Papers:
USENIX Security 2015,
Oakland 2016,
CCS 2017,
Oakland 2019,
CCS 2019
Awards: Oakland 2016 paper won Distinguished Student Paper Award
Media coverage: Technology Review - Threatpost - Slashdot
Description:
We have developed improvements to the usability and security of password-based authentication. Our hardening service Pythia renders stored password hashes uncrackable by offline brute-force attacks using a new cryptographic primitive called a partially oblivious pseudorandom function.
More recently, we investigated typo-tolerant password authentication that automatically corrects, on behalf of the user, frequently made typographical errors. In collaboration with Dropbox, we showed that deploying typo-tolerance would help users log in without degrading security.
We have explored the implications of password breaches in terms of improving targeted guessing attacks, and have helped design privacy-preserving breach detection systems as deployed by Cloudflare and Google. Our research helped motivate a change to Google's protocol, and ongoing collaborations with Cloudflare and the HIBP service.