
LITERATURE SURVEY

L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi, "Exposure: Finding Malicious Domains Using Passive DNS Analysis," Proc. 18th Ann. Network and Distributed System Security Symp. (NDSS), Feb. 2011.
We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and key logging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 2 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the user IDs rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.
D. Dagon, "Botnet Detection and Response, the Network Is the Infection," Proc. Domain Name System Operations Analysis and Research Center Workshop, 2005.
Passwords are perhaps the most widely used method of user authentication. Although there are more secure authentication mechanisms, e.g. hardware token, certificate or fingerprint based authentication, password based authentication remains the widely used mechanism due to its low cost and convenience. Because passwords should be memorized, they are generally chosen from a small domain, which enables an adversary to mount a dictionary attack on password-based schemes. The Reverse Turing Test (RTT) is a promising tool to defeat online password attacks mounted by automated programs. The Reverse Turing Test is easy for human users to pass, but hard for automated programs. At present, it is widespread for web service providers to ask users to pass RTTs before the user names and passwords are checked. The scheme is secure against global password attacks mounted by automated programs. The main drawbacks of this scheme are usability and scalability: for each login attempt, a user has to answer at least one RTT question, which may annoy some of the users; and the server has to generate one RTT question, which consumes a lot of computation power on the server if many users log in simultaneously.
C.J. Dietrich, C. Rossow, F.C. Freiling, H. Bos, M. van Steen, and N. Pohlmann, "On Botnets that Use DNS for Command and Control," Proc. European Conf. Computer Network Defense, Sept. 2011.
There have been many attempts to measure how many hosts are on the Internet. Many of those endpoints, however, are NAT boxes (Network Address Translators), and actually represent several different computers. We describe a technique for detecting NATs and counting the number of active hosts behind them. The technique is based on the observation that on many operating systems, the IP header's ID field is a simple counter. By suitable processing of trace data, packets emanating from individual machines can be isolated, and the number of machines determined. Our implementation, tested on aggregated local trace data, demonstrates the feasibility (and limitations) of the scheme.
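The IP ID counting idea in the abstract above, as an added worked example (my code, not the paper's implementation): packets from one NAT address are chained by near-consecutive IP ID values, and each chain is taken as one hidden host. The trace, the gap and time thresholds, and the minimum chain length are constructed assumptions for illustration.

```python
from typing import Dict, List, Tuple

# Constructed trace, not real capture data: (time_s, ip_id) of packets seen from a
# single NAT public address. Three hidden hosts, each with its own IP ID counter.
TRACE: List[Tuple[float, int]] = [
    (0.00, 1000), (0.01, 4120), (0.02, 1001), (0.03, 7000), (0.05, 4121),
    (0.07, 1002), (0.08, 4122), (0.10, 7001), (0.11, 1003), (0.13, 7002),
    (0.15, 4123), (0.16, 1004), (0.20, 7003), (0.22, 4124), (0.25, 1005),
]

def split_by_ipid(trace, max_gap=8, max_dt=2.0):
    """Group packets into chains of consecutive IP IDs; each chain ~ one host.

    A packet joins the chain whose last IP ID is closest below it (within
    max_gap, allowing for packets we did not observe) and that was active
    within max_dt seconds; otherwise it starts a new chain. The 16-bit ID
    field wraps, so the gap is computed modulo 65536.
    """
    chains: List[Dict] = []
    for t, ip_id in sorted(trace):
        best = None
        for ch in chains:
            gap = (ip_id - ch["last_id"]) % 65536
            if 0 < gap <= max_gap and t - ch["last_t"] <= max_dt:
                if best is None or gap < best[1]:
                    best = (ch, gap)
        if best is None:
            chains.append({"first_id": ip_id, "last_id": ip_id, "last_t": t, "n": 1})
        else:
            ch = best[0]
            ch["last_id"], ch["last_t"], ch["n"] = ip_id, t, ch["n"] + 1
    return chains

def count_hosts(trace, min_packets=3):
    """Estimate hosts behind the NAT. Short chains are treated as noise; this is
    also where the method's limitation shows: an OS that randomises the ID
    field never forms a usable chain and is not counted."""
    return sum(1 for ch in split_by_ipid(trace) if ch["n"] >= min_packets)

if __name__ == "__main__":
    for ch in split_by_ipid(TRACE):
        print(f"host: ids {ch['first_id']}..{ch['last_id']} ({ch['n']} packets)")
    print("estimated hosts:", count_hosts(TRACE))
```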

M.T. Goodrich, R. Tamassia, and D. Yao, "Accredited DomainKeys: A Service Architecture for Improved Email Validation," Proc. Conf. Email and Anti-Spam (CEAS '05), July 2005.
We present a usability study of two recent password manager proposals: PwdHash and Password Multiplier. Both projects considered usability issues in greater than typical detail, the former briefly reporting on a small usability study; both also provided implementations for download. Our study involving 26 users found that both proposals suffer from major usability problems. Some of these are not "simply" usability issues, but rather lead directly to security exposures. Not surprisingly, we found the most significant problems arose from users having inaccurate or incomplete mental models of the software. Our study revealed many interesting misunderstandings; for example, users reporting a task as easy even when unsuccessful at completing that task, and believing their passwords were being strengthened when in fact they had failed to engage the appropriate protection mechanism. Our findings also suggested that ordinary users would be reluctant to opt in to using these managers: users were uncomfortable with "relinquishing control" of their passwords to a manager, did not feel that they needed the password managers, or that the managers provided greater security.
I. Moskowitz, R.E. Newman, D.P. Crepeau, and A.R. Miller, "Covert Channels and Anonymizing Networks," Proc. ACM Workshop Privacy in the Electronic Soc. (WPES '03), pp. 79-88, 2003.
"Dos and Don'ts of Client Authentication on the Web"
Client authentication has been a continuous source of problems on the Web. Although many well-studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non-enterprise environments such as store fronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one. We provide a description of the limitations, requirements, and security models specific to Web client authentication. This includes the introduction of the interrogative adversary, a surprisingly powerful adversary that can adaptively query a Web site. We propose a set of hints for designing a secure client authentication scheme. Using these hints, we present the design and analysis of a simple authentication scheme secure against forgeries by the interrogative adversary. In conjunction with SSL, our scheme is secure against forgeries by the active adversary.
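An added example of the kind of cookie authenticator the abstract argues for (my illustration, not the paper's code): the cookie carries an expiry and the user name, and a keyed MAC over both, so an adversary who can query the site at will still cannot forge a cookie, alter its fields, or extend its lifetime without the server key. The cookie layout, field names and key value are constructed assumptions; as the abstract notes, confidentiality in transit still relies on SSL.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed placeholder; a deployment would generate a random key and keep it
# server-side only (the abstract's point: never let the key leak via the cookie).
SERVER_KEY = b"placeholder-replace-with-32-random-bytes"

def mint(user: str, ttl_s: int, key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Return an authenticator 'exp=<unix>&user=<name>&mac=<hex>'.

    The MAC binds the expiry to the user name, so neither field can be changed
    independently, and the expiry bounds replay of a stolen cookie.
    """
    if "&" in user or "=" in user:
        raise ValueError("user name must not contain cookie delimiters")
    exp = (int(time.time()) if now is None else now) + ttl_s
    payload = f"exp={exp}&user={user}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&mac={mac}"

def verify(cookie: str, key: bytes = SERVER_KEY, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the authenticator is genuine and unexpired, else None."""
    try:
        payload, mac = cookie.rsplit("&mac=", 1)
        fields = dict(part.split("=", 1) for part in payload.split("&"))
        exp = int(fields["exp"])
        user = fields["user"]
    except (ValueError, KeyError):
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a byte-by-byte compare would leak the MAC to
    # an adversary that times many adaptive queries.
    if not hmac.compare_digest(mac, expected):
        return None
    if (int(time.time()) if now is None else now) >= exp:
        return None
    return user

if __name__ == "__main__":
    c = mint("alice", ttl_s=3600)
    print(c)
    print("valid:", verify(c), "| tampered:", verify(c.replace("alice", "admin")))
```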
