We present a framework by which websites can coordinate to make it difficult for users to set similar passwords at these websites, in an effort to break the culture of password reuse on the web today. Though the design of such a framework is fraught with risks to users' security and privacy, we show that these risks can be effectively mitigated through careful scoping of the goals for such a framework and through principled design. At the core of our framework is a private set-membership-test protocol that enables one website to determine, upon a user setting a password for use at it, whether that user has already set a similar password at another participating website, but with neither side disclosing to the other the password(s) it employs in the protocol. Our framework then layers over this protocol a collection of techniques to mitigate the leakage necessitated by such a test. We verify via probabilistic model checking that these techniques are effective in maintaining account security, and since these mechanisms are consistent with common user experience today, our framework should be unobtrusive to users who do not reuse similar passwords across websites (e.g., due to having adopted a password manager). Through a working implementation of our framework and optimization of its parameters based on insights of how passwords tend to be reused, we show that our design can meet the scalability challenges facing such a service.
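The abstract does not say how its private set-membership test is built, so the following added example (not the paper's protocol or code) substitutes a generic Diffie-Hellman-style commutative blinding to show the property described: the requesting site learns only whether a candidate password matches one the responding site holds for the user, and neither side sees the other's passwords in the clear. The modulus, function names and sample passwords are constructed assumptions, and the candidate list standing in for "similar" passwords is supplied by the caller.

```python
import hashlib
import secrets

# Constructed toy parameter (assumption): the prime 2**255 - 19 as modulus.
# A deployment would use a vetted prime-order group instead.
P = 2**255 - 19

def hash_to_group(password: str) -> int:
    """Map a password to a nonzero square modulo P."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    x = int.from_bytes(digest, "big") % P
    return pow(x or 1, 2, P)

def new_secret() -> int:
    """Fresh private exponent for one side of the exchange."""
    return secrets.randbelow(P - 3) + 2

def requester_blind(candidate: str, a: int) -> int:
    """Requester -> responder: H(candidate)^a, which hides the candidate."""
    return pow(hash_to_group(candidate), a, P)

def responder_reply(blinded: int, stored: list, b: int):
    """Responder -> requester: the query raised to b, plus its own
    passwords raised to b in shuffled order. The requester still learns
    how many passwords the responder holds, one form of leakage."""
    doubly_blinded = pow(blinded, b, P)
    own = [pow(hash_to_group(pw), b, P) for pw in stored]
    secrets.SystemRandom().shuffle(own)
    return doubly_blinded, own

def requester_decide(doubly_blinded: int, own: list, a: int) -> bool:
    """Exponentiation commutes, so (H^b)^a == (H^a)^b exactly on a match."""
    return doubly_blinded in {pow(v, a, P) for v in own}

def similar_password_in_use(candidates: list, stored: list) -> bool:
    """Run the exchange once per candidate; both lists are held by
    different parties in practice and meet here only for the demo."""
    b = new_secret()
    for candidate in candidates:
        a = new_secret()  # fresh blinding per query
        reply, own = responder_reply(requester_blind(candidate, a), stored, b)
        if requester_decide(reply, own, a):
            return True
    return False
```

The yes/no answer is itself information about the user's other accounts, which is the leakage the abstract says the rest of the framework is layered on to mitigate.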