Measuring login webpage security
Paper in proceedings, 2017

Copyright 2017 ACM.

Login webpages are the entry points into sensitive parts of web applications, marking the divide between public access to a website and private, user-specific access to the website's resources. As such, these entry points must be guarded with great care. The vast majority of today's websites rely on text-based username/password pairs for user authentication. While much prior research has focused on the strengths and weaknesses of textual passwords, this paper puts a spotlight on the security of the login webpages themselves. We conduct an empirical study of the Alexa top 100,000 pages to identify login pages and scrutinize their security. Our findings show several widespread vulnerabilities, such as possibilities for password leaks to third parties and password eavesdropping on the network. They also show that only a scarce number of login pages deploy advanced security measures. Our findings on open-source web frameworks and content management systems confirm the lack of support against the login attacker. To ameliorate the problematic state of the art, we discuss measures to improve the security of login pages.

Login page

Large-scale study

Web security

Attacker models

Author

Steven Van Acker (Information Security)

Daniel Hausknecht (Information Security)

Andrei Sabelfeld (Information Security)

Proceedings of the ACM Symposium on Applied Computing

Vol. Part F128005 1753-1760

Subject Categories

Computer and Information Science

DOI

10.1145/3019612.3019798

ISBN

978-145034486-9

More information

Created

10/8/2017