The focus of the talk, however, will be a measurement study we performed of the University of Chicago’s vulnerability to credential-guessing attacks across twenty years. Given a list of university usernames, we searched for matches in data breaches from hundreds of websites. Ultimately, we successfully guessed passwords for thousands of UChicago affiliates. I will conclude my talk by discussing our parallel investigations of FIDO2 passwordless authentication, including analyzing why passkeys have not yet replaced passwords for web authentication.
