Morning Keynote by Dr. Kun Sun
Title: On Enhancing Security of Password-based Authentication
Passwords have remained the dominant authentication scheme for more than 30 years, and they cannot be fully replaced in the foreseeable future. However, password authentication has long been plagued by many security and usability drawbacks, mainly due to the limits of human memory. We present two research projects that focus on the security of password authentication and its ecosystem. First, we observe that personal information plays an important role when a user creates a password. Motivated by this, we study how users build their passwords from their personal information, using a leaked password dataset. We then develop a novel password cracker, named personal-PCFG, that leverages personal information for password cracking. Second, we investigate an overlooked stage of the password lifecycle: the password recovery procedure. We study the feasibility of mounting an email-based account recovery attack. We examine the account authentication and recovery protocols of 239 traffic-heavy websites, confirming that most of them use email for account recovery. We further scrutinize the security policies of major email service providers and show that a significant portion of them make no or only marginal effort to protect user email accounts. Finally, we propose a lightweight email security enhancement, Secure Email Account Recovery (SEAR), that defends against account recovery attacks by adding an extra layer of protection to account recovery emails.