# Protocols for Checking Compromised Credentials

**Authors:** Lucy Li, Bijeeta Pal, Junade Ali, Nick Sullivan, Rahul Chatterjee, Thomas Ristenpart

arXiv: 1905.13737 · 2019-09-05

## TL;DR

This paper formalizes compromised credential checking services, analyzes their security risks, and proposes new protocols that enhance password secrecy while remaining practical for deployment.

## Contribution

It provides the first formal framework for C3 services, analyzes leakage risks, and introduces two improved protocols for better password protection.

## Key findings

- Sharing a hash prefix leaks information: in some contexts it makes remote guessing attacks up to 12x more effective
- Proposed protocols improve password secrecy
- Protocols are practical to implement

## Abstract

To prevent credential stuffing attacks, industry best practice now proactively checks if user credentials are present in known data breaches. Recently, some web services, such as HaveIBeenPwned (HIBP) and Google Password Checkup (GPC), have started providing APIs to check for breached passwords. We refer to such services as compromised credential checking (C3) services. We give the first formal description of C3 services, detailing different settings and operational requirements, and we give relevant threat models. One key security requirement is the secrecy of a user's passwords that are being checked. Current widely deployed C3 services have the user share a small prefix of a hash computed over the user's password. We provide a framework for empirically analyzing the leakage of such protocols, showing that in some contexts knowing the hash prefixes leads to a 12x increase in the efficacy of remote guessing attacks. We propose two new protocols that provide stronger protection for users' passwords, implement them, and show experimentally that they remain practical to deploy.
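As an added illustration of the hash-prefix protocol the abstract refers to, and of why the shared prefix is a leak, the following Python was written for this summary and is not code from the paper or from HIBP. It models HIBP's publicly documented range API (the client sends the first 5 hex digits, i.e. 20 bits, of an uppercase SHA-1 digest; the server returns every stored suffix in that bucket; the client finishes the comparison locally). The breach corpus and the attacker's ranked dictionary are constructed toy data, and the attacker model (a party who has learned the prefix, such as the C3 server itself or whoever compromises it, and prunes a ranked guessing dictionary) is a simplification of the paper's threat model.

```python
import hashlib
from typing import Dict, List, Set

# Constructed example data: a toy "breach corpus" standing in for the
# C3 server's database of leaked passwords, and a ranked dictionary an
# online attacker would try in order. Neither is real breach data.
BREACH_CORPUS = [
    "123456", "password", "qwerty", "letmein", "dragon",
    "iloveyou", "monkey", "football", "sunshine", "princess",
]
ATTACKER_DICTIONARY = BREACH_CORPUS + ["admin123", "welcome1", "abc123"]

# HIBP's range API is keyed on the first 5 hex digits (20 bits) of the
# uppercase SHA-1 hex digest; everything after that stays on the client.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the hash the k-anonymity range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_buckets(corpus: List[str]) -> Dict[str, Set[str]]:
    """Server side: index leaked hashes by prefix so one query returns one bucket."""
    buckets: Dict[str, Set[str]] = {}
    for pw in corpus:
        h = sha1_hex(pw)
        buckets.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return buckets


def server_range_query(buckets: Dict[str, Set[str]], prefix: str) -> List[str]:
    """Server side: the prefix is all the server ever sees of the client's password."""
    return sorted(buckets.get(prefix, set()))


def client_check(buckets: Dict[str, Set[str]], password: str) -> bool:
    """Client side: send the prefix, receive the bucket, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in server_range_query(buckets, prefix)


def attacker_prune(dictionary: List[str], observed_prefix: str) -> List[str]:
    """Attacker who learned the prefix drops every candidate whose hash cannot
    match it, keeping the dictionary's original (likelihood) order."""
    return [pw for pw in dictionary if sha1_hex(pw).startswith(observed_prefix)]


def guesses_until_hit(dictionary: List[str], target: str) -> int:
    """Online guesses spent before the target is hit (0 = not in the list)."""
    try:
        return dictionary.index(target) + 1
    except ValueError:
        return 0


if __name__ == "__main__":
    buckets = build_buckets(BREACH_CORPUS)
    print("'password' breached:", client_check(buckets, "password"))
    print("passphrase breached:", client_check(buckets, "correct horse battery staple"))

    # Leakage: the user's real password is "football" and the attacker saw its prefix.
    leaked = sha1_hex("football")[:PREFIX_LEN]
    pruned = attacker_prune(ATTACKER_DICTIONARY, leaked)
    print("guesses needed without prefix:", guesses_until_hit(ATTACKER_DICTIONARY, "football"))
    print("guesses needed with prefix:   ", guesses_until_hit(pruned, "football"))
```

The check itself never reveals the full hash to the server, which is the property the k-anonymity design advertises. The pruning step is the cost: a 20-bit prefix leaves on average only about N / 2^20 of an N-entry dictionary consistent with what the server learned, so a guesser who must stay within a small online budget now spends it only on candidates that can actually be right. How much that raises success probability depends on the guess budget and on the real password distribution, which is exactly what the paper's leakage framework measures for actual deployments.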

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1905.13737/full.md

## Figures

13 figures with captions in the complete paper: https://tomesphere.com/paper/1905.13737/full.md

## References

51 references — full list in the complete paper: https://tomesphere.com/paper/1905.13737/full.md

---
Source: https://tomesphere.com/paper/1905.13737