Title:
Empirical Measurements of the Security, Privacy, and Usability of Website Password Authentication Workflows
Empirical Measurements of the Security, Privacy, and Usability of Website Password Authentication Workflows
Author(s)
Alroomi, Suood
Advisor(s)
Li, Frank
Editor(s)
Collections
Supplementary to
Permanent Link
Abstract
In an era where digital interactions are integral to daily life, the security and privacy of online authentication mechanisms are crucial for protecting user data and maintaining trust in web services. Passwords, though decades old, remain the most common form of authentication and are likely to stay ubiquitous. Therefore, the web ecosystem’s security depends on how users and websites handle passwords and manage authentication. Researchers have extensively explored user behavior with passwords, offering insights into how websites should handle authentication and leading to significant updates in modern guidelines.
A significant gap remains in understanding how websites handle authentication and whether they adhere to best practices. This dissertation aims to bridge that gap through large-scale empirical measurements of website authentication practices. I develop measurement techniques to systematically evaluate websites’ authentication policies and implementation decisions and apply them at scale to assess their authentication workflows.
I reveal the disparity between modern recommendations and real-world implementations. My studies show that while guidelines inform policy decisions, barriers prevent adopting recent recommendations, highlighting the need for education and outreach efforts. Further, I found poor policy decisions aligning with the default configurations of web software, which often compromise security, privacy, or usability. Updating these defaults to match modern guidelines could significantly reduce vulnerabilities and promote best practices. Moreover, incorporating security features such as blocking common passwords and rate limiting could significantly enhance the security of websites, as many are found lacking these defenses. I also identify concerning practices in authentication workflows, such as insecure communication, misconfigured HTTPS deployments, and mixed content vulnerabilities. While TLS deployment has improved, work remains to migrate all sensitive resources to HTTPS. Standardized authentication workflows with centralized security controls and outreach efforts can further mitigate inconsistencies and improve authentication security.
Sponsor
Date Issued
2024-07-31
Extent
Resource Type
Text
Resource Subtype
Dissertation