Protecting Accounts from Credential Stuffing with Password Breach Alerting

Offered By: USENIX via YouTube

Course Description

Overview

Explore a Distinguished Paper Award-winning conference talk from USENIX Security '19 that delves into a privacy-preserving protocol for protecting accounts from credential stuffing attacks. Learn about the asymmetry of knowledge between attackers and users, and discover how a centralized breach repository can be queried without compromising sensitive information. Examine the implementation of a cloud service accessing over 4 billion breached credentials and a Chrome extension client. Analyze findings from anonymous telemetry involving 670,000 users and 21 million logins, revealing that 1.5% of web logins use breached credentials. Understand the impact of breach alerts on user behavior, with 26% of warnings resulting in password changes. Explore the ethical considerations, principles, and challenges in designing this protocol, including private set intersection and denial of service prevention. Gain insights into Google's strategy, password security state, and the prevalence of credential stuffing threats across the internet.

Syllabus

Introduction
Motivation
Challenge
Research
Google's strategy
Asymmetry of knowledge
Ethics
Principles
User retention
Most predominant threat
How we designed this protocol
Proof of work
Private set intersection
Challenges
Private Center
Denial of Service
Data Source
How we do this
Password Checkup
Breach Response
Warning
Chrome Web Store
Anonymous telemetry
In practice
State of password security
Where is this threat most prominent
The long tail of the Internet
Password strength


Taught by

USENIX
