Paper 2023/989

Detection of Password Reuse and Credential Stuffing: A Server-side Approach

Sai Sandilya Konduru, Shiv Nadar Institution of Eminence
Sweta Mishra, Shiv Nadar Institution of Eminence
Abstract

In password-based authentication, password memorability is a real challenge for users. Hence, password reuse across different web applications is a common trend among users, which makes websites vulnerable to credential stuffing attacks. A password manager helps users create random passwords for different websites on the user's machine; however, it has practical challenges. Password database breach detection is another related and challenging task. Among recent developments for breach detection, the honeyword-based approach is much appreciated by the research community; however, honeyword generation itself is a challenging part of the solution. In this work, we propose i) a Password Reuse Detection (PRD) protocol for detecting password reuse using a secure two-party private set intersection; ii) a Breach Detection (BD) protocol that detects credential stuffing attacks using a two-party private set inclusion protocol based on random oblivious transfer. Both proposals are designed for the authentication servers of the respective applications and need communication between multiple websites, following the work by Wang et al. Through analysis we show that our PRD protocol is around 2.8 times faster, and more space efficient, than existing works for 5000 honeywords. Our near-real-time BD protocol is around 2 times faster than existing works.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Password reuse, Breach detection, Credential stuffing, Private set intersection, Password hashing, Honeywords
Contact author(s)
ks585 @ snu edu in
sweta mishra @ snu edu in
History
2023-06-26: approved
2023-06-25: received
Short URL
https://ia.cr/2023/989
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/989,
      author = {Sai Sandilya Konduru and Sweta Mishra},
      title = {Detection of Password Reuse and Credential Stuffing: A Server-side Approach},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/989},
      year = {2023},
      url = {https://eprint.iacr.org/2023/989}
}