Compromised Credentials Research

How to recognize compromised credentials and how to defend against credential stuffing attacks? These selected security research papers give answers …

Protocols for Checking Compromised Credentials

“To prevent credential stuffing attacks, industry best practice now proactively checks if user credentials are present in known data breaches.”

For this paper, Cornell Tech and Cloudflare researchers analyzed existing compromised credential checking (C3) services and formulated a formal description including operational requirements, and relevant threat models. The cherry on the cake are “two protocols that provide stronger protection for users’ passwords” that according to the authors are still practical to deploy.

Read the Paper (PDF)

Protecting accounts from credential stuffing with password breach alerting

This paper by Google and Stanford researchers describes how Googles password breach alerting functions under the hood, what constrains and hard requirements it adheres to and which cryptographic protocols are being leveraged.

“Our protocol relies on a combination of computationally expensive hashing, k-anonymity, and private set intersection. Our approach improves on existing protocols by taking into account both an adversarial client and server, while also minimizing the chance of false positives.”

Read the Paper (PDF)

Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials

Using billions of breached credentials, researchers from Google, Berkeley and the International Computer Science Institute “explore to what degree the stolen passwords […] enable an attacker to obtain a victim’s valid email credentials — and thus complete control of their online identity due to transitive trust”. They also provide helpful risk signals to mitigate the risk of hijacking.

Although the study is from 2017, the findings about password reuse and presented mitigation approaches, like blocking login attempts that fail to match a user’s historical login behavior or device profile, are still relevant today!

Read the Paper (PDF)