EECS Seminar: Tackling Credential Abuse Together

McDonnell Douglas Engineering Auditorium (MDEA)
Michael Reiter, Ph.D.

Professor
James B. Duke Distinguished Professor of Computer Science and Electrical & Computer Engineering
Duke University

Abstract: Despite long-ago predictions (e.g., see Bill Gates, 2004) that other user-authentication technologies would replace passwords, passwords not only remain pervasive but have flourished as the dominant form of account protection, especially at websites such as retailers that require a low-friction user experience. This talk will describe our research on methods to tackle three key ingredients of account takeovers for password-protected accounts today: (i) site database breaches, which are the largest source of stolen passwords for internet sites; (ii) the tendency of users to reuse the same or similar passwords across sites; and (iii) credential stuffing, in which attackers submit breached credentials for one site in login attempts for the same accounts at another. A central theme of our research is that these factors are most effectively addressed by coordinating across websites, in contrast to today's practice of each site defending alone. We describe algorithms to drive this coordination, demonstrate the efficacy and security of our proposals through conservative analyses, and demonstrate the scalability of our designs through working implementations.

This research was performed jointly with Ke Coby Wang.

Bio: Reiter is a James B. Duke Distinguished Professor in the Departments of Computer Science and Electrical & Computer Engineering at Duke University, which he joined in January 2021 following previous positions in industry (culminating as director of secure systems research at Bell Labs, Lucent) and academia (professor of computer science and electrical & computer engineering at Carnegie Mellon, and Distinguished Professor of computer science at UNC-Chapel Hill). His technical contributions lie primarily in computer security and distributed computing and include several that have seen widespread adoption. He was named an ACM fellow in 2008, an IEEE fellow in 2014 and winner of the ACM SIGSAC Outstanding Contributions Award in 2016.