TY - JOUR
T1 - A Longitudinal Study on Web-Sites Password Management (in)Security
T2 - Evidence and Remedies
AU - Raponi, Simone
AU - Pietro, Roberto Di
N1 - Funding Information:
This work was supported in part by the Qatar National Library (QNL), Doha, Qatar, and in part by the Qatar National Research Fund (QNRF), a member of Qatar Foundation, under Award NPRP 11S-0109-180242, Award UREP 23-065-1-014, and Award NPRP X-063-1-014.
Funding Information:
The authors would like to thank the anonymous reviewers for their suggestions, that helped to improve the quality of the manuscript. The publication of this article was funded by the Qatar National Library (QNL), Doha, Qatar and awards NPRP 11S-0109-180242, UREP 23-065-1-014, and NPRP X-063-1-014 from the Qatar National Research Fund (QNRF), member of Qatar Foundation. The information and views set out in this publication are those of the authors and do not necessarily reflect the official opinion of QNL and QNRF.
Publisher Copyright:
© 2013 IEEE.
PY - 2020
Y1 - 2020
N2 - Single-factor password-based authentication is generally the norm to access on-line Web-sites. While single-factor authentication is well known to be a weak form of authentication, a further concern arises when considering the possibility for an attacker to recover the user passwords by leveraging the loopholes in the password recovery mechanisms. Indeed, the adoption by a Web-site of a poor password management system makes useless even the most robust password chosen by the registered users. In this paper, building on the results of our previous work, we study the possible attacks to on-line password recovery systems analyzing the mechanisms implemented by some of the most popular Web-sites. In detail, we provide several contributions: (i) we revise and detail the attacker model; (ii) we provide an updated analysis with respect to a preliminary study we carried out in December 2017; (iii) we perform a brand new analysis of the current top 200 Alexa's Web-sites of five major EU countries; and, (iv) we propose Maildust, a working open-source module that could be adopted by any Web-site to provide registered users with a password recovery mechanism to prevent mail service provider-level attacks. Overall, it is striking to notice how the analyzed Web-sites have made little (if any) effort to become compliant with the GDPR regulation, showing that the objective to have basic user protection mechanisms in place-despite the fines threatened by the GDPR-is still far, mainly because of sub-standard security management practices. Finally, it is worth noting that while this study has been focused on EU registered Web-sites, the proposed solution has, instead, general applicability.
AB - Single-factor password-based authentication is generally the norm to access on-line Web-sites. While single-factor authentication is well known to be a weak form of authentication, a further concern arises when considering the possibility for an attacker to recover the user passwords by leveraging the loopholes in the password recovery mechanisms. Indeed, the adoption by a Web-site of a poor password management system makes useless even the most robust password chosen by the registered users. In this paper, building on the results of our previous work, we study the possible attacks to on-line password recovery systems analyzing the mechanisms implemented by some of the most popular Web-sites. In detail, we provide several contributions: (i) we revise and detail the attacker model; (ii) we provide an updated analysis with respect to a preliminary study we carried out in December 2017; (iii) we perform a brand new analysis of the current top 200 Alexa's Web-sites of five major EU countries; and, (iv) we propose Maildust, a working open-source module that could be adopted by any Web-site to provide registered users with a password recovery mechanism to prevent mail service provider-level attacks. Overall, it is striking to notice how the analyzed Web-sites have made little (if any) effort to become compliant with the GDPR regulation, showing that the objective to have basic user protection mechanisms in place-despite the fines threatened by the GDPR-is still far, mainly because of sub-standard security management practices. Finally, it is worth noting that while this study has been focused on EU registered Web-sites, the proposed solution has, instead, general applicability.
KW - authentication
KW - Password recovery
KW - security and privacy on the Web
UR - http://www.scopus.com/inward/record.url?scp=85082524616&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2020.2981207
DO - 10.1109/ACCESS.2020.2981207
M3 - Article
AN - SCOPUS:85082524616
SN - 2169-3536
VL - 8
SP - 52075
EP - 52090
JO - IEEE Access
JF - IEEE Access
M1 - 9037276
ER -