
Okay, so good morning everyone and thanks for being here for the talk. A basic introduction: my name is Fatima. I recently graduated from the University of Delaware with a master's in computer engineering, and then I started working in their technical security group at the university. I mainly deal with IDS/IPS systems and SIEM at the University of Delaware. It's three years now for me at BSides; I have been attending BSides for the past two years, and this year I thought I'm going to present a talk on what I did in my master's. So this talk is basically on the best practices in online user authentication, and we will go through them pretty quickly.
This is very interesting. I put this slide in a couple of hours ago, after my thing was completed, and it's quite fascinating because this article was posted a couple of days ago, the day before yesterday. For the people who don't know this person, he is Michael Chertoff, a former head of Homeland Security, and this is what he had to say the day before yesterday: that the password is by far the weakest link in cyber security. We will be discussing a lot about the password selection mechanism and online user authentication, so I found it quite fascinating that still, to this date, this is the actual view of what people think: that the password is the weakest link so far. That was pretty interesting, so that's why I put it in my talk.
The roadmap for today's talk: we will quickly go through what user authentication is; the motivation of my research, why we looked into the details of user authentication; the common attacks related to the user authentication process; some of the practices which we surveyed and came up with for good user authentication; some of my findings from a survey of different online service providers, including some cloud service providers and social media; and then I will close the talk with some conclusions and the future of user authentication.
Moving along, what is user authentication? We all know the actual definition in the back of our heads, but from a layman's perspective, I think user authentication is this: if I'm hosting an online service and I have different users and I don't know you by face, then to authenticate you, to prove that you are who you say you are, I will have a mapping from whatever credentials you provide me to your corresponding account. So it's basically a mapping of account owners to their corresponding accounts. And if an attacker can spoof it or misuse it, then it's pretty easy to fool the online service provider that the attacker is the owner of the account. We will be discussing a lot about the attacks in the upcoming slides.
So why are we concerned with user authentication? Basically, it's the basic requirement to establish the identity of a person, that the person is who they say they are, corresponding to their account. When I started this research and we started looking into the cybersecurity domain, we were interested in looking at how different new cloud service providers were encrypting their cloud storage. So we started looking into the encryption methods, and then we figured out that no matter how good the encryption is or how good their data storage is, recent events forced us to look into other aspects: the hacks which I have listed here weren't related to any kind of encryption breach or people finding the private keys and all that stuff. They were more related to the user authentication process. So we found it very interesting, when we looked into the user authentication process of these online service providers, how poor they are. We were surprised by the methods they were using, and that's how our research diverted to the path of exploring more about user authentication and the different services using different kinds of user authentication methods. So all these hacks are, somewhere or other, related to poor user authentication.
What are the weakest links of an account? If we talk about how a user can get into the account, we find there are three basic possibilities or aspects in which a hacker can spoof the identity and get into the account. The password selection mechanism provided to users by the online service provider is one of the weakest links. The second area of reaching the account, if an attacker wants to get your password, is brute force login, and the third way is password recovery. These are the three basic and easiest doors you can provide an attacker to get into your account. So no matter how good the online service providers are with your data, these are the three basic steps in which they need to provide foolproof security.
Okay, so we will talk about common attacks specifically related to user authentication, and I will quickly go through what a brute force attack is. Basically a brute force attack is when an attacker is exhaustively trying to guess the password of a user account. If I have a list of user names and I want to quickly guess their accounts' passwords or get into the accounts, I can quickly make an exhaustive list of all the combinations of possible passwords for their accounts, or I can create an intelligent list of passwords in which I select the top 1,000 or top 2,000 from the compiled lists of passwords available on the internet, or I can basically exhaustively brute force the account. So this is a very common attack related to user authentication, which is very famous, and you might have experienced it somewhere in your life with the user accounts you have. The impact, if we talk about brute force, is people losing their accounts, people losing their security, and on the service provider's side, they will lose the trust of their customers and lose market value if the accounts get breached.
The second attack I need to mention here is the denial of service attack. There are different kinds of denial of service attacks, and this is the traditional definition of DoS, but what we will be focusing more on is the denial of service attack related to the user authentication process. We will be talking about locking out a legit user from accessing the account, so I will be focusing more on DoS on a particular user. If I know that your account is DoS-able, if I know that after five or six failed login attempts the service provider is going to lock you out of your account, I can intentionally brute force your account and intentionally lock you out of it. That is what I will call a denial of service on the user: the legit users will not be able to access their accounts any longer after the DoS attack.
So we will go through the basic security practices pretty quickly. As I mentioned before, there are three basic categories in which the online service providers need to focus more on protecting the user's identity: the password selection process, bad login attempt prevention, and the password recovery process. These are the three basic categories we will be talking about, and we will be discussing the best practices in these three categories; then I will be discussing the findings on different service providers, what they are using to protect these three categories of online user accounts.
Moving along, these are the basic minimum password requirements, which we all know: the minimum length restriction, special character inclusion, number inclusion, and upper case and lower case inclusion. These are the minimum password requirements. What that means is, if I enforce these minimum requirements, it will be really hard for an attacker to come up with an exhaustive list of passwords. If I have 10 characters in a password, with special character and number inclusion, it becomes a more complicated and time-consuming process for an attacker to come up with all the possible combinations of characters and make an exhaustive list of passwords to guess for an account. So this is really important.
The second one mentioned here is disallowing common strings. People don't understand that even if I have the first selection practice in place, I can come up with a stupid password. If I don't want to get into the hassle of creating a complex password, and my service provider is asking me for a minimum length and a special character, I can come up with a stupid password like password1234, with the P capital and the Ss replaced by special characters. But still my password is very weak, and you can find that password in the top 1,000 and 2,000 lists of passwords. So that best practice alone won't protect your account from brute forcing, but if you have the check to disallow common strings, which we found in a couple of online service providers: when you are creating an account, they check your password against the top 1,000 and top 2,000 common passwords and common strings and will not allow you to use that password for account creation. Those two practices together will be useful for getting users to select a complex password.
Account activation check: well, this is more on the service side, service-side protection. The account activation check is basically that when you are trying to make an account, services should not allow the account to be created without checking whether you are a legit person creating an account. For example, if I have a botnet of 1,000 or 2,000 computers just trying to make any number of accounts with the service, then I can easily exhaust all the resources the service has, and the service will have a lot of dummy accounts. So it's kind of like prevention of DoS on the service side; it is more related to service-side protection. Okay.
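The minimum requirements, the common-string check and the brute-force arithmetic the talk walks through later fit together in a few lines. This is an added example, not code from the talk or from any of the providers surveyed; the policy values (length 10, a 20-symbol special-character set), the tiny inline denylist standing in for the published top-1,000 lists, the substitution table, and the 1 ms per guess rate are this example's assumptions.

```python
# Added example (not from the talk). Assumptions: the policy values, the
# tiny inline denylist, and the substitution table below.
DIGITS = "0123456789"
SPECIALS = "!@#$%^&*()-_=+[]{};:"                       # 20 symbols (assumed set)
ALPHABET_SIZE = 26 + 26 + len(DIGITS) + len(SPECIALS)   # 82 distinct characters
MIN_LENGTH = 10

# Constructed stand-in for the "top 1,000 / 2,000" lists the talk refers to.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "iloveyou", "welcome", "admin", "butterfly", "monkey",
}

# Cheap substitutions people make to satisfy the character-class rules.
LEET = str.maketrans("@$10!3", "asloie")


def normalize(password):
    """Reduce 'P@$$word1234' to the dictionary word behind it."""
    core = password.lower().strip(DIGITS + SPECIALS)   # drop bolted-on digits/symbols
    return core.translate(LEET)                         # undo @->a, $->s, 0->o, ...


def check_policy(password):
    """Return the list of rules the password violates (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c in DIGITS for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # The common-string check runs on the normalised form; otherwise
    # 'P@$$word1234' satisfies every rule above and is still on every list.
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("based on a common password")
    return problems


def keyspace(length=MIN_LENGTH, alphabet=ALPHABET_SIZE):
    """Number of candidates an exhaustive list would hold for that length."""
    return alphabet ** length


def years_to_exhaust(candidates, seconds_per_guess=1e-3, machines=1):
    """Wall-clock years to try every candidate at the given rate."""
    return candidates * seconds_per_guess / machines / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("butterfly", "P@$$word1234", "Tr0ub4dor&3"):
        print(pw, "->", check_policy(pw) or "accepted")
    n = keyspace()
    print("candidates: %.2e" % n)
    print("one machine at 1 ms/guess: %.0f million years" % (years_to_exhaust(n) / 1e6))
    print("1,000 machines: %.0f thousand years" % (years_to_exhaust(n, machines=1000) / 1e3))
```

With the assumed 82-character alphabet and length 10 the exhaustive space is about 1.4 × 10^19 candidates, the figure on the slide; `years_to_exhaust` gives the single-machine and 1,000-machine numbers for the 1 ms rate, and the intelligent-list point is exactly why `normalize` runs before the denylist lookup.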
2FA for login. Now this is very important. People know the concept of 2FA, two-factor authentication. Basically two-factor authentication is something you have or something you know, together with the password. So I think the password is something which you know, and the second factor is something you have. People usually use 2FA on the protection side, but we will be talking more about using 2FA in all three categories. So if you have 2FA for login, it will be really useful, and it will provide you a second layer of authentication even if the bad guy has your password. He has to know what you have, which can be a token or a code sent to the email.
Again, CAPTCHA while creating an account: this is more on the service side, to protect the service from DoS and a lot of dummy account creation by robots and bots.
I would like to mention that there have been a lot of discussions out there saying that CAPTCHA is not a recommended good practice anymore and we should do away with CAPTCHA and try new methods for slowing down the user from either making a lot of accounts or trying to brute force. But as I will discuss in my findings, you will see that the industry trend is still to use CAPTCHA over other slowing-down mechanisms. So we'll talk more about CAPTCHA in later slides.
The password strength bar: it is one of the recommended practices, because when you have the visualization effect while a user is creating a password, it will make them stop at a point and think, oh, what does that red light or green light mean, whether my password is strong enough or weak. So it is kind of like a best practice, a recommended practice, that you should have a password strength bar, so that when the user is creating the account you can show the user how weak or how strong their password is. And you should not allow users to select a weak password and go along their way.
There are a couple of online services, for example, if you create an account on the Mega cloud service, they have the password strength bar shown, like a big strength bar in front of the password selection box, and whenever you type in a password it will automatically show whether your password is strong or whether it is complying with all the requirements they have. Some of the services don't have a password strength bar, but they have a message popping up whenever you select a password saying, oh, your password is weak, or try to select a strong password, something like that. But we recommend having a strength bar, because it gives more of a visual effect: okay, green means good, red means bad, something like that.
It's an interesting question: why should we follow all the best practices in the password selection category? The answer is very simple: it highly mitigates the risk of successful brute force attacks and account compromises, because it will be harder for an attacker to guess your password if you have a complex password. Oh, and I forgot. Here is some small math which I have done: if you follow all the password selection practices I have mentioned, then these are the number of combinations. If I'm trying to generate an exhaustive list of all the possible combinations of passwords, then it's around 1.4 × 10^19 possible combinations. And again, I remind you that if I am an intelligent hacker and I don't want to go through all the possible combinations, I can come up with a list of intelligent passwords, because I know that people don't start their passwords with special characters, or people select passwords with 12345 and something like that. So I can reduce my list to some extent by having an intelligent password list and start with that, rather than starting with the complete exhaustive list. So it is kind of like a rough number, if you want to know how many guesses are required for a successful password guess. And if you do a little bit more math: if you have a supercomputer and it takes only one millisecond to check one password against one account, and you have only one computer, then 435 million years will be taken to exhaustively guess a password. Again, that is just if you have the exhaustive list of combinations. And if you have a botnet of 1,000 computers, just divide that number by 1,000, and it will be approximately 435 years to guess a password successfully, in the worst-case scenario. And in the future, as progress continues and we have computers that can do password guesses exhaustively on different accounts, then that number can be reduced.
Okay, so we are going to pick on Apple in a couple of the slides going along. This snippet was taken from the Wall Street Journal for the hack which happened, I think you guys might be aware of it, the iCloud photo breach of famous celebrities which happened in September 2014, and this is what Tim Cook, the CEO of Apple, had to say about the breach: that they were definitely using poor password policies and poor password mechanisms, so that celebrities could select passwords like butterfly or their favorite pet's name, and it is not hard for an attacker to guess a password like butterfly for an iCloud account. So bad passwords were one of the aspects of Apple, and that's why I'm saying that we are going to pick on Apple in a couple of different categories as well. But this happened recently, so it was pretty shocking that Apple wasn't using a good password selection mechanism for protecting their iCloud accounts.
Okay, so before moving on to the other best practices in online authentication: all the best practices I have mentioned so far are not new to you, right? I mean, we all know in the back of our minds that these are the best practices we should follow, and blah, blah, blah, it will protect the account and protect against brute force. As security professionals, we all know that in our heads. But the question is, we are not the ones who own the cloud services, right? The question is whether they know. The cloud service providers might know, but they are not implementing those. And this is really shocking, because the data results are pretty recent, and even though we know that they should be followed, they are definitely not following these best practices in their implementations right now. So that is the basic emphasis of the talk: we know, but how far are they with the implementation of these best practices?
So, bad login protection. When we were surveying the different online cloud service providers and other online service providers, we came across mainly two categories which were used for slowing down an attacker from trying harder to crack your password. One was the use of CAPTCHA and one was timeout. First of all, of course, if you are an online service provider, you need to restrict the maximum number of tries a user can attempt to log into the account. I mean, you should not provide unlimited attempts to users to log into the account. So this is the best practice, explaining that. Going down with CAPTCHA, again, I would like to mention that there are a lot of documents which say that CAPTCHA is not good practice and we should move away from CAPTCHA; specifically, the reason behind those is the automation of CAPTCHA. People know there are tools out there which are used to automatically crack CAPTCHAs, but I'm again focusing on complex CAPTCHAs. People who are trying to build very complex CAPTCHAs, like with a flexible image and the letters waving on the image and something like that: those CAPTCHAs are still hard to crack by automated tools, and it is still considered, and we highly recommend, to use CAPTCHA as the first or initial step to slow down an attacker who's trying to brute force an account.
The second method I was discussing was going down with timeout. This is the process of basically timing out or locking out an account after the maximum number of tries has been exceeded on an account. We have to be really, really cautious with timeout because it can potentially be a reason for DoSing an account. Like if I know that Facebook is timing out an account after 10 bad login attempts for 15 minutes, and I don't like my friend and I don't like him surfing Facebook all the time, I can intentionally write a program to DoS his account after every 10 attempts; I can intentionally DoS him from logging into his Facebook account just by DoSing his account. So special care should be taken while implementing timeout, so that you block the attacker from getting into the account but, at the same time, you allow the legit user who is trying to log into the account to log in. Facebook was using a pretty sophisticated or complex algorithm for timing out the attacker: they were using kind of like a combination of IP with the total number of attempts. So if an attacker, for example, somewhere in another geographic location, is trying to brute force an account, they are going to time out that account for them. But if a legit user at the same time is trying to log into the account, that user is allowed to log in. So special precautions should be taken while dealing with timing out of an account.
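One way to get the timeout behaviour the talk asks for (the guesser is slowed, the owner is not locked out) is to key the counter on the (account, source IP) pair rather than on the account alone, which is the shape of the IP-plus-attempt-count approach the talk attributes to Facebook. The following is an added example, not code from the talk or from Facebook; the thresholds, the exponential backoff, the one-hour window and the fallback to a CAPTCHA instead of a hard lock when failures arrive from many sources are this example's own choices, and the IP addresses are constructed from documentation ranges.

```python
import time
from collections import defaultdict

# Assumed thresholds for this example; tune them per service.
PER_SOURCE_LIMIT = 5          # failures one (account, source IP) pair gets for free
BASE_DELAY = 30.0             # seconds; doubles with each further failure...
MAX_DELAY = 15 * 60.0         # ...but is capped, so nothing is locked for good
ACCOUNT_WINDOW = 3600.0       # seconds over which account-wide failures are counted
CAPTCHA_AFTER = 20            # account-wide failures that switch on a challenge


class LoginThrottle:
    """Slow guessing down per (account, source) instead of locking the account.

    A single source that keeps failing is delayed with exponential backoff.
    When failures for one account pile up from many sources (a distributed
    guess), every login for that account gets a CAPTCHA rather than a lock,
    so the real owner is challenged but never denied service.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.source_fails = defaultdict(int)     # (account, ip) -> consecutive failures
        self.blocked_until = {}                  # (account, ip) -> time the delay ends
        self.account_fails = defaultdict(list)   # account -> failure timestamps

    def _recent_account_failures(self, account):
        cutoff = self.clock() - ACCOUNT_WINDOW
        kept = [t for t in self.account_fails[account] if t >= cutoff]
        self.account_fails[account] = kept
        return len(kept)

    def check(self, account, ip):
        """'allow', 'delay' (this source must wait) or 'captcha' (challenge first)."""
        if self.blocked_until.get((account, ip), 0.0) > self.clock():
            return "delay"
        if self._recent_account_failures(account) >= CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record(self, account, ip, success):
        key = (account, ip)
        if success:                               # a good login clears this source only
            self.source_fails.pop(key, None)
            self.blocked_until.pop(key, None)
            return
        self.source_fails[key] += 1
        self.account_fails[account].append(self.clock())
        n = self.source_fails[key]
        if n >= PER_SOURCE_LIMIT:
            delay = min(BASE_DELAY * 2 ** (n - PER_SOURCE_LIMIT), MAX_DELAY)
            self.blocked_until[key] = self.clock() + delay


def simulate():
    """Walk-through with a controllable clock and constructed addresses."""
    now = [1000.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    victim, attacker = "203.0.113.5", "198.51.100.7"     # documentation ranges, constructed
    for _ in range(PER_SOURCE_LIMIT):                    # one source hammers alice
        throttle.record("alice", attacker, success=False)
    after_burst = (throttle.check("alice", attacker), throttle.check("alice", victim))
    for i in range(CAPTCHA_AFTER - PER_SOURCE_LIMIT):    # then a botnet joins in
        throttle.record("alice", "198.51.100.%d" % (10 + i), success=False)
    during_spray = throttle.check("alice", victim)
    now[0] += ACCOUNT_WINDOW + 1                         # an hour later
    afterwards = throttle.check("alice", victim)
    return after_burst, during_spray, afterwards


if __name__ == "__main__":
    print(simulate())   # (('delay', 'allow'), 'captcha', 'allow')
```

The "I don't like my friend" attack from the talk fails here: the friend's own address never accumulates failures, so the worst the attacker can inflict on him is a CAPTCHA, and even that clears once the window passes.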
This is very interesting. We all know that we get a bad login error message whenever we attempt a login and the attempt fails. The interesting part is that the online service provider should not disclose what went wrong, like whether your username wasn't correct or whether your password wasn't correct, because it is very important, and you'll be surprised: when I surveyed the online service providers, there were some who were very nice to the users and were giving out the information. Whenever I tried to log in and the login failed, they were giving me information like, oh, your username was correct but your password was wrong, try another password. So it is very interesting: they are nice enough to tell you that your username was correct but your password was wrong. But if I'm an attacker, even if I'm not brute forcing your account, I can use that information. I can use any kind of legit information I can get from the online service providers. I can come up with all the valid usernames for the service; I can sell those usernames for my own malicious intentions, or I can use those usernames and that legit information for phishing attacks; I can sell that information to ad agencies and they can send you spam and ads, or I can use that information for my own gain. So this has to be taken into consideration: while you are trying to tell the user what is wrong, you should not make the message more specific. The message should be very generic: the login failed, or the username or password is incorrect.
Nobody thinks about the timing difference in loading pages. If I want to automate the process of brute forcing, I can create a dummy account, and if I know that when my login is successful the very next page loads in like 100 milliseconds, but when my login fails the next page loads in like one second, or takes a lot of time to load after the failed login, then I can use that information for my gain in automating my tool: okay, if I'm trying brute force and a guess is successful, then do this next step, based on the timing difference in loading the pages. This is really interesting: online service providers should try not to have different timing lags between the pages they load after a successful login and after a failed login. It's considered one of the best practices.
And the second one, notification of bad logins, is really very important. Even to this day, there are service providers who do not notify you of the bad login attempts on your account. There should be some kind of notification to users so that they know, if they are not the ones trying to log into the account, that they should take preventive steps up front to see what is going wrong with their account. Like, if I forgot my password and after five attempts I just got locked out and I'm notified, I can ignore that message, thinking, oh, I am the one who got locked out of my account. But if there is someone else trying to brute force my account and I'm getting notified of bad login attempts, I can proactively take corrective action: I can notify the service provider that this is happening on my account, please prevent it, or I can go ahead and change my password if I think my password is weak enough to be easily guessed. And surprisingly, when I was surveying, no online service provider, neither clouds nor social media providers, was using that practice of notifying users. Again, I'm going to pick on Apple on that. When the iCloud breach happened, they said that they are going to implement a notification process for their users, so that their users can know what's going on with their account and can take proactive action to correct it. I don't know whether they have implemented it or not, because I don't have an iCloud account, but you guys can check.
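The generic-message and equal-timing points above come down to the same rule in code: take the same path, do the same work and return the same text whether the username exists or not. The following is an added example, not code from the talk or from any surveyed provider. It shows the leaky handler the talk describes next to a hardened one; PBKDF2 with the iteration count below, the single constructed user, and the instrumentation counter are this example's assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000        # assumed PBKDF2 work factor for the example
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed single-user store for the example.
USERS = {"alice": hash_password("correct horse battery staple")}

# A throwaway record used when the username does not exist, so that the
# unknown-user path performs the same PBKDF2 work as the wrong-password path.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


def leaky_login(username, password):
    """The behaviour the talk describes: different messages per failure, and
    the unknown-user branch returns without hashing, so it answers faster too."""
    if username not in USERS:
        return False, "Unknown username."
    salt, expected = USERS[username]
    if hash_password(password, salt)[1] == expected:
        return True, ""
    return False, "Username correct, password wrong. Try another password."


class LoginService:
    def __init__(self, users):
        self.users = users
        self.hash_ops = 0       # instrumentation: how many PBKDF2 runs happened

    def login(self, username, password):
        # Always fetch *some* record and always hash: the work is identical
        # whether the username exists or not, so response time says nothing.
        salt, expected = self.users.get(username, DUMMY_RECORD)
        self.hash_ops += 1
        _, candidate = hash_password(password, salt)
        # Constant-time digest comparison; the membership check keeps a
        # (vanishingly unlikely) match against the dummy record from logging in.
        if hmac.compare_digest(candidate, expected) and username in self.users:
            return True, ""
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    svc = LoginService(USERS)
    print(leaky_login("mallory", "x"), leaky_login("alice", "x"))   # two different answers
    print(svc.login("mallory", "x"), svc.login("alice", "x"))       # one answer, same work
```

The `hash_ops` counter is there to make the timing point checkable: after one unknown-user attempt and one wrong-password attempt it reads two, because both paths ran the same key derivation.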
Okay, so those were the practices for bad login prevention. And password recovery: this is very important, because the online service providers want to be nice to you when you forget your password, and they don't want you to go through the trauma of different steps to recover your account. So 2FA for password reset: again, when I was discussing 2FA, I said that when 2FA comes up, people usually think about, okay, the login purpose. But they can use it for the password reset as well. If I have enabled 2FA on my account and I have my 2FA token, but I forgot my password and I want to recover it, then no matter what steps they are providing me to reset my password or recover my account, if I have 2FA, the online service provider should use my 2FA to their advantage in recovering the account. So that even if an attacker is trying to get into the account by the password recovery method, the attacker has to have my 2FA token to reset my password or my account. That's really important: have 2FA for the password reset or password recovery process.
Use of a recovery email: this is a pretty common method used by online service providers, especially the social media providers and iCloud providers, because the primary way of you getting into your account is your email. So they will just send you the steps for recovering your password to your email address. Use of a recovery email is when you have an alternate email account associated with your service account, and when you have forgotten your password, you ask your service provider to send the steps or the hint to your alternate email address. That is kind of like tied up with 2FA, because the email address will again be a second layer of security when recovering your password: if I'm an attacker and I see that they are sending the code to your email address, then I have to hack your email account to get into your social account. So it provides one more layer of security while recovering the password. Okay.
As we discussed about the email stuff, if I have forgotten my password, my service provider will email me with the password recovery steps. They need to consider some things before doing that. The main thing is they should not disclose any kind of legit account information in that email, or any kind of password hint like, okay, your password starts with FAP, or your password starts with PAS and star, star, star. Because if the scenario is the other way around, if the attacker did not get hold of your online service accounts but they did get hold of your email account, then even though they were not thinking of hacking your online accounts, if they go through the recovery emails and see the hints for your passwords, it will be really easy for them to figure out what your actual passwords are for your online service accounts, and you can be more vulnerable to getting hacked on your online services as well. So this is for the purpose of protecting your online service accounts if the attacker gets hold of your email accounts.
The third one is really very important: we highly recommend that there should not be any personal security questions for recovery. There are online service providers who completely rely on this process. They will have a list of 10 or 15 questions, and if you can answer them correctly, they are nice enough to allow you to reset your password. It is really important, because if I'm a celebrity and I have a high fingerprint on social media, it is not hard for an attacker to guess my mother's maiden name, my father's maiden name, my place of birth, my date of birth, my favorite pet's name, my favorite car's name, the first house where I lived, blah, blah, blah. So that is really important: even if you are not a celebrity or a very famous person, but you are a known person in your work, like if you are famous in cyber security or famous in something or other, and I am really behind you, I can track you or stalk you on social media, and because of your fingerprint available on the internet I can easily come up with a list of possible answers and try exhaustively to guess the security questions for recovery, and I can get into your account via this recovery method even if I'm not brute forcing your account. So this is very important. And one more thing to mention: when online service providers use this kind of method for recovery, they have a fixed number of questions. They don't even change the questions. I mean, if you make a dummy account and try to recover your own password, you can easily come up with the list of 10 or 12 questions which are fixed for each account for password recovery. So you can try it for all the accounts, or all the famous celebrity accounts, or whatever, for getting into their accounts.
When I was doing the survey, I have seen that some of the online service providers, in addition to the password recovery questions, have something like: if you had your alternate email address associated with your account and you have forgotten the password of that email address as well, the service providers are so nice that they will ask you to provide any random email address or phone number to send you the code, or the hints, for how you can go ahead and log in to your account or reset your password. So it is highly recommended that you should not let the user select any email or phone number while recovering the account, because it's very easy for the attackers to spoof the email address and phone number and get your secret code or your secret hint for password recovery.
Timeout the recovery URL. When online service providers are using your email address to send you the link or URL for you to go ahead and do the password recovery, they should time out that URL. In most of the cases, almost all online service providers who are using email for the recovery have a timeout of like 24 hours or six hours. As soon as they send you the URL, it is going to time out, depending on the service, in 24 hours, six hours, 60 minutes, or half an hour.
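The recovery-URL timeout and the no-hints-in-the-email rule can be handled in one small token store. This is an added example, not code from the talk or from any provider it surveys: the 30-minute lifetime, single-use redemption, the HMAC fingerprint kept server-side instead of the raw token, the placeholder reset URL and the sample email text are all this example's assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed per-deployment secret; in practice it lives in server-side config.
SERVER_KEY = secrets.token_bytes(32)
RECOVERY_TTL = 30 * 60                     # assumed: 30 minutes
RESET_URL = "https://example.com/reset"    # assumed placeholder


def _fingerprint(token):
    """Store only an HMAC of the token so a leaked table cannot be replayed."""
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


class RecoveryTokens:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}      # fingerprint -> (account, expires_at)

    def issue(self, account):
        token = secrets.token_urlsafe(32)          # 256 random bits, unguessable
        self.pending[_fingerprint(token)] = (account, self.clock() + RECOVERY_TTL)
        return token

    def redeem(self, token):
        """Return the account for a live token, or None. Valid or not, the
        entry is consumed: a recovery link works exactly once."""
        entry = self.pending.pop(_fingerprint(token), None)
        if entry is None:
            return None
        account, expires_at = entry
        if self.clock() > expires_at:
            return None
        return account


def recovery_email_body(token):
    """What goes to the mailbox: a link and a deadline. No username, no
    password hint, no partial phone number, nothing useful to whoever
    reads that inbox later."""
    return (
        "A password reset was requested for an account at example.com.\n"
        "If this was you, open %s?token=%s within 30 minutes.\n"
        "If it was not you, ignore this message; nothing has changed."
        % (RESET_URL, token)
    )


def walkthrough():
    """Issue, redeem, replay and expire a token against a controllable clock."""
    now = [1_700_000_000.0]
    tokens = RecoveryTokens(clock=lambda: now[0])
    first = tokens.issue("alice")
    used_once = tokens.redeem(first)            # "alice"
    used_twice = tokens.redeem(first)           # None: already consumed
    second = tokens.issue("alice")
    now[0] += RECOVERY_TTL + 1
    expired = tokens.redeem(second)             # None: past the deadline
    return used_once, used_twice, expired, tokens.redeem("not-a-token")


if __name__ == "__main__":
    print(walkthrough())            # ('alice', None, None, None)
    print(recovery_email_body(RecoveryTokens().issue("alice")))
```

The same store is the natural place to hang the reset notification the talk asks for later: the successful `redeem` is the one point where the provider knows both that the password is about to change and which account it belongs to.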
So you should not provide, as an online service provider, you should not provide any legit information associated with your user's account. Because as we discussed earlier, that any legit information of yours can be used for any malicious purpose in future by the attacker. So even if the attacker is not behind your account, like I have to hack into the account, they can harvest all the legit and all the useful information from your password recovery and they can use that personal information of yours in other malicious,
in other malicious purposes. So there should not be any disclosure of your email address or your legit phone number or some part of your email address or some part of your phone number to the attackers.
Notifications are a really important part of password security best practices, but unfortunately nobody follows it. We talked about the notification of bad attempts, and we are definitely going to follow the password reset notification as well. So there are no online service providers who notify their user whenever they change their password. So if the attacker is trying this door to get into your account and they are successful in resetting your password, you will never know about it. And if the intent of the attacker is to be persistent in your account and to see what activities you do in your account, you will never be able to know what kind of things are going on. So we highly recommend that whenever there's a password reset, you should notify your user
that at this date, by this IP address, your password got reset. So if this was not you, please take preventive actions, and if that was you, you can safely ignore this message. And the same with password recovery, email and ID changes. So in a nutshell, whatever is changed on your account, either your password or your personal information, online services should notify the users that there is some kind of change going on in your account. And unfortunately, you guys might have seen it, whenever you change your password or do some changes on your account, you never get notified on your alternate email address. It's really important for the users: if they know that something's going wrong,
they can proactively prevent any kind of further damage to their account.
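The two practices just described, a recovery link that expires and is single-use, and a reset notification that carries the date and the client IP, fit in a few dozen lines. The example below is added here and is not code from the talk or from any of the surveyed providers; the class and method names, the 60-minute lifetime, and the in-memory notification queue are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Added example, not code from the talk. Models two of the practices described
# above: a recovery URL whose token expires (and is single-use), and a
# notification with date and client IP whenever a password reset succeeds.


@dataclass
class RecoveryRecord:
    user_id: str
    issued_at: float
    ttl_seconds: int
    used: bool = False


class PasswordRecoveryService:
    """Issues and redeems recovery tokens; stores only a hash of each token."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds          # 60 minutes, one of the lifetimes mentioned in the talk
        self.clock = clock              # injectable so expiry can be tested deterministically
        self._records = {}              # sha256(token) -> RecoveryRecord
        self.notifications = []         # constructed stand-in for an outbound mail queue

    @staticmethod
    def _key(token: str) -> str:
        # A database leak must not hand out live recovery links, so only the hash is kept.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Return the secret that goes into the recovery URL."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._records[self._key(token)] = RecoveryRecord(user_id, self.clock(), self.ttl)
        return token

    def redeem(self, token: str, new_password: str, client_ip: str) -> str:
        """Reset the password if the token is valid. Returns the outcome as a string;
        the user-facing page should show one generic error for every failure case."""
        rec = self._records.get(self._key(token))
        if rec is None:
            return "invalid"
        if rec.used:
            return "already-used"
        if self.clock() - rec.issued_at > rec.ttl_seconds:
            return "expired"
        rec.used = True
        # Real code would store a salted hash of new_password here.
        self.notifications.append({
            "user_id": rec.user_id,
            "event": "password_reset",
            "at": self.clock(),
            "client_ip": client_ip,
        })
        return "ok"


def notification_text(note: dict) -> str:
    """Body of the alert sent to the account's (alternate) email address."""
    when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(note["at"]))
    return (f"Your password was reset on {when} from IP {note['client_ip']}. "
            "If this was not you, secure your account now; "
            "if it was you, you can safely ignore this message.")


class FakeClock:
    """Constructed clock so the example (and its test) can fast-forward time."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    svc = PasswordRecoveryService(ttl_seconds=3600, clock=clock)
    token = svc.issue("alice")
    clock.now += 3601                      # one second past the 60-minute window
    print(svc.redeem(token, "New-Passw0rd!", "203.0.113.5"))   # expired
    token = svc.issue("alice")
    print(svc.redeem(token, "New-Passw0rd!", "203.0.113.5"))   # ok
    print(svc.redeem(token, "New-Passw0rd!", "203.0.113.5"))   # already-used
    print(notification_text(svc.notifications[-1]))
```

Only the hash of the token is stored, so a copy of the table does not hand an attacker live recovery links, and the distinct return values are for the server's own logs; the page shown to the user should be the same for "invalid", "expired" and "already-used" so that nothing about the account leaks.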
Okay, so these were the best practices, a combination of practices which were practiced and which we have seen online services use. And then we came up with some best practices of our own which can be used by online service providers to better safeguard the account. So if you think about it, we pay a lot of attention to creating complex passwords. But if we think about our usernames, right, we have two keys to log into our account. One is the username and one is the password. So brute force is all about: if I know your username, I can quickly brute force your password. And knowing a username is not very hard. It's available on social media. I mean, you
can hardly have two or three unique usernames for all your accounts, right? So this practice talks about all the combinations or all the minimum requirements which you follow for your password. If you follow the same minimum requirements for your username, then it will become harder for an attacker, or it will just double the amount of time, resources and work an attacker has to do to first guess your correct username and then the correct password. So, I mean, basically all the best practices in password selection, we can apply them in username selection as well to make it harder for the attacker to guess your username. And if
we are more concerned with this, for social media providers, if they are more concerned that if we have complex usernames, it will be harder for other people to search for their friends on the internet, then we would suggest that you can have some kind of pseudonym on your account. For example, I can use a very complex username and password to log into my Facebook account, but as soon as I log into my Facebook account, I can have a pseudonym, I can have my name as my pseudonym, like, , so if my friends want to search for me, they can search me with my pseudonym, but they will not be able to know my correct username which
I'm using to log into my account. So this is a really nice practice which they can use for further narrowing down the, of the accounts.
Okay, so mandatory upgrade of passwords after a new password policy. This is pretty obvious, right? I mean, whenever an organization comes up with new password policies, that okay, now we are going to include this, this, this, this, you need to upgrade your account, right? It addresses two main questions. I came up with the password policies and now I think that they are very good and now they will protect my users, and whoever tries to create an account will no longer be able to create an account with simple passwords like QWERTY or 1234. But the problem is, what about your alumni accounts? What about the users who made the accounts for your services a decade ago? Like I made my first Gmail account when I was 10. And
I am 100% sure that I selected the stupidest password in the world. So even if Gmail has very strict password policies right now, what happens to my other account? They're still vulnerable to attacks, right? And the majority of the time, the hacks involve the old accounts rather than the new accounts, because when people become more and more aware of good practices, they try to select good passwords, but the people who are old or the people who made their accounts with the services a decade ago still have the same easy passwords. So it's very easy for an attacker to hack those accounts. So this is really important: you should force all the accounts
to comply with the password policies and you should force all the users to change their password to comply with the policies.
This is kind of like an invisible aspect which is not visible to us users, but whenever there's a breach and the password database gets compromised, it still should be hard for an attacker to crack all the passwords if they are hashed with a proper hash and a good salt. It's highly recommended that the online service providers use as big a salt as the number of bits they have for their hash algorithm. And the last one is the periodic password reset. Whenever you know that your password requirements are no longer complying with the current industrial practices, you can at any time upgrade your password policies. So it's highly recommended that you come up with upgraded password policies very frequently, like every six
months or three months, and you force your users to comply with that upgraded password policy. Okay, so I have already covered kind of like my findings when I was discussing the best practices and by elucidating who is using what, but we will quickly go through the basic online findings. So we did a survey on two kinds of services. One was online cloud service providers and the other was social media. So we will quickly go through the results of what they were using almost a year and a couple of months ago, because these results are kind of like a year old, because I did my research in 2015. So they are not very current and up to date, but this
is not very, not very old, this is very recent. So quickly on password selection, among online cloud service providers, SpiderOak was the weakest. When I surveyed, they had the password selection policy that a user can select a password one character long. You can have a password with A, B, C, or D. So that was the weakest thing which we could find, and SpiderOak is an online cloud service provider if you haven't heard of it. Tresorit and Simplicity are far better than other cloud service providers in password selection. Amazon, Google, Dropbox, they don't have stringent password restrictions. They didn't have stringent password restrictions when I surveyed them.
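The storage-side practices from the talk (a per-user salt as wide as the hash output, a slow hash, forcing accounts created under an older policy through a reset, and a periodic reset window) are shown together below. This is an added example, not code from the talk or from any surveyed provider; the policy rules, the policy-version stamp, the 180-day window, and the `age_days` field are assumptions for illustration. It uses PBKDF2-HMAC-SHA256 from Python's standard library with a 32-byte salt, matching the "as many salt bits as hash bits" recommendation for SHA-256.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example, not code from the talk. Shows the "invisible" storage side:
# a per-user random salt, a slow hash, and a policy version stamped on every
# credential so accounts created under an older, weaker policy can be forced
# to reset. The policy itself and the field names are assumptions.

POLICY_VERSION = 2            # bump whenever the password policy changes
SALT_BYTES = 32               # 256-bit salt: as many bits as SHA-256 produces
PBKDF2_ROUNDS = 600_000       # OWASP guidance for PBKDF2-HMAC-SHA256
MAX_PASSWORD_AGE_DAYS = 180   # periodic reset window (six months)


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes
    rounds: int
    policy_version: int
    age_days: int = 0   # days since the password was set (constructed field)


def meets_policy(password: str) -> bool:
    """Current (assumed) policy: at least 12 chars with upper, lower and digit."""
    return (len(password) >= 12
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> StoredCredential:
    salt = os.urandom(SALT_BYTES)         # fresh salt per user, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return StoredCredential(salt, digest, rounds, POLICY_VERSION)


def verify_password(password: str, cred: StoredCredential) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, cred.rounds)
    return hmac.compare_digest(candidate, cred.digest)   # constant-time comparison


def must_reset(cred: StoredCredential) -> bool:
    """True for the 'alumni account' case (set under an older policy) and for
    passwords older than the periodic-reset window."""
    return cred.policy_version < POLICY_VERSION or cred.age_days > MAX_PASSWORD_AGE_DAYS


def accounts_needing_reset(store: dict) -> list:
    """store maps user_id -> StoredCredential; returns the users to force through a reset."""
    return sorted(uid for uid, cred in store.items() if must_reset(cred))


def sample_store() -> dict:
    """Constructed data: one fresh account and one decade-old account hashed under policy 1."""
    fresh = hash_password("Correct-Horse-9")
    legacy = hash_password("Correct-Horse-9", rounds=1000)   # weak legacy parameters
    legacy.policy_version = 1
    legacy.age_days = 3650
    return {"new_user": fresh, "alumni_user": legacy}


if __name__ == "__main__":
    a = hash_password("Correct-Horse-9")
    b = hash_password("Correct-Horse-9")
    print(a.digest != b.digest)                    # same password, different salts, different digests
    print(verify_password("Correct-Horse-9", a))
    print(accounts_needing_reset(sample_store()))  # ['alumni_user']
```

Because the salt is random per user, two users with the same password get unrelated digests, so a cracked hash helps with exactly one account; the `policy_version` stamp is what lets a provider find the decade-old accounts the talk worries about and force them through the new rules.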
Bad login attempts. There were only two major categories, CAPTCHA and timeout. The majority of the users were using CAPTCHA. That's interesting because, as I discussed earlier, CAPTCHA is no longer considered a best practice, but we still recommend using CAPTCHA as the first layer of security provided to your account. So the majority use CAPTCHA and, surprisingly, no one, no cloud service provider, uses any kind of notification for bad attempts, password selection, and password recovery. Password reset. So as it is understood that all cloud services are linked with your email addresses, they use the email addresses to recover the password. So almost the majority of them use the email addresses for the recovery, except Resoid, which doesn't offer any kind of password recovery for the user.
And they don't use any kind of notification. Talking about social media providers for the password selection. Guess what? There were no restrictions for the password selection. You can have very easy passwords and it's understood, because their clients are their basic products, right? I mean, their consumers are what make them big. So they don't want to piss the users off when they are trying to create their accounts with the social media providers. So they don't want to present you with 100 questions, and you can't create an account until you have this, this, this in place. So that's why social media providers let the users select easy passwords and then they have mechanisms on other things, bad
password attempts and password recovery, for protecting your account. But yeah, there were not very many restrictions on the password selection process for social media service providers.
Bad login attempts. Yahoo, when we did the survey, had no slowdown mechanism. They were neither using CAPTCHA nor using timeout. But on the other hand, they had good password selection. So I think they had a trade-off: if you have a good password, there is less likelihood of a successful brute force on your account. Gmail and LinkedIn both use CAPTCHA. Twitter and Facebook use timeout. I think I have mentioned before that Facebook has a pretty sophisticated use of timeout in which they are, I think, using a combination of the IP and the bad password attempts coming from it together to lock out an account. And again, no one is using the notification for bad logins. Password
recovery: almost everyone used the email address, social media providers use the email address, and nobody used 2FA for the password recovery. We highly recommend using 2FA for password recovery for the accounts which have enabled 2FA, but nobody was using that. And no notification for password reset for social media providers as well. A good discussion on timeout versus CAPTCHA. I have mentioned a couple of times that CAPTCHA is no longer considered a best practice in the security society right now, but we highly recommend CAPTCHA as one of the layers of security, and you will be surprised by the results. So we surveyed 22 online service providers, and 10 service providers, like,
almost 45 percent, were using CAPTCHA, and only five service providers were using timeout. And seven service providers, the others, were using nothing, like Yahoo, they weren't using anything for timing out, they weren't using anything for slowing down the users. So this is a quick graphical representation of the findings of timeout, CAPTCHA and none. And surprisingly, you can see that the majority of them are still using CAPTCHA for timing out, for the slowing down mechanism.
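For the timeout side of that comparison, the example below is added here and is not code from the talk or from any surveyed provider. It implements a slowdown mechanism keyed on the username and client IP together, the combination the talk attributes to Facebook, with a lockout that doubles on each further strike and a bad-login notification on every lockout, the alert the survey found no provider sending. The window, threshold and lockout lengths are assumptions, as are the class and method names.

```python
import time
from collections import defaultdict, deque

# Added example, not code from the talk. Implements the "timeout" slow-down
# mechanism discussed above, keyed on the username and client IP together,
# with a lockout that escalates on repeated strikes and a notification on
# every lockout. Thresholds and names are assumptions.


class LoginThrottle:
    def __init__(self, window_s=300, threshold=5, base_lockout_s=60, clock=time.time):
        self.window_s = window_s              # failures are counted over this sliding window
        self.threshold = threshold            # failures within the window that trigger a lockout
        self.base_lockout_s = base_lockout_s  # first lockout length; doubles on each further strike
        self.clock = clock
        self._failures = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
        self._strikes = defaultdict(int)      # (user, ip) -> number of lockouts so far
        self._locked_until = {}               # (user, ip) -> unix time the lockout ends
        self.notifications = []               # constructed stand-in for an outbound alert queue

    def is_locked(self, user: str, ip: str) -> bool:
        return self._locked_until.get((user, ip), 0.0) > self.clock()

    def record_failure(self, user: str, ip: str) -> int:
        """Register a bad password. Returns the lockout length applied (0 if none)."""
        now = self.clock()
        key = (user, ip)
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()                        # drop failures outside the window
        if len(q) < self.threshold:
            return 0
        self._strikes[key] += 1
        lockout = self.base_lockout_s * 2 ** (self._strikes[key] - 1)
        self._locked_until[key] = now + lockout
        q.clear()
        self.notifications.append({
            "user_id": user, "event": "bad_login_lockout",
            "client_ip": ip, "at": now, "lockout_s": lockout,
        })
        return lockout

    def record_success(self, user: str, ip: str) -> None:
        self._failures.pop((user, ip), None)
        self._strikes.pop((user, ip), None)

    def attempt(self, user: str, ip: str, password_ok: bool) -> str:
        """Outcome for one login attempt: 'locked', 'ok' or 'denied'."""
        if self.is_locked(user, ip):
            return "locked"               # do not even check the password while locked
        if password_ok:
            self.record_success(user, ip)
            return "ok"
        self.record_failure(user, ip)
        return "denied"


class FakeClock:
    """Constructed clock so the lockout expiry can be demonstrated without waiting."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def simulate() -> list:
    """Constructed burst of guesses from one IP, then a wait, then the real user logging in."""
    clock = FakeClock()
    th = LoginThrottle(clock=clock)
    outcomes = []
    for _ in range(6):
        outcomes.append(th.attempt("alice", "198.51.100.7", password_ok=False))
    clock.now += 61                            # first lockout (60 s) has expired
    outcomes.append(th.attempt("alice", "198.51.100.7", password_ok=True))
    return outcomes


if __name__ == "__main__":
    print(simulate())   # ['denied', 'denied', 'denied', 'denied', 'denied', 'locked', 'ok']
```

Keying on the (username, IP) pair means a legitimate user at home is not locked out by guesses arriving from elsewhere, while the escalating lockout keeps the guessing rate from one source low; the notification record is what a provider would turn into the "someone is trying your password" email that, per the survey, nobody sends.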
A quick discussion on 2FA. So when we were surveying the online service providers, nobody was using, or nobody was making it mandatory for the users to use 2FA. So I had a good discussion with Dropbox about whether 2FA should be made mandatory or 2FA should just be there, it's there, but you can use it or not use it. You can use it, but it's optional. So they had a very interesting use case. What they said was that we have two kinds of accounts. One is free and one is paid. So if you are the paid customers, you are kind of like our premium users. So we
make it mandatory for our paid customers to use 2FA on their login attempts, but if you're a free user, we don't make it mandatory. So that made me think that it's a trade-off, it's always a trade-off between your business use case, your business model and what you want, what is your customer base. If your customer base is highly dependent on users, you don't want to make your users unhappy with the service by asking them questions, providing the 2FA or making 2FA mandatory. There was a good discussion with Dropbox which was very interesting to know: that they don't do anything to secure their users for free versus the
users who are paid. But the problem is, whenever there is a breach, the majority of the accounts that get hacked or compromised are free accounts, right? And the newspaper does not say that, okay, our free accounts got compromised, but the good news is the paid accounts are still protected. The newspaper is going to say that 80% of accounts got compromised, and that will create a bad market value, or that will just create a loss of trust of customers in the online service provider, and they are basically going to lose their market value. And even their paid customers, or the customers who want to go to a paid service, will think twice that, oh, that
service got breached, so do we want an account in that service or not? So in conclusion, all the best practices which I have covered, you guys might have already known, as I believe that you guys work in security, but the problem is we all know that these are the best practices we should follow for our online security, but the problem is online service providers don't know, I mean, they might know, but they are not following those, because they are just more dependent on their business model. But yeah, that was an interesting conclusion: it's not enough that you know, but your online service accounts, they are not highly adaptive of those best
practices. So you can even think right now, you guys have accounts, right? How secure are your passwords, whether you have a strong password, or even in your own organization, are they trying to implement all the best practices for password selection, or how strong are their password selection mechanisms right now and how vulnerable are they to brute force? Do you guys get a notification when you change your password in your organization, or do you guys just not get any kind of brute force notification? So for the future of this: the majority of the work that was done on this online survey was manual and it was time intensive. So we would like to have a
tool created for online automated auditing of the online services that can run through the online services with a predefined set of requirements which you want to test that service against, and it can come up with a result of how secure the service is. Kind of like it can give it a grade of 80% secure, 90% secure, depending on the business model. So it would be really interesting, or it would be really nice, to have a tool to do that kind of auditing for any online service. And the challenges again include that there is a variety and diverse set of online services right now, like cloud services, social services, and they all have very different use cases
and they all have very different business models. So it's kind of hard, and the tool should be highly customizable to adapt to what kind of business models they are using and what are the challenges that they are trying to mitigate.
When we were doing the survey, we reviewed a couple of NIST documents and, surprisingly, they have very interesting use cases, or they have interesting recommendations for usernames and passwords for the authentication process, and they are not highly up to the grade that we should think they should be. But if you want to see what they recommend as the best practices for online user authentication, you can try to read those three documents and you will be surprised at what they're recommending. So we just think that when we were reviewing those documents, they were not good enough and some of the best practices were missing. So you can go through those if you want. And exactly on
time, so thank you, and do you guys have any questions?