UNC Researchers Pitch Framework to Fight Password Reuse

The reuse of passwords across multiple online sites continues to pose a security problem even at a time when the choice of password managers is expanding.

Password reuse can open up the user to credential-stuffing attacks that can compromise their multiple accounts, as well as cost service providers money, downtime and brand reputation.

According to a 2017 survey by Keeper Security, more than 80% of people reuse their passwords on more than one site, while a study survey by Digital Guardian put the number at 61%.

And the risk doesn't only sit with the user.

A Ponemon Institute survey of 569 IT security pros found that credential-stuffing attacks cost businesses an average of $6 million a year in downtime, detection, remediation and customer churn.

(Source: FreeGraphicToday via Pixabay)

Sites are fueling the issue by forcing users to create passwords that not only are more complex but are more difficult to remember. (See Personal Security Begets Enterprise Security.)

Rethinking passwords
The issue of password reuse is a subset of a larger argument being made by such vendors as Microsoft that are trying to move the industry away from passwords altogether in favor of multi-factor authentication and biometric technologies like facial and voice recognition and fingerprint scanning. (See Microsoft's 4-Step Plan for Eliminating Passwords.)

"This is quite a big challenge from a security perspective," Rishi Bhargava, co-founder of Demisto, wrote in an email to Security Now. "The issue is that if one of the websites is breached and the passwords are stolen, then the same password can be used on other sites. The challenge is more acute for smaller sites that probably don't use the right technologies or are security aware. From a technology perspective, the website never needs to have the real user password, ever. They can keep an encrypted version of the password and therefore, even if it is stolen, it is useless to the attacker. However, some of the smaller sites are not doing these basic things, and hence, they are at greater risk."

To address the problem, a researchers at the University of North Carolina's Department of Computer Science are proposing a framework that involves websites working together to keep users from using the same password.

Through the plan, participating websites would be able to see if a user is proposing a password that is the same or similar to one used at another site. So, if Facebook is a participant, it would be alerted if a Google user is proposing the same password for that site and the user can be told to come up with another password.

The researchers, Ke Coby Wang and Michael Reiter, admit there are challenges that would need to be overcome, including expected pushback by users and concerns about users' privacy and security, but they say users can adapt and that any risks can be reduced through the framework’s design.

"We are under no illusions that our design, were it deployed, will be met with anything but contempt (at least temporarily) by the many users who currently reuse passwords at multiple websites," they wrote in their report. "In this respect, the usability implications of our proposal are not unlike increasingly stringent password requirements, to which users have nevertheless resigned."

A different approach
Included in the framework is what Wang and Reiter call a "private set-membership test protocol" that enables one site to determine, when someone is setting a password for it, whether the users has used the password at another site, "but wither neither side disclosing to the other the password(s) it employs in the protocol."

The server at the site where the password is being made can ping other sites whether the person has used the same password with them, and response is only "yes" or "no." On top the protocol are techniques that they said mitigate the leakage that comes with such a test. In addition, the identities of the sites involved are hidden from each other.

The framework's protocol includes an encryption method that enables sites to determine the usability of a password without having to decrypt it, further protecting the user's privacy and security.

"These mechanisms are consistent with common user experience today, and so our framework should be unobtrusive to users who do not reuse similar passwords across websites (e.g., due to having adopted a password manager)," Wang and Reiter wrote. "Through a working implementation of our framework and optimization of its parameters based on insights of how passwords tend to be reused, we show that our design can meet the scalability challenges facing such a service."

Questions remain
While the proposal is interesting, it doesn't address other security measures that could be used, such as two- and multi-factor authentication, according to some IT security professionals.

"Someone is proposing that two companies that have personal information on millions and millions of people should share information about their password?" Mike Banic, vice president of marketing at Vectra, wrote in an email to Security Now, adding:

"It isn't the security of the password that is critical or even whether it is re-used. It is the use of two-factor authentication that will provide better protection of someone's identity and personally identifiable information (PII). If you have an Office 365 account, you can use their two-factor authentication on dozens of third-party applications. While people will argue about the importance of strong passwords, I go back to the importance of two-factor authentication because, just like I can't get people to use their turn signals, you can't get them to stop using weak passwords."

The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

Others noted that it would force people to use password managers, which the researchers said is one of the goals.

Demisto's Bhargava called the framework a "fantastic theoretical proposal," but said a better route for enforcing the use of password managers would be to have "the password manager in browsers by default create a new password for each new site."

Joseph Carson, chief security scientist at Thycotic, also said the proposal could run afoul in the European Union, which is on the verge of launching its General Data Protection Regulation (GDPR). A password hash is considered PII, which means EU citizens would need to consent to sharing the password hash with other Internet services. In addition, sharing the hash between services could lead to man-in-the-middle attacks, Carson said in an email to Security Now.

"A stronger proposal would be to make internet services adopt better password and privileged access integration where, when creating or generating a password, the user has the option to use a password manager," he wrote. "Today, it is a choice, but I believe internet services companies could do a better job at making easy and seamless integration with password managers to reduce cyber fatigue."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.