Conference: International symposium on cyberspace safety and security

Who Is Reusing Stolen Passwords? An Empirical Study on Stolen Passwords and Countermeasures


Abstract

The login and password combination is still the most used identification and authentication method on the internet. Although a number of studies and articles have pointed out the extreme weakness of such authentication methods, almost every website asks for a password string to create an account. Strong password policies were created to reduce the risk of guessing or cracking a password string using traditional password crackers, but what is the benefit of such strong password construction if the whole credentials database is stolen and leaked? Every day hundreds of websites are breached and the contents of their credential databases are exposed to the entire world. Millions of online accounts are then accessed illegally by various people, with different levels of damage. Who are these people? What is their purpose? How can they be prevented from replaying stolen passwords? In this paper, we conduct an empirical study of the people who reuse stolen passwords found on the internet or on the dark web. We deployed a fake banking website in honeypot mode, then shared 3300 fake logins and passwords on the websites traditionally used for this purpose, and finally recorded the resulting activity and compiled statistics. We also propose a solution to reduce attempts to replay stolen passwords, and we measure the impact of this solution.
