The Cost of Having Been Pwned: A Security Service Provider's Perspective

Gergely Biczók; Máté Horváth; Szilveszter Szebeni; István Lám; Levente Buttyán

The Cost of Having Been Pwned: A Security Service Provider's Perspective

Gergely Biczók, Máté Horváth, Szilveszter Szebeni, István Lám, Levente Buttyán

Published: 01 Jan 2020, Last Modified: 01 Oct 2024ETAA@ESORICS 2020EveryoneRevisionsBibTeXCC BY-SA 4.0

Abstract: Account information from major online providers are getting exposed regularly; this gives rise to PWND services, providing a smart means to check whether a password or username/password tuple has already been leaked, rendering them “pwned” and therefore risky to use. However, state-of-the-art PWND mechanisms leak some information themselves. In this paper, we investigate how this minimal leaked information can speed up password cracking attacks of a powerful adversary, when the PWND mechanism is implemented on-premise by a service provider as an additional security measure during registration or password change. We analyze the costs and practicality of these attacks, and investigate simple mitigation techniques. We show that implementing a PWND mechanism can be beneficial, especially for security-focused service providers, but proper care needs to be taken. We also discuss behavioral factors to consider when deploying PWND services.

Loading