Do Strong Web Passwords Accomplish Anything?

Web applications must consider the possibility of malicious attackers that craft arbitrary messages, and counter this threat through server-side mechanisms. However, to date, Web application development has focused only on methodologies and tools for server-side security enforcement (for instance, see [11, 13]). At most, non-malicious Web clients have been assumed to enforce a rudimentary “same origin” security policy [22]. Web clients are not even informed of simple Web application invariants, such as “no scripts in the email message portion of a page”, since clients are not trusted to enforce security policies. This focus on centralized server-side security mechanisms is shortsighted: server-side enforcement has difficulties constraining even simple client behavior

Do Strong Web Passwords Accomplish Anything?

Dinei Florencio, Cormac Herley
Microsoft Research, One Microsoft Way, Redmond, WA, USA
dinei@

Baris Coskun
ECE Department, Polytechnic University, Brooklyn, NY, USA
baris@

ABSTRACT

We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a “three strikes” type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed, it appears better to increase the strength of the userIDs rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.

1. INTRODUCTION

Passwords have become the dominant means of access control to online services. With this success has come an enormous variety of attacks: each login page represents an opportunity for an attacker who is just a short sequence of characters away from someone else's email, banking, medical or social networking accounts.

Why Choose Strong Passwords?

Users are frequently reminded of the risks: the popular press often reports on the dangers of financial fraud and identity theft, and most financial institutions have security sections on their web-sites which offer advice on detecting fraud and good password practices. As to password practices, traditionally users have been advised to (see [3]): Choose strong passwords; Change their passwords frequently; Never write their
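
The abstract's two quantitative claims (about 20 bits is enough against single-account brute force under a “three strikes” rule, and userID bits count as much as password bits against bulk guessing) can be checked with a small model. This is an added example, not code from the paper; the uniform-randomness model, the 24-hour lockout window, the one-year horizon and all function names are assumptions.

```python
"""Online-guessing arithmetic for the abstract's claims (added example).

Assumptions (not from the paper excerpt): passwords and userIDs are uniformly
random in spaces of 2**bits, and a lockout allows `strikes` guesses per window.
"""
import math


def single_account_success(pw_bits, strikes=3, window_hours=24.0, days=365.0):
    """P(attacker guesses one account's password) under a lockout rule.

    Guesses are never repeated, so P = guesses / 2**pw_bits, capped at 1.
    """
    windows = math.floor(days * 24.0 / window_hours)
    guesses = strikes * windows
    return min(1.0, guesses / 2 ** pw_bits)


def min_pw_bits(max_risk, strikes=3, window_hours=24.0, days=365.0):
    """Smallest whole number of password bits with single-account risk <= max_risk."""
    bits = 1
    while single_account_success(bits, strikes, window_hours, days) > max_risk:
        bits += 1
    return bits


def bulk_expected_hits(id_bits, pw_bits, accounts, total_guesses):
    """Expected accounts compromised by random (userID, password) guesses.

    A guess lands on a live userID with probability accounts / 2**id_bits and
    then matches its password with probability 2**-pw_bits, so only the sum
    id_bits + pw_bits (the credential space) matters.
    """
    if accounts > 2 ** id_bits:
        raise ValueError("more accounts than possible userIDs")
    return total_guesses * accounts / 2 ** (id_bits + pw_bits)


if __name__ == "__main__":
    print(f"20-bit password, 3 strikes/day, 1 year: {single_account_success(20):.4%}")
    print(f"bits needed for <= 0.1% yearly risk: {min_pw_bits(0.001)}")
    # Constructed scenario: the same 40-bit credential space split two ways.
    for id_bits, pw_bits in ((20, 20), (30, 10)):
        hits = bulk_expected_hits(id_bits, pw_bits, accounts=2 ** 18,
                                  total_guesses=10 ** 9)
        print(f"userID={id_bits} bits, password={pw_bits} bits: {hits:.1f} expected hits")
```

Moving ten bits from the password to the userID leaves the bulk-guessing exposure unchanged in this model, while the per-account lockout is what bounds the single-account case.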
