SaTC: CORE: Small: Understanding, Analyzing, and Improving Password Authentication Practices across the Web

SaTC：核心：小：理解、分析和改进整个 Web 的密码身份验证实践

• 批准号: 2055549
• 负责人: Frank Li
• 金额: $ 50万
• 依托单位: Georgia Tech Research Corporation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-06-01 至 2025-05-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2055549&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Understanding; Analyzing

For decades, passwords have served as a cornerstone of online authentication, and will likely remain so for the foreseeable future. As a consequence, the security of the web ecosystem, its billions of users, and the global economy are critically dependent on how websites manage password authentication. Yet each year, attackers successfully hijack millions of online accounts, highlighting a salient need to improve real-world password authentication. Towards this end, prior research has explored understanding and improving user password behavior, but to date, there has been limited consideration for how websites and their operators actually handle password authentication. Taking a website-centric perspective, this project will systematically investigate the password authentication practices employed by websites to identify root causes of insecure methods. Drawing on the insights gained, this project will also develop innovative technical and non-technical approaches for improving the practices actually adopted by website operators. Ultimately, this research will help advance online authentication security across the web, by impacting the way web-site operators manage password related security. This could possibly lead to better security standards (e.g., web standards or password standards). Research outcomes will be widely disseminated and integrated into open-source tools that website developers and administrators can directly use.To achieve these goals, this project will pursue three interconnected thrusts. The first thrust will develop web crawling and analysis techniques to measure website password authentication practices at scale and evaluate their implications, providing new visibility into the state of online authentication security throughout the web ecosystem. The second thrust will employ user studies and experiments with website operators to establish a socio-technical understanding of why insecure practices manifest in reality, considering human, organizational, policy, legal, and technical factors. Finally, the third thrust will build on the insights gained from the other two thrusts and develop practical technical and non-technical solutions for improving how website operators manage password authentication. These solutions will include hardened designs and implementations of existing authentication mechanisms, tools that reduce the barriers to adopting secure practices, and methods of raising operator awareness of poor practices. Together, these complementary thrusts serve as a comprehensive effort to improve web authentication in practice.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

几十年来，密码一直是在线身份验证的基石，并且在可预见的未来很可能仍然如此。因此，网络生态系统、其数十亿用户以及全球经济的安全在很大程度上取决于网站如何管理密码身份验证。然而，每年，攻击者都会成功劫持数百万个在线帐户，这凸显了改进现实世界密码身份验证的迫切需要。为此，之前的研究已经探索了理解和改善用户密码行为，但迄今为止，对网站及其运营商如何实际处理密码身份验证的考虑有限。 该项目将从以网站为中心的角度，系统地调查网站采用的密码身份验证实践，以找出不安全方法的根本原因。根据所获得的见解，该项目还将开发创新的技术和非技术方法，以改进网站运营商实际采用的做法。最终，这项研究将通过影响网站运营商管理密码相关安全的方式来帮助提高整个网络的在线身份验证安全性。这可能会导致更好的安全标准（例如网络标准或密码标准）。研究成果将被广泛传播并集成到网站开发人员和管理员可以直接使用的开源工具中。为了实现这些目标，该项目将追求三个相互关联的主旨。第一个重点将开发网络爬行和分析技术，以大规模测量网站密码身份验证实践并评估其影响，从而为整个网络生态系统的在线身份验证安全状态提供新的可见性。 第二个重点将利用用户研究和网站运营商的实验，考虑人、组织、政策、法律和技术因素，从社会技术角度理解为什么不安全的做法在现实中表现出来。 最后，第三个重点将建立在从其他两个重点获得的见解的基础上，开发实用的技术和非技术解决方案，以改进网站运营商管理密码身份验证的方式。这些解决方案将包括现有身份验证机制的强化设计和实施、减少采用安全实践障碍的工具以及提高操作员对不良实践认识的方法。 这些互补的推动力共同构成了在实践中改进网络身份验证的全面努力。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Don't Forget the Stuffing! Revisiting the Security Impact of Typo-Tolerant Password Authentication

• DOI: 10.1145/3460120.3484791
• 发表时间: 2021-11
• 期刊: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Sena Sahin;Frank H. Li