Biblio

Phishing is a frequent assault in which unsuspecting people’s unique, private, and sensitive information is stolen through fake websites. The primary objective of phishing websites’consistent resource allocators isto steal unique, private, and sensitive information such as user login passwords and online financial transactions. Phishers construct phony websites that look and sound just like genuine things. With the advent of technology, there are protecting users significantly increased in phishing methods. It necessitates the development of an anti-phishing technology to identify phishing and protect users. Machine learning is a useful technique for combating phishing attempts. These articles were utilized to examine Machine learning for detection strategies and characteristics.

The utilization of "cloud storage services (CSS)", empowering people to store their data in cloud and avoid from maintenance cost and local data storage. Various data integrity auditing (DIA) frameworks are carried out to ensure the quality of data stored in cloud. Mostly, if not all, of current plans, a client requires to utilize his private key (PK) to generate information authenticators for knowing the DIA. Subsequently, the client needs to have hardware token to store his PK and retain a secret phrase to actuate this PK. In this hardware token is misplaced or password is forgotten, the greater part of existing DIA plans would be not able to work. To overcome this challenge, this research work suggests another DIA without "private key storage (PKS)"plan. This research work utilizes biometric information as client's fuzzy private key (FPK) to evade utilizing hardware token. In the meantime, the plan might in any case viably complete the DIA. This research work uses a direct sketch with coding and mistake correction procedures to affirm client identity. Also, this research work plan another mark conspire that helps block less. Verifiability, yet in addition is viable with linear sketch Keywords– Data integrity auditing (DIA), Cloud Computing, Block less Verifiability, fuzzy biometric data, secure cloud storage (SCS), key exposure resilience (KER), Third Party Auditor (TPA), cloud audit server (CAS), cloud storage server (CSS), Provable Data Possession (PDP)

This project develops a face recognition-based door locking system with two-factor authentication using OpenCV. It uses Raspberry Pi 4 as the microcontroller. Face recognition-based door locking has been around for many years, but most of them only provide face recognition without any added security features, and they are costly. The design of this project is based on human face recognition and the sending of a One-Time Password (OTP) using the Twilio service. It will recognize the person at the front door. Only people who match the faces stored in its dataset and then inputs the correct OTP will have access to unlock the door. The Twilio service and image processing algorithm Local Binary Pattern Histogram (LBPH) has been adopted for this system. Servo motor operates as a mechanism to access the door. Results show that LBPH takes a short time to recognize a face. Additionally, if an unknown face is detected, it will log this instance into a "Fail" file and an accompanying CSV sheet.

In recent years, blockchain-based cryptocurren-cies have attracted much attention. Attacks targeting cryptocurrencies and related services directly profit an attacker if successful. Related studies have reported attacks targeting configuration-vulnerable nodes in Ethereum using a method called honeypots to observe malicious user attacks. They have analyzed 380 million observed requests and showed that attacks had to that point taken at least 4193 Ether. However, long-term observations using honeypots are difficult because the cost of maintaining honeypots is high. In this study, we analyze the behavior of malicious users using our honeypot system. More precisely, we clarify the pre-investigation that a malicious user performs before attacks. We show that the cost of maintaining a honeypot can be reduced. For example, honeypots need to belong in Ethereum's P2P network but not to the mainnet. Further, if they belong to the testnet, the cost of storage space can be reduced.

A secure hash code or message authentication code is a one-way hash algorithm. It is producing a fixed-size hash function to be used to check verification, the integrity of electronic data, password storage. Numerous researchers have proposed hashing algorithms. They have a very high time complexity based on several steps, initial value, and key constants which are publically known. We are focusing here on the many exiting algorithms that are dependent on the initial value and key constant usage to increasing the security strength of the hash function which is publically known. Therefore, we are proposing autonomous initial value proposed secure hash algorithm (AIVPSHA64) in this research paper to produce sixty-four-bit secure hash code without the need of initial value and key constant, it is very useful for a smart card to verify their identity which has limited memory space. Then evaluate the performance of hash function using autonomous initial value proposed secure hash algorithm (AIVPSHA64) and will compare the result, which is found by python-3.9.0 programming language.

Nowadays, the increasing complexity of digital applications for social and business activities has required more and more advanced mechanisms to prove the identity of subjects like those based on the Two-Factor Authentication (2FA). Such an approach improves the typical authentication paradigm but it has still some weaknesses. Specifically, it has to deal with the disadvantages of a centralized architecture causing several security threats like denial of service (DoS) and man-in-the-middle (MITM). In fact, an attacker who succeeds in violating the central authentication server could be able to impersonate an authorized user or block the whole service. This work advances the state of art of 2FA solutions by proposing a decentralized Microservices and Blockchain Based One Time Password (MBB-OTP) protocol for security-enhanced authentication able to mitigate the aforementioned threats and to fit different application scenarios. Experiments prove the goodness of our MBB-OTP protocol considering both private and public Blockchain configurations.

To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts. Ideally, affected companies should strongly encourage this behavior and have mechanisms in place to mitigate harm. In order to make recommendations to companies about how to help their users perform these and other security-enhancing actions after breaches, we must first have some understanding of the current effectiveness of companies’ post-breach practices. To study the effectiveness of password-related breach notifications and practices enforced after a breach, we examine—based on real-world password data from 249 participants—whether and how constructively participants changed their passwords after a breach announcement. Of the 249 participants, 63 had accounts on breached domains; only 33% of the 63 changed their passwords and only 13% (of 63) did so within three months of the announcement. New passwords were on average 1.3× stronger than old passwords (when comparing log10-transformed strength), though most were weaker or of equal strength. Concerningly, new passwords were overall more similar to participants’ other passwords, and participants rarely changed passwords on other sites even when these were the same or similar to their password on the breached domain. Our results highlight the need for more rigorous passwordchanging requirements following a breach and more effective breach notifications that deliver comprehensive advice.

Security and usability are two essential aspects of a system, but they usually move in opposite directions. Sometimes, to achieve security, usability has to be compromised, and vice versa. Password-based authentication systems require both security and usability. However, to increase password security, absurd rules are introduced, which often drive users to compromise the usability of their passwords. Users tend to forget complex passwords and use techniques such as writing them down, reusing them, and storing them in vulnerable ways. Enhancing the strength while maintaining the usability of a password has become one of the biggest challenges for users and security experts. In this paper, we define the pronounceability of a password as a means to measure how easy it is to memorize - an aspect we associate with usability. We examine a dataset of more than 7 million passwords to determine whether the usergenerated passwords are secure. Moreover, we convert the usergenerated passwords into phonemes and measure the pronounceability of the phoneme-based representations. We then establish a relationship between the two and suggest how password creation strategies can be adapted to better align with both security and usability.

“Phishing emails” are phishing emails with illegal links that direct users to pages of some real websites that are spoofed, or pages where real HTML has been inserted with dangerous HTML code, so as to deceive users' private information such as bank or credit card account numbers, email account numbers, and passwords. People are the most vulnerable part of security. Phishing emails use human weaknesses to attack. This article describes the application of the principle of persuasion in phishing emails, and based on the existing methods, this paper proposes a phishing email detection method based on the persuasion principle. The principle of persuasion principle is to count whether the corresponding word of the feature appears in the mail. The feature is selected using an information gain algorithm, and finally 25 features are selected for detection. Finally experimentally verified, accuracy rate reached 99.6%.

Current paradigms for client-server authentication often rely on username/password schemes. Studies show such schemes are increasingly vulnerable to heuristic and brute-force attacks. This is either due to poor practices by users such as insecure weak passwords, or insecure systems by server operators. A recurring problem in any system which retains information is insecure management policies for sensitive information, such as logins and passwords, by both hosts and users. Increased processing power on the horizon also threatens the security of many popular hashing algorithms. Furthermore, increasing reliance on applications that exchange sensitive information has resulted in increased urgency. This is demonstrated by a large number of mobile applications being deemed insecure by Open Web Application Security Project (OWASP) standards. This paper proposes a secure alternative technique of authentication that retains the current ecosystem, while minimizes attack vectors without inflating responsibilities on users or server operators. Our proposed authentication scheme uses layered encryption techniques alongside a two-part verification process. In addition, it provides dynamic protection for preventing against common cyber-attacks such as replay and man-in-the-middle attacks. Results show that our proposed authentication mechanism outperform other schemes in terms of deployability and resilience to cyber-attacks, without inflating transaction's speed.

Abstract Despite decades of research into developing abstract security advice and improving interfaces, users still struggle to make passwords. Users frequently create passwords that are predictable for attackers [1, 9] or make other decisions (e.g., reusing the same password across accounts) that harm their security [2, 8]. In this thesis,1 I use data-driven methods to better understand how users choose passwords and how attackers guess passwords. I then combine these insights into a better password-strength meter that provides real-time, data-driven feedback about the user's password. I first quantify the impact on password security and usability of showing users different password-strength meters that score passwords using basic heuristics. I find in a 2,931- participant online study that meters that score passwords stringently and present their strength estimates visually lead users to create stronger passwords without significantly impacting password memorability [6]. Second, to better understand how attackers guess passwords, I perform comprehensive experiments on password-cracking approaches. I find that simply running these approaches in their default configuration is insufficient, but considering multiple well-configured approaches in parallel can serve as a proxy for guessing by an expert in password forensics [9]. The third and fourth sections of this thesis delve further into how users choose passwords. Through a series of analyses, I pinpoint ways in which users structure semantically significant content in their passwords [7]. I also examine the relationship between users' perceptions of password security and passwords' actual security, finding that while users often correctly judge the security impact of individual password characteristics, wide variance in their understanding of attackers may lead users to judge predictable passwords as sufficiently strong [5]. Finally, I integrate these insights into an open-source2 password-strength meter that gives users data-driven feedback about their specific password. This meter uses neural networks [3] and numerous carefully combined heuristics to score passwords and generate data-driven text feedback about a given password. I evaluate this meter through a ten-participant laboratory study and 4,509-participant online study [4]. Under the more common password-composition policy we tested, we find that the data-driven meter with detailed feedback leads users to create more secure, and no less memorable, passwords than a meter with only a bar as a strength indicator. In sum, the objective of this thesis is to demonstrate how integrating data-driven insights about how users create and how attackers guess passwords into a tool that presents real-time feedback can help users make better passwords.

Despite their ubiquity, many password meters provide inaccurate strength estimates. Furthermore, they do not explain to users what is wrong with their password or how to improve it. We describe the development and evaluation of a data-driven password meter that provides accurate strength measurement and actionable, detailed feedback to users. This meter combines neural networks and numerous carefully combined heuristics to score passwords and generate data-driven text feedback about the user's password. We describe the meter's iterative development and final design. We detail the security and usability impact of the meter's design dimensions, examined through a 4,509-participant online study. Under the more common password-composition policy we tested, we found that the data-driven meter with detailed feedback led users to create more secure, and no less memorable, passwords than a meter with only a bar as a strength indicator.

Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood. We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Key aspects of our contributions rest on our (indirect) access to plaintext passwords. We describe our data collection methodology, particularly the many precautions we took to minimize risks to users. We then analyze how guessable the collected passwords would be during an offline attack by subjecting them to a state-of-the-art password cracking algorithm. We discover significant correlations between a number of demographic and behavioral factors and password strength. For example, we find that users associated with the computer science school make passwords more than 1.5 times as strong as those of users associated with the business school. while users associated with computer science make strong ones. In addition, we find that stronger passwords are correlated with a higher rate of errors entering them. We also compare the guessability and other characteristics of the passwords we analyzed to sets previously collected in controlled experiments or leaked from low-value accounts. We find more consistent similarities between the university passwords and passwords collected for research studies under similar composition policies than we do between the university passwords and subsets of passwords leaked from low-value accounts that happen to comply with the same policies.