- User Authentication and Security Systems
- Cryptography and Data Security
- Blockchain Technology Applications and Security
- Internet Traffic Analysis and Secure E-voting
- Spam and Phishing Detection
- Advanced Malware Detection Techniques
- Privacy, Security, and Data Protection
- Privacy-Preserving Technologies in Data
- Cloud Data Security Solutions
- Advanced Steganography and Watermarking Techniques
- Biometric Identification and Security
- Security and Verification in Computing
- Distributed Systems and Fault Tolerance
- Advanced Authentication Protocols Security
- Cybersecurity and Cyber Warfare Studies
- Personal Information Management and User Behavior
- Peer-to-Peer Network Technologies
- Intelligence, Security, War Strategy
- Cryptographic Implementations and Security
- Crime, Illicit Activities, and Governance
- Complex Network Analysis Techniques
- Psychedelics and Drug Studies
- Access Control and Trust
- Sexuality, Behavior, and Technology
- Network Security and Intrusion Detection
New York University
2017-2024
Courant Institute of Mathematical Sciences
2024
Ithaca College
2023
State Key Laboratory of Cryptology
2023
Princeton University
2011-2021
Stanford University
2006-2017
Frontier Science & Technology Research Foundation
2015-2016
Palo Alto University
2015
University of Wisconsin–Madison
2015
University of Cambridge
2009-2014
Bitcoin has emerged as the most successful cryptographic currency in history. Within two years of its quiet launch in 2009, Bitcoin grew to comprise billions of dollars of economic value despite only cursory analysis of the system's design. Since then, a growing literature has identified hidden-but-important properties of the system, discovered attacks, proposed promising alternatives, and singled out difficult future challenges. Meanwhile, a large and vibrant open-source community has deployed numerous modifications and extensions. We...
We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical schemes, cognitive schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty...
We report on the largest corpus of user-chosen passwords ever studied, consisting of anonymized password histograms representing almost 70 million Yahoo! users, mitigating privacy concerns while enabling analysis of dozens of subpopulations based on demographic factors and site usage characteristics. This large data set motivates a thorough statistical treatment of estimating guessing difficulty by sampling from a secret distribution. In place of previously used metrics such as Shannon entropy and guessing entropy, which...
Today's Internet services rely heavily on text-based passwords for user authentication. The pervasiveness of these services, coupled with the difficulty of remembering large numbers of secure passwords, tempts users to reuse passwords at multiple sites. In this paper, we investigate for the first time how an attacker can leverage a known password from one site to more easily guess that user's passwords at other sites. We study several hundred thousand leaked passwords from eleven web sites and conduct a user survey on password reuse; we estimate that 43-51% of users reuse the same password across multiple sites. We further identify a few...
Preventing adversaries from compiling significant amounts of user data is a major challenge for social network operators. We examine the difficulty of collecting profile and graph information from the popular social networking website Facebook and report two findings. First, we describe several novel ways in which data can be extracted by third parties. Second, we demonstrate the efficiency of these methods on crawled data. Our findings highlight how the current protection of personal data is inconsistent with users' expectations of privacy.
Theory on passwords has lagged practice, where large providers use back-end smarts to survive with imperfect technology.
The computer security community has advocated widespread adoption of secure communication tools to counter mass surveillance. Several popular personal communication tools (e.g., WhatsApp, iMessage) have adopted end-to-end encryption, and many new tools (e.g., Signal, Telegram) have been launched with security as a key selling point. However, it remains unclear whether users understand what protection these tools offer, and whether they value that protection. In this study, we interviewed 60 participants about their experience with different communication tools and their perceptions of the tools'...
Motivated by recent revelations of widespread state surveillance of personal communication, many solutions now claim to offer secure and private messaging. This includes both a large number of new projects and widely adopted tools that have added security features. The intense pressure in the past two years to deliver solutions quickly has resulted in varying threat models, incomplete objectives, dubious security claims, and a lack of broad perspective on the existing cryptographic literature on secure communication. In this paper, we evaluate...
The popular social networking website Facebook exposes a "public view" of user profiles to search engines which includes eight of the user's friendship links. We examine what interesting properties of the complete social graph can be inferred from this public view. In experiments on real social network data, we were able to accurately approximate the degree and centrality of nodes, compute small dominating sets, find short paths between users, and detect community structure. This work demonstrates that it is difficult to safely reveal...
We have conducted the first in-depth empirical study of two important new web security features: HTTP strict transport security (HSTS) and public-key pinning. Both have been added to the web platform to harden HTTPS, the prevailing standard for secure web browsing. While HSTS is further along, both features still have very limited deployment, at a few large websites and a long tail of small, security-conscious sites. We find evidence that many developers do not completely understand these features, with a substantial portion using them in invalid...