX} Security Symposium ({USENIX} Security '22)},
  publisher = {{USENIX} Association},
  year      = {2022},
  month     = {August},
  url       = {https://www.cs.cornell.edu/~marina/Gossamer.pdf},
}


Last updated: Wed Jul 20 02:57:00 EDT 2022