Distribution-Aware Password Throttling Mechanisms
Primary Investigator:
Jeremiah Blocki
Alina Nesen, Jeremiah Blocki
Abstract
Large-scale online password guessing attacks are wide-spread and continuously qualified as one of the top cyber-security risks. The common method for mitigating the risk of online cracking is to lock out the user after a fixed number ) of consecutive incorrect login attempts within a fixed period of time (e.g., 24 hours). Selecting the value of k induces a classic security-usability tradeoff. When k is too large a hacker can(quickly) break into a significant fraction of user accounts, but when k is too low we will start to annoy honest users by locking them out after a few mistakes. Motivated by the observation that honest user mistakes typically look quite different than the password guesses of an online attacker, we introduce the notion of a password distribution aware lockout mechanism to reduce user annoyance while minimizing user risk. As the name suggests, our system is designed to be aware of the frequency and popularity of the password used for login attacks while
standard throttling mechanisms (e.g., k-strikes) are oblivious to the password distribution. In particular, we maintain a “hit count” for each user which is based on (estimates of) the cumulative probability of all login attempts for that particular account. A user will only be locked out when this hit count is too high. To minimize user risk we use a differentially private CountSketch to estimate the frequency of each password and to update the “hit count” after an incorrect login attempt.
To empirically evaluate our new lockout policy we generate a synthetic dataset to model honest user logins in the presence of an online attacker. The results of our analysis on this synthetic dataset strongly support our hypothesis that distribution aware lockout mechanisms can reduce user annoyance and risk.