Upload File

ruhr-universitÄt bochum will any password do? …€¦ · rate-limiting on the web way’18,...

  • Home
  • Documents
  • RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth
17
WILL ANY PASSWORD DO? EXPLORING RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth RUHR-UNIVERSITÄT BOCHUM

Upload: others

Post on 23-Aug-2020

0 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

WILL ANY PASSWORD DO? EXPLORING RATE-LIMITING ON THE WEBWAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

RUHR-UNIVERSITÄT BOCHUM

Page 2: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

2

MOTIVATION

at least 8 characters

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

upper case, lower case, numbers,

special characters

change once a month

do not reuse

not more than 8 characters

Rate-limiting

“… the verifier shall limit attempts on a single

account to no more than 100.”

(NIST Special Publication 800-63B)

Research Question

Do real-world websites take appropriate measures

to prevent unauthorized accesses to their users’

accounts?

Page 3: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

3

STUDY PROCEDURE

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Final valid attempt

Correct credentials

From same Tor session

Tor network

Hide identity

Circumvent IP blocking

Number of attempts

Usability: min. 10

NIST: max. 100

First impression

No resource wasting

Page 4: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

4

WEBSITES

Existing Accounts

History & Value

Don’t be evil

Our own accounts

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Page 5: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

5

PASSWORDS

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Manual Verification

“8 or more characters”

“12345678” not allowed

Composition Policies

Remove non-compliant

passwords

Bad practice still in use

Baseline

Pwned Passwords v2

500 million breached

passwords

Page 6: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

6

RESULTS OVERVIEW

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 7: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

7

RESULTS OVERVIEW

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 8: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

8

RESULTS OVERVIEW

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 9: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

9

ACCOUNT LOCKOUT

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 10: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

10

ACCOUNT LOCKOUT

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 11: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

11

SUCCESSFUL LOGIN

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 12: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

12

SUCCESSFUL LOGIN

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 13: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

13

BLOCKING

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 14: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

14

BLOCKING

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 15: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

15

CAPTCHA

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 16: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

16

NOTIFICATIONS

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Alexa Service GuessesTime

(Min.)Login CAPTCHA Lockout Blocking 2nd Step Notification

1 Google 25 10 o • o • - -

3 Facebook 25 4 o o • o - -

7 Yahoo 25 5 o • o • Email Code Suspicious

12 Twitter 25 4 • o o • Phone No. Sign-in, Suspicious

30 Netflix 25 7 o o • • - -

84 Amazon 25 15 • • o • Email Code -

89 Dropbox 25 19 • • o o - Sign-in

285 IKEA 7 2 o o • o - Account Locked

664 Grammarly 13 6 o o • • - -

992 Plex 25 7 • o o • - -

1220 Uber 25 9 • • o • SMS Code -

4333 Trainline 25 3 • o o o - -

Page 17: RUHR-UNIVERSITÄT BOCHUM WILL ANY PASSWORD DO? …€¦ · RATE-LIMITING ON THE WEB WAY’18, Baltimore, MD, USA, 12 August 2018 Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

17

TAKEAWAY

WILL ANY PASSWORD DO? RATE-LIMITING ON THE WEB

WAY’18, Baltimore, MD, USA, 12 August 2018

Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

No rate-limiting detected

No protection

on provider side

Leave account security

solely to users

Not recommendable

Trade-off usability

Smaller websites

lock down accounts

Requires user effort

to regain access

Combine mechanisms

Large services

take most effort

CAPTCHA, Blocking,

multiple steps,

security notficiations


Olaf Medenbach, Ruhr-Universität Bochum Olaf Medenbach Institut für Geologie, Mineralogie und Geophysik Ruhr-Universität Bochum 44780 Bochum, Germany [email protected]

RUHR-UNIVERSITAT BOCHUM

University of Groningen DNA Block Copolymers Schnitzler, Tobias; … · 2016. 3. 5. · TOBIAS SCHNITZLER AND ANDREAS HERRMANN* Zernike Institute for Advanced Materials, University

Author(s): HANS-ULRICH SCHNITZLER and ELISABETH K ...amason/courses/coursepage...Hans-Ulrich Schnitzler (e-mail: [email protected]) is professor and head of

LEADERSHIP - Startseite: Hochschule Bochum

Fritz, S., Eronen, J., Schnitzler, J., Hof, C., Janis, C

FSE 2016 in Bochum - fse.2015.rump.cr.yp.to€¦ · FSE 2016 in Bochum. FSE 2016 •Dates: 20.-23. March 2016 •Program Chair: Thomas Peyrin fse.rub.de. Bochum in brief • In the

SCHNITZLER-Three Plays.txt

Hospitality Lawyer at The Hotel Developers Conference wiith Gary Golla of SERA

Ihr exone Partner: RiseTEC - Inh. Sebastian Schnitzler Matthias … · 2016-10-04 · Ihr exone Partner: RiseTEC - Inh. Sebastian Schnitzler Matthias-Claudius-Str. 2 40699 Erkrath

P&G CASE STUDY - BY KARTHEEK GOLLA

Preliminary Leinenweberstr. 5 Program · Medizinische Virologie Ruhr-Universität Bochum Universitätsstr . 150 44780 Bochum Germany virologie@ruhr-uni-bochum .de Prof. Dr. Robert

A. Schnitzler - Traumnovelle

Women's Economic Empowerment: A Framework for Conceptualization and Measurement by Anne Marie Golla

CHAPTER 9 INTERACTION DEVICES Ben Carson Rajesh Golla Sunil Dsouza

Ruhr-Universitat Bochum, D-44780 Bochum, Germany · Ruhr-Universitat Bochum, D-44780 Bochum, Germany ABSTRACT ... is shown to be dominated by photon production at R≈ rin the near-field

Slides for Bochum 2007

Immunology - Ruhr University Bochum€¦ · Immunology 03.05.2017, Ruhr-Universität Bochum Marcus Peters, [email protected] Antigenpresentation

GETRÄNKEKARTE - Huqqa bochum

Goethe-School Bochum

Corinna Albert (Bochum) - web.fu-berlin.de

Flyer Bochum Online

113818122 - Golla Family

BlogWell San Francisco Case Study: Kaiser Permanente, presented by Vince Golla

Kartheeek golla mcdonalds.pptx

Arthur Schnitzler

Bochum Accumulation model.pdf

Ruhr University Bochum€¦ · Ruhr University Bochum

Universitätsbibliothek Bochum

Virtual wallet by kartheek golla

John Schnitzler Jr., Endicott, New York - VM · © IBM Corporation 2007 ® 1 Lunch and Learn zSeries Linux Planning: Where to begin? John Schnitzler Jr., Endicott, New York ®

Call Center Standorte - business.metropoleruhr.de · Sykes Enterprises Bochum GmbH & Co. KG; Bessemerstraße 85 44793; Bochum Tekomedia GmbH; Castroper Straße 12 44791; Bochum Unitymedia

Complement System - Ruhr University Bochum … ·

Institut für Theaterwissenschaft – Ruhr-Universität Bochum · 2012. 10. 8. · Institut für Theaterwissenschaft – Ruhr-Universität Bochum

Presentation Styles Balancing Function And Fashion Ben Carson Rajesh Golla Sunil D’souza