"I want my money back!" Limiting Online Password-Guessing Financially


Maximilian Golla, Daniel V. Bailey, and Markus Dürmuth, Ruhr-University Bochum


Online password-guessing attacks are a serious threat to the integrity of online accounts. A common defense is rate-limiting, either by slowing down or blocking connections, or by requiring CAPTCHAs to be solved. Each of these options has serious drawbacks: it facilitates denial-of-service attacks, can be circumvented by proxies and CAPTCHA-solving services, and offers poor usability to the legitimate user. Furthermore, guessing attacks are becoming increasingly easy, fueled by recent data breaches containing several hundred million credentials from well-known websites. In this work-in-progress report, we propose an opt-in, deposit-based approach to rate-limiting that tackles online guessing attacks. By demanding a small deposit for each login attempt, which is immediately refunded after a successful sign-in, online guessing attackers face high costs for repeated unsuccessful logins. We provide an initial analysis of suitable payment systems and reasonable deposit values for real-world implementations and discuss the security and usability implications of the system.
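As an added illustration of the escrow-and-refund flow described above (not the authors' code), the toy model below locks a deposit on every login attempt, refunds it on a successful sign-in and forfeits it on failure, so an online guesser's spend grows linearly with wrong guesses while a legitimate user pays only for actual mistakes. The deposit amount, budgets and wordlist are constructed assumptions.

```python
# Toy model of deposit-based login rate-limiting. Added illustration; the
# deposit amount, budgets and wordlist are constructed, not from the paper.
import hashlib
import hmac
import os


class InsufficientDeposit(Exception):
    """Raised when a client cannot cover the per-attempt deposit."""


def make_account(password: str) -> dict:
    # Salted PBKDF2 so the model verifies passwords the way a real site would.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)
    return {"salt": salt, "hash": digest}


def verify(account: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 1000)
    return hmac.compare_digest(candidate, account["hash"])


class DepositGate:
    """Login endpoint that escrows a deposit per attempt: refunded on success,
    forfeited on failure, so N wrong guesses cost N * deposit."""

    def __init__(self, deposit_cents: int):
        self.deposit = deposit_cents
        self.forfeited = 0  # total kept from failed attempts

    def attempt(self, wallet: dict, account: dict, password: str) -> bool:
        if wallet["cents"] < self.deposit:
            raise InsufficientDeposit("cannot cover deposit")
        wallet["cents"] -= self.deposit          # escrow before checking
        if verify(account, password):
            wallet["cents"] += self.deposit      # refund on successful sign-in
            return True
        self.forfeited += self.deposit           # failed guess loses the deposit
        return False


def guessing_attack(gate, account, wordlist, budget_cents):
    """Run an online wordlist attack until success or budget exhaustion.
    Returns (guesses_made, succeeded, attacker_spent_cents)."""
    wallet = {"cents": budget_cents}
    for i, guess in enumerate(wordlist, start=1):
        try:
            if gate.attempt(wallet, account, guess):
                return i, True, budget_cents - wallet["cents"]
        except InsufficientDeposit:
            return i - 1, False, budget_cents - wallet["cents"]
    return len(wordlist), False, budget_cents - wallet["cents"]
```

With a 50-cent deposit and a 100-cent budget the guesser is stopped after two wrong guesses; a legitimate user who signs in correctly ends with the same balance they started with.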


@inproceedings {205714,
title = {"I want my money {back!}" Limiting Online {Password-Guessing} Financially},
booktitle = {Thirteenth Symposium on Usable Privacy and Security (SOUPS 2017)},
year = {2017},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/soups2017/workshop-program/way2017/golla},
publisher = {USENIX Association},
month = jul,