
Shadow Attacks based on Password Reuses: A Quantitative Empirical Analysis

With the proliferation of websites, the security level of password-protected accounts is no longer determined purely by the individual account. Users may register multiple accounts on the same site or across multiple sites, and the passwords chosen by the same user are likely to be the same or similar. As a result, an adversary can compromise a user's account on a web forum and then guess the same user's sensitive accounts, e.g., online banking services, which could have the same or even stronger passwords. We name this attack the shadow attack on passwords. To understand the situation, we examined state-of-the-art Intra-Site Password Reuses (ISPR) and Cross-Site Password Reuses (CSPR) based on leaked passwords from the biggest Internet user group (i.e., 668 million members in China). With a collection of about 70 million real-world web passwords across four large websites in China, we obtained around 4.6 million distinct users who have multiple accounts on the same site or across different sites. We found that among users with multiple accounts on a single website, 59.72% reused their passwords, and among users with multiple accounts on multiple websites, 33.16 ± 8.91% reused their passwords across websites. For users who have multiple accounts but different passwords, the set of passwords of the same user exhibits patterns that can help password guessing: a leaked weak password reveals partial information about a strong one, which degrades the strength of the strong one. Given these findings, we conducted an experiment and achieved a 39.38% improvement in guessing success rate with the John the Ripper guessing tool. To the best of our knowledge, we are the first to provide a large-scale, empirical, and quantitative measurement of web password reuses, especially ISPR, and to shed light on the severity of such a threat in the real world.

Existing System:

The wide adoption of password-based authentication is the result of its low cost and simplicity: a user can enter his or her password anywhere by keyboard or touch screen without any extra device. The popularity of passwords and the proliferation of websites, however, lead to concern about password reuse between accounts on different websites or even on the same website. Moreover, the numerous recent high-profile password leakage events have not made the password situation any better, and we ask the following questions: What does password reuse mean for accounts across websites and even for accounts within the same website? What is the implication of a compromised website or account for others? How easy are shadow attacks, i.e., an adversary compromising an account by using the passwords of the same user's other accounts, either on the same site or on other sites? To find the answers, in this paper we analyze password reuses and shadow attacks empirically.


Proposed System:

Users should take stronger security precautions to protect their accounts, especially high-value accounts, from the threat of ISPR and CSPR. For example, they should not reuse the passwords of forum sites for their online banking accounts.

In particular, simple derivation patterns, such as using one password as the prefix of another, should not be applied either. Both behaviors are dangerous for high-value accounts. When a webmaster measures the strength of passwords, he or she should consider the threat of ISPR and CSPR. That is, when a similar website leaks its passwords, the relevant accounts should be notified and their passwords should be reset.

Password strength meters should also be designed partly around the threat of these password reuses rather than around the passwords themselves. A password manager can be a good helper for managing a large number of passwords, although some threats and vulnerabilities still exist. In addition, multi-factor authentication should become common in the near future, and a dynamic combination of authentication factors might then offer a more user-friendly experience.
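A reuse-aware check of the kind the paragraph above calls for, written here as an added illustration (it is not the paper's code): it flags a candidate password that is identical to, a case variant of, a prefix or suffix extension of, or within two edits of a password the same user already has elsewhere. The list of known passwords and the length and edit thresholds are constructed assumptions for the example.

```python
from typing import List, Optional, Tuple

# Constructed sample: passwords the same user chose on other accounts (e.g. a leaked
# forum account). A real deployment would compare against a breach feed rather than
# store plaintext; plaintext is used here only to show the similarity checks.
KNOWN_PASSWORDS = ["sunshine2011", "Sunshine2011!", "qwerty"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def reuse_relation(candidate: str, known: str, max_edits: int = 2) -> Optional[str]:
    """Classify how `candidate` is derived from `known`; None means unrelated."""
    if candidate == known:
        return "identical"
    if candidate.lower() == known.lower():
        return "case-variant"
    shorter, longer = sorted((candidate, known), key=len)
    # Prefix/suffix patterns are the ISPR/CSPR derivations the paper highlights;
    # the 4-character floor (an assumption) avoids flagging trivial overlaps.
    if len(shorter) >= 4 and longer.startswith(shorter):
        return "prefix"
    if len(shorter) >= 4 and longer.endswith(shorter):
        return "suffix"
    if levenshtein(candidate, known) <= max_edits:
        return "near-duplicate"
    return None

def check_password(candidate: str, known_passwords=KNOWN_PASSWORDS) -> List[Tuple[str, str]]:
    """Return (known_password, relation) pairs; an empty list means no reuse detected."""
    hits = []
    for known in known_passwords:
        rel = reuse_relation(candidate, known)
        if rel:
            hits.append((known, rel))
    return hits

if __name__ == "__main__":
    for pw in ["sunshine2011", "sunshine2011bank", "Tr0ub4dor&3"]:
        print(pw, "->", check_password(pw) or "no reuse detected")
```

A strength meter would treat any non-empty result as a reject or a strong warning, regardless of the candidate's own length or character classes.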
