Authors
Bijeeta Pal, Mazharul Islam, Marina Sanusi Bohuk, Nick Sullivan, Luke Valenta, Tara Whalen, Christopher Wood, Thomas Ristenpart, Rahul Chatterjee
Publication date
2022
Conference
31st USENIX Security Symposium (USENIX Security 22)
Pages
1831-1848
Description
Credential stuffing attacks use stolen passwords to log into victim accounts. To defend against these attacks, recently deployed compromised credential checking (C3) services provide APIs that help users and companies check whether a username, password pair is exposed. These services, however, only check whether the exact password is leaked, and therefore do not mitigate credential tweaking attacks—attempts to compromise a user account with variants of a user's leaked passwords. Recent work has shown that credential tweaking attacks can compromise accounts quite effectively even when credential stuffing countermeasures are in place.