Billions of passwords have been compromised in the last few years and are available online. Attackers are using these leaked passwords to compromise user accounts on other not-yet-leaked web services. Because many users reuse their passwords across different web services, such attacks are the most imminent threat to users’ account security nowadays. We are building new tools to understand how dangerous leaked credentials can be to account security and how to protect user accounts from such attacks.
I will first talk about a new password guessing technique that can guess 14% of user passwords in fewer than a thousand guesses given one of their other passwords. I will also talk about two different defense mechanisms to proactively detect vulnerable accounts and to encourage users to pick passwords different from the ones already leaked. I will end with some general advice and some open questions on password security.
Discovery Building, Orchard View Room