Abstract
Credential leaks still happen with regular frequency, and show evidence that, despite decades of warnings, password hashing is still not correctly implemented in practice. The common practice today, inherited from previous but obsolete constraints, is to transmit the password in cleartext to the server, where it is hashed and stored. We investigate the advantages and drawbacks of the alternative of hashing client-side, and show that it is present today exclusively on Chinese websites. We also look at ways to implement it on a large scale in the near future.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
MD5 would not work as it would be easy for an adversary with the leaked database to create an attack: instead of finding the original password, they would only need to find an MD5 collision for it.
- 3.
Cryptojacking corresponds to the hidden execution of code inside a browser to mine cryptocurrencies while the user is visiting a website.
- 4.
The only way for it to be visible is if it unduly increases delays by asking too many rounds of hashing on a low-powered device, but this is a matter of parameter optimisation where wide margins could be taken by default to avoid this issue.
- 5.
For example, to be sure the password is not sent in cleartext, one would need to make sure that the password field is accessed exactly once as input to the hash function, otherwise any reversible function could be used before transmitting, dodging accusations of cleartext sending. Similarly, the website could trigger some expensive computation without using it to fool resource monitors.
References
Acar, Y., Backes, M., Fahl, S., Kim, D., Mazurek, M.L., Stransky, C.: How internet resources might be helping you develop faster but less securely. IEEE Secur. Priv. 15(2), 50–60 (2017). https://doi.org/10.1109/MSP.2017.24
Acar, Y., Fahl, S., Mazurek, M.L.: You are not your developer, either: a research agenda for usable security and privacy research beyond end users. In: IEEE Cybersecurity Development – SecDev, pp. 38, November 2016. https://doi.org/10.1109/SecDev.2016.013
Alkaldi, N., Renaud, K.: Why do people adopt, or reject, smartphone password managers? In: Proceedings of EuroUSEC. eprint on Enlighten: Publications (2016)
Amazon Alexa: 500 global sites (2019). http://alexa.com/topsites/
Baskerville, R., Rowe, F., Wolff, F.C.: Functionality vs. security in is: tradeoff or equilibrium. In: International Conference on Information Systems, pp. 1210–1229 (2012)
Baskerville, R., Spagnoletti, P., Kim, J.: Incident-centered information security: managing a strategic balance between prevention and response. Inf. Manage. 51(1), 138–151 (2014)
Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72–84. IEEE (1992)
Biryukov, A., Dinu, D., Khovratovich, D.: Argon2: new generation of memory-hard functions for password hashing and other applications. In: IEEE European Symposium on Security and Privacy - EuroS&P, pp. 292–302. IEEE (2016)
Center, C.I.N.I.: 18th statistical survey report on the internet development in China. Technical report CINIC (2006)
Cimpanu, C.: Extended validation (EV) certificates abused to create insanely believable phishing sites (2017). https://web.archive.org/web/20181012025730/www.bleepingcomputer.com/news/security/extended-validation-ev-certificates-abused-to-create-insanely-believable-phishing-sites/
Dürmuth, M., Kranz, T.: On password guessing with GPUs and FPGAs. In: Mjølsnes, S.F. (ed.) PASSWORDS 2014. LNCS, vol. 9393, pp. 19–38. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24192-0_2
Eskandari, S., Leoutsarakos, A., Mursch, T., Clark, J.: A first look at browser-based cryptojacking. In: 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 58–66. IEEE (2018)
Felt, A.P., Barnes, R., King, A., Palmer, C., Bentzel, C., Tabriz, P.: Measuring HTTPS adoption on the web. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 1323–1338 (2017)
Florêncio, D., Herley, C., van Oorschot, P.C.: An administrator’s guide to internet password research. In: LISA, vol. 14, pp. 35–52 (2014)
Ge, C., Xu, L., Qiu, W., Huang, Z., Guo, J., Liu, G., Gong, Z.: Optimized password recovery for SHA-512 on GPUs. In: IEEE International Conference on Computational Science and Engineering - CSE - and Embedded and Ubiquitous Computing - EUC, vol. 2, pp. 226–229. IEEE (2017)
Goodin, D.: Once seen as bulletproof, 11 million+ ashley madison passwords already cracked (2015). https://web.archive.org/web/20180803014106/arstechnica.com/information-technology/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/
Green, M.: Let’s talk about pake (2018). https://web.archive.org/web/20190426024348/blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/
Hales, T.C.: The NSA back door to NIST. Not. AMS 61(2), 190–192 (2013)
Hannay, P., Baatard, G.: The 2011 IDN homograph attack mitigation survey. In: Proceedings of the International Conference on Security and Management (SAM 2012) (2012)
Hatzivasilis, G., Papaefstathiou, I., Manifavas, C.: Password hashing competition-survey and benchmark. IACR Cryptol. ePrint Arch. 2015, 265 (2015)
Holgers, T., Watson, D.E., Gribble, S.D.: Cutting through the confusion: a measurement study of homograph attacks. In: USENIX Annual Technical Conference, General Track, pp. 261–266 (2006)
Independent Security Evaluators: Password managers: Under the hood of secrets management. Technical report, ISE (2019). https://web.archive.org/web/20190301171335/www.securityevaluators.com/casestudies/password-manager-hacking/
Ives, B., Walsh, K.R., Schneider, H.: The domino effect of password reuse. Commun. ACM 47(4), 75–78 (2004). https://doi.org/10.1145/975817.975820
Jaeger, D., Pelchen, C., Graupner, H., Cheng, F., Meinel, C.: Analysis of publicly leaked credentials and the long story of password (re-)use. In: Proceedings of the International Conference on Passwords (2016)
Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 456–486. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_15
Karyda, M., Mitrou, L.: Data breach notification: issues and challenges for security management. In: Mediterranean Conference on Information Systems (2016)
Khandelwal, S.: Facebook caught asking some users passwords for their email accounts (2019). https://web.archive.org/web/20190404071339/amp.thehackernews.com/thn/2019/04/facebook-email-password.html
Kisa, K., Tatli, E.: Analysis of http security headers in turkey. Int. J. Inf. Secur. Sci. 5(4), 96–105 (2016)
Komanduri, S., et al.: Of passwords and people: Measuring the effect of password-composition policies. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2011, pp. 2595–2604. ACM, New York (2011). https://doi.org/10.1145/1978942.1979321
Kranch, M., Bonneau, J.: Upgrading https in mid-air. In: Proceedings of the 2015 Network and Distributed System Security Symposium, NDSS (2015)
Krebs, B.: Twitter to all users: Change your password now! (2018). https://web.archive.org/web/20190402093127/krebsonsecurity.com/2018/05/twitter-to-all-users-change-your-password-now/
Krebs, B.: Facebook stored hundreds of millions of user passwords in plain text for years (2019). https://web.archive.org/web/20190322091235/krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
Kumar, H., Kumar, S., Joseph, R., Kumar, D., Singh, S.K.S., Kumar, P.: Rainbow table to crack password using md5 hashing algorithm. In: IEEE Conference on Information and Communication Technologies - ICT, pp. 433–439. IEEE (2013)
MartinKauppi, L.B., He, Q.: Performance Evaluation and Comparison of Standard Cryptographic Algorithms and Chinese Cryptographic Algorithms. Master’s thesis (2019)
Mazurek, M.L., et al.: Measuring password guessability for an entire university. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer Communications Security, CCS 2013, pp. 173–186. ACM, New York (2013). https://doi.org/10.1145/2508859.2516726
McElroy, T., Hannay, P., Baatard, G.: The 2017 IDN homograph attack mitigation survey. In: Proceedings of the 15th Australian Information Security Management Conference (2017)
Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979). https://doi.org/10.1145/359168.359172
M’Raihi, D., Machani, S., Pei, M., Rydell, J.: RFC6238: TOTP: Time-based one-time password algorithm (2011). https://tools.ietf.org/html/rfc6238
Peng, P., Xu, C., Quinn, L., Hu, H., Viswanath, B., Wang, G.: What happens after you leak your password: Understanding credential sharing on phishing sites. In: AsiaCCS 2019, pp. 181–192, July 2019. https://doi.org/10.1145/3321705.3329818
Schechter, E.: Moving towards a more secure web (2016). https://web.archive.org/web/20190405120627/security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Shape: 2018 credential spill report. Technical report, Shape Security (2018)
Siegrist, J.: Lastpass hacked - identified early and resolved (2015). https://web.archive.org/web/20190412054716/blog.lastpass.com/2015/06/lastpass-security-notice.html/
Sprengers, M.: GPU-based password cracking. Master’s thesis, Radboud University Nijmegen (2011)
State Council of the People’s Republic of China: Regulations on administration of business premises for internet access services, article 23 (2002)
Swaine, M.D.: Chinese views on cybersecurity in foreign relations. China Leadersh. Monit. 42, 1–27 (2013)
Tryfonas, T., Carter, M., Crick, T., Andriotis, P.: Mass surveillance in cyberspace and the lost art of keeping a secret. In: Tryfonas, T. (ed.) HAS 2016. LNCS, vol. 9750, pp. 174–185. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39381-0_16
Vyas, T., Dolanjski, P.: Communicating the dangers of non-secure http (2017). https://web.archive.org/web/20190524003142/, https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
Whittaker, Z.: Github says bug exposed some plaintext passwords (2018). https://web.archive.org/web/20190331110732/www.zdnet.com/article/github-says-bug-exposed-account-passwords/
Wiemer, F., Zimmermann, R.: High-speed implementation of bcrypt password search using special-purpose hardware. In: International Conference on ReConFigurable Computing and FPGAs - ReConFig, pp. 1–6. IEEE (2014)
Wu, T.: The SRP authentication and key exchange system. Technical report, RFC Editor (2000)
Acknowledgements
We’re grateful to participants of the Privacy and Security Workshop, IU Gateway Berlin, for their comments. This work was supported partly by the french PIA project “Lorraine Université d’Excellence”, reference ANR-15-IDEX-04-LUE.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Blanchard, E., Coquand, X., Selker, T. (2021). Moving to Client-Side Hashing for Online Authentication. In: Groß, T., Tryfonas, T. (eds) Socio-Technical Aspects in Security and Trust. STAST 2019. Lecture Notes in Computer Science(), vol 11739. Springer, Cham. https://doi.org/10.1007/978-3-030-55958-8_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-55958-8_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-55957-1
Online ISBN: 978-3-030-55958-8
eBook Packages: Computer ScienceComputer Science (R0)