Jeremiah Blocki and Wuwei Zhang, Purdue University
Large-scale online password guessing attacks are widespread and are continuously ranked among the top cyber-security risks. The common method for mitigating the risk of online cracking is to lock out the user after a fixed number (k) of consecutive incorrect login attempts within a fixed period of time (e.g., 24 hours). Selecting the value of k induces a classic security-usability tradeoff. When k is too large, a hacker can (quickly) break into a significant fraction of user accounts, but when k is too low we will start to annoy honest users by locking them out after a few mistakes. Motivated by the observation that honest user mistakes typically look quite different from the password guesses of an online attacker, we introduce the notion of a password distribution aware lockout mechanism to reduce user annoyance while minimizing user risk. As the name suggests, our system is designed to be aware of the frequency and popularity of the password used for login attacks, while standard throttling mechanisms (e.g., k-strikes) are oblivious to the password distribution. In particular, we maintain a "hit count" for each user which is based on (estimates of) the cumulative probability of all login attempts for that particular account. A user will only be locked out when this hit count is too high. To minimize user risk we use a differentially private CountSketch to estimate the frequency of each password and to update the "hit count" after an incorrect login attempt. To empirically evaluate our new lockout policy we generate a synthetic dataset to model honest user logins in the presence of an online attacker. The results of our analysis on this synthetic dataset strongly support our hypothesis that distribution aware lockout mechanisms can simultaneously reduce both user annoyance and risk.
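The following is an added illustration of the hit-count idea, not the paper's own code: a count sketch estimates each guessed password's frequency, every incorrect guess adds its estimated probability to the account's hit count, and the account is locked once that count reaches a threshold psi. The Laplace-noise privatization, the password frequencies, the total of 10000 accounts, psi = 0.02 and the no-reset-on-success behaviour are all assumptions made for this example; the paper's exact mechanism and parameters are not given here.

```python
import hashlib
import random

class CountSketch:
    """Count sketch: d rows of w signed counters; each row's index and sign for a
    password are derived from SHA-256 of (row, password), so it is deterministic."""
    def __init__(self, width=1024, depth=5):
        self.w, self.d = width, depth
        self.table = [[0.0] * width for _ in range(depth)]
    def _cells(self, pw):
        for r in range(self.d):
            h = hashlib.sha256(f"{r}:{pw}".encode()).digest()
            yield r, int.from_bytes(h[:4], "big") % self.w, (1 if h[4] & 1 else -1)
    def add(self, pw, n=1):
        for r, i, s in self._cells(pw):
            self.table[r][i] += s * n
    def privatize(self, eps, seed=0):
        """Assumed DP mechanism: one insertion moves d counters by +-1 (L1
        sensitivity d), so Laplace(d/eps) noise on every counter gives eps-DP."""
        rng, b = random.Random(seed), self.d / eps
        self.table = [[c + rng.expovariate(1 / b) - rng.expovariate(1 / b) for c in row]
                      for row in self.table]
    def estimate(self, pw):
        vals = sorted(s * self.table[r][i] for r, i, s in self._cells(pw))
        return max(vals[self.d // 2], 0.0)  # median of the d row estimates, clipped at 0

class DALock:
    """Per-account hit count = sum of estimated probabilities of its incorrect
    guesses; lock out once it reaches psi (no reset on success: an assumption)."""
    def __init__(self, sketch, total, psi):
        self.sketch, self.total, self.psi, self.hits = sketch, total, psi, {}
    def attempt(self, user, guess, correct):
        if self.hits.get(user, 0.0) >= self.psi:
            return "locked"
        if guess == correct:
            return "ok"
        self.hits[user] = self.hits.get(user, 0.0) + self.sketch.estimate(guess) / self.total
        return "locked" if self.hits[user] >= self.psi else "wrong"

def demo(psi=0.02):
    """Constructed frequencies out of 10000 accounts; returns (honest, attacker) outcomes.
    A 3-strikes policy would lock the honest user on the third typo; DALock does not."""
    sk = CountSketch()
    for pw, n in {"123456": 150, "password": 100, "qwerty": 60, "correct horse": 1}.items():
        sk.add(pw, n)
    lock = DALock(sk, total=10000, psi=psi)
    honest = [lock.attempt("alice", g, "correct horse")
              for g in ["corect horse", "Correct horse", "correct hors", "correct horse"]]
    attacker = [lock.attempt("mallory", g, "correct horse") for g in ["123456", "password", "qwerty"]]
    return honest, attacker
```

Typos of an unpopular password have near-zero estimated probability and so barely move the hit count, whereas guesses of the most popular passwords exhaust psi within a couple of attempts.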
@inproceedings{blocki-19-dalock,
  author    = {Blocki, Jeremiah and Zhang, Wuwei},
  title     = {{DALock: Password Distribution Aware Throttling}},
  booktitle = {Who Are You?! Adventures in Authentication Workshop},
  year      = {2019},
  series    = {WAY~'19},
  pages     = {1--6},
  address   = {Santa Clara, California, USA},
  month     = aug
}