Security of login pages on the Web: who else can know your password?

May 11, 2016 12:00 AM

Who: Steven Van Acker (Chalmers)\
When: 14:15, May 11 \
Where: room ED\
Title: Security of login pages on the Web: who else can know your password?

Most people with an online presence these days store large amounts of information about their lives in online web services: e-mails, pictures, medical information, … To prevent unauthorised access to this personal and private information, these web services require users to authenticate, and this authentication is typically done using a username and password, transmitted for verification via a login page. These login pages are critical to a user’s security: if an attacker can steal a user’s username and password, they can easily gain access to that user’s account.

In this talk we take a look at the state of the art when it comes to security of login pages. We consider several attacker models, ranging from your typical Starbucks network attacker to sophisticated nation-state attackers.

With these attackers in mind, we look at what the ideal login page looks like, using all security measures currently built into browsers, on top of some common sense.

Once we know what the ideal login page looks like, we also take a look at real login pages on the Web. We analysed the login pages found on the top 100,000 most popular Internet domains and (responsibly) attacked them using simulated attacker models.

Beware: This data is part of ongoing research and the results may shock you. You may never wish to use the Web again!
