A Spark Is Enough in a Straw World: A Study of Websites Password Management in the Wild

Simone Raponi, Roberto Di Pietro

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

1 Scopus citations

Abstract

The widespread use of password authentication on websites raises an ever-increasing concern, especially considering that an attacker may recover a user's password by leveraging loopholes in the password recovery mechanisms. Indeed, the adoption of a poor password management system by a website renders useless even the most robust password chosen by its users. In this paper, we first provide an analysis of currently adopted password recovery mechanisms. We then model an attacker with a set of different capabilities, and we show how current password recovery mechanisms can be exploited under our attacker model. Next, we provide a thorough analysis of the password management of some of Alexa's top 200 websites in different countries, including England, France, Germany, Spain and Italy. Of these 1,000 websites, 722 do not require authentication and are hence excluded from our study; of the remaining 278, we focused on 174, since 104 demanded information we could not produce. Of these 174, almost 25% have critical vulnerabilities, while 44% have some form of vulnerability. Finally, we point out that, considering the entry into force of the General Data Protection Regulation (GDPR) in May 2018, most of the websites are not compliant with the legislation and may incur heavy fines. This study, besides being important on its own since it highlights some severe current vulnerabilities and proposes corresponding remedies, has the potential to have a relevant impact on the EU industrial ecosystem.

Original language: English (US)
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Editors: Cristina Alcaraz, Sokratis K. Katsikas
Publisher: Springer Verlag
Pages: 37-53
Number of pages: 17
ISBN (Print): 9783030011406
State: Published - 2018
Externally published: Yes
Event: 14th International Workshop on Security and Trust Management, STM 2018 - Barcelona, Spain
Duration: Sep 6 2018 - Sep 7 2018

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 11091 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 14th International Workshop on Security and Trust Management, STM 2018
Country/Territory: Spain
City: Barcelona
Period: 09/6/18 - 09/7/18

Keywords

  • Authentication mechanism
  • Password recovery
  • Security

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science
