| Funder | National Science Foundation (US) |
|---|---|
| Recipient Organization | Georgia Tech Research Corporation |
| Country | United States |
| Start Date | Jun 01, 2021 |
| End Date | May 31, 2025 |
| Duration | 1,460 days |
| Number of Grantees | 1 |
| Roles | Principal Investigator |
| Data Source | National Science Foundation (US) |
| Grant ID | 2055549 |
For decades, passwords have served as a cornerstone of online authentication, and will likely remain so for the foreseeable future. As a consequence, the security of the web ecosystem, its billions of users, and the global economy are critically dependent on how websites manage password authentication. Yet each year, attackers successfully hijack millions of online accounts, highlighting a salient need to improve real-world password authentication.
Towards this end, prior research has explored understanding and improving user password behavior, but to date, there has been limited consideration for how websites and their operators actually handle password authentication. Taking a website-centric perspective, this project will systematically investigate the password authentication practices employed by websites to identify root causes of insecure methods.
Drawing on the insights gained, this project will also develop innovative technical and non-technical approaches for improving the practices actually adopted by website operators. Ultimately, this research will help advance online authentication security across the web by impacting the way website operators manage password-related security. This could possibly lead to better security standards (e.g., web standards or password standards).
Research outcomes will be widely disseminated and integrated into open-source tools that website developers and administrators can directly use.
To achieve these goals, this project will pursue three interconnected thrusts. The first thrust will develop web crawling and analysis techniques to measure website password authentication practices at scale and evaluate their implications, providing new visibility into the state of online authentication security throughout the web ecosystem. The second thrust will employ user studies and experiments with website operators to establish a socio-technical understanding of why insecure practices manifest in reality, considering human, organizational, policy, legal, and technical factors.
Finally, the third thrust will build on the insights gained from the other two thrusts and develop practical technical and non-technical solutions for improving how website operators manage password authentication. These solutions will include hardened designs and implementations of existing authentication mechanisms, tools that reduce the barriers to adopting secure practices, and methods of raising operator awareness of poor practices.
Together, these complementary thrusts serve as a comprehensive effort to improve web authentication in practice.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.