View Proposal


Proposer
Mike Just
Title
Avoiding the dreaded password stuffing
Goal
To build and test a secure password checking service that implements a variety of checking methods
Description
Password (or, more generally, credential) stuffing is a cyber attack in which an attacker takes a user's password that was compromised at one site and uses it to break into another account belonging to the same user. Such attacks are possible because users often re-use their passwords at multiple sites. One way to prevent such attacks is to check whether a password has been compromised. Such a service would take a password (and user ID) as input and search for the password on various compromised password lists. If the password is present on a list, then it is known to be compromised and should no longer be used. The risk with such "password checking services" is that they need to be trusted; otherwise they might themselves be a nefarious "password harvesting service" that is stealing user passwords. To avoid having to trust the checking service, rather than providing the full password "in the clear", other information can be provided, such as a partial hash of the password. Your task is to design and implement a password checking service, and test the service using a variety of methods and databases according to different metrics such as security, efficiency, etc.

Some related papers (the second relates to Google's password checkup service):

Li, L., Pal, B., Ali, J., Sullivan, N., Chatterjee, R. and Ristenpart, T., 2019, November. Protocols for checking compromised credentials. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (pp. 1387-1403).

Thomas, K., Pullman, J., Yeo, K., Raghunathan, A., Kelley, P.G., Invernizzi, L., Benko, B., Pietraszek, T., Patel, S., Boneh, D. and Bursztein, E., 2019. Protecting accounts from credential stuffing with password breach alerting. In 28th USENIX Security Symposium (USENIX Security 19) (pp. 1556-1571).
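As an added illustration (not part of the proposal), one common way to realise the "partial hash" idea described above: the client hashes the password locally, sends only a short prefix of the digest, the server returns every breached suffix in that bucket, and the final match happens on the client, so the server never sees the full password or its full hash. The breach list, the prefix length and the helper names are assumptions made for this demo.

```python
import hashlib

# Constructed sample breach corpus for the demo (NOT a real leak): plaintext
# passwords paired with how often each appeared. A real service would store
# only the hashes, never the plaintexts.
CONSTRUCTED_BREACH = {"password123": 5, "letmein": 2, "hunter2": 1, "qwerty": 9}

PREFIX_LEN = 5  # hex characters of SHA-1 the client reveals (20 bits)


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password; computed on the client, never sent in full."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: dict) -> dict:
    """Server side: index breached passwords as prefix -> {suffix: count}."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


def server_lookup(index: dict, prefix: str) -> dict:
    """Server side: return the whole bucket for a prefix. The server learns only
    the prefix, so it cannot tell which of the bucket's entries the client wants."""
    return dict(index.get(prefix.upper(), {}))


def client_check(password: str, index: dict) -> int:
    """Client side: send the prefix, finish the comparison locally.
    Returns how many times the password appeared in the breach data (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    bucket = server_lookup(index, prefix)  # stands in for the network round trip
    return bucket.get(suffix, 0)


def expected_bucket_size(total_hashes: int) -> float:
    """Rough anonymity set: with uniformly distributed hashes, each 5-hex-char
    prefix bucket holds about total_hashes / 16**PREFIX_LEN candidates."""
    return total_hashes / (16 ** PREFIX_LEN)


if __name__ == "__main__":
    idx = build_index(CONSTRUCTED_BREACH)
    for candidate in ("password123", "correct horse battery staple"):
        print(candidate, "->", client_check(candidate, idx))
```

The bucket size is the trade-off to test in the project: a shorter prefix hides the password among more candidates but costs more bandwidth per query, while a longer prefix does the reverse.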
Resources
Background
You should be comfortable with some maths and computing various probabilities related to security and cryptography.
Url
Difficulty Level
Moderate
Ethical Approval
None
Number Of Students
1
Supervisor
Mike Just
Keywords
authentication, cryptography, cyber security, passwords
Degrees
Bachelor of Science in Computer Science
Master of Engineering in Software Engineering
Master of Science in Computer Science for Cyber Security
Master of Science in Computing (2 Years)
Master of Science in Information Technology (Software Systems)
Master of Science in Network Security
Master of Science in Software Engineering
Bachelor of Science in Computing Science
Bachelor of Engineering in Robotics
Bachelor of Science in Computer Science (Cyber Security)
Master of Science in Robotics with Industrial Application