Passwords and Bicycle Attacks

In cybersecurity, a bicycle attack is a data leak caused by a security weakness that discloses password length through encrypted traffic. The term was coined by Vranken (2016), who observed that unpadded SSL traffic can disclose information about the length of passwords. He named this phenomenon the “bicycle attack,” referring to the principle that a bicycle wrapped as a gift still retains its original shape, so despite the wrapping it is easy to deduce what the gift is. In short, the principle applies to a weakness observed in some encryption schemes: sensitive information, such as the type and length of a text before encryption, can be inferred from its ciphertext.

For this reason, Harsha et al. (2021) raised two research questions: 1) How many Internet pages are potentially at risk and thus vulnerable to bicycle attacks? 2) How can the leakage of password length information affect the fraction of passwords a hacker would crack in an online or offline attack? Briefly, the researchers aim to quantify both the prevalence of password length information leaks and the harm this can cause to users of these websites.

The authors carried out several analyses covering different types of attackers (hacker, criminal, and nation-state). They concluded that, in all the cases observed, an attacker who knows the length of each password gains an advantage over an attacker who does not have this information.

To counter this significant risk to users’ security, the authors propose a new W3C standard governing how web page administrators handle password input fields. It is intended to eliminate most password length information leaks.
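The leak described above, and how padding the request before encryption removes it, shown as an added example that is not taken from the paper. The toy cipher, the form layout, the username `alice`, the `pad` field and the 128-byte body size are all assumptions made for illustration.

```python
import hashlib, hmac, os
from urllib.parse import urlencode

NONCE_LEN, TAG_LEN = 12, 16   # fixed per-record overhead, as with an AEAD cipher
BODY_LEN = 128                # assumed fixed size of a padded login body

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy length-preserving cipher: SHAKE-256 keystream XOR plus HMAC tag.
    A stand-in for an unpadded TLS record, not a real TLS implementation."""
    nonce = os.urandom(NONCE_LEN)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag

def login_body(user: str, password: str, pad: bool = False) -> bytes:
    """Form-encoded login request; with pad=True a filler field brings
    every body to exactly BODY_LEN bytes before encryption."""
    body = urlencode({"user": user, "password": password})
    if pad:
        filler = BODY_LEN - len(body) - len("&pad=")
        if filler < 0:
            raise ValueError("credentials exceed the fixed body size")
        body += "&pad=" + "x" * filler
    return body.encode()

def inferred_password_len(record_len: int, user: str) -> int:
    """What an observer who knows the username and form layout derives from
    the ciphertext length alone (exact for alphanumeric passwords; other
    characters are percent-encoded to three bytes each)."""
    known = len(urlencode({"user": user, "password": ""}))
    return record_len - NONCE_LEN - TAG_LEN - known

def observe(passwords, pad):
    """Ciphertext lengths seen on the wire for each login."""
    key = os.urandom(32)
    return [len(encrypt(key, login_body("alice", p, pad))) for p in passwords]

SAMPLE = ["hunter2", "correcthorsebattery", "Tr0ub4dor3"]  # constructed passwords

if __name__ == "__main__":
    for p, n in zip(SAMPLE, observe(SAMPLE, pad=False)):
        print(f"actual={len(p):2d} inferred={inferred_password_len(n, 'alice'):2d}")
    print("padded record sizes:", set(observe(SAMPLE, pad=True)))
```

Without padding the inferred length matches the real one for every sample password; with padding all records have the same size, so the length carries no information.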

This article makes a significant contribution, both empirical and practical. Data breaches and identity theft are still often perpetrated through password theft. An advantage such as knowing the initial length of the password to be stolen gives criminals an edge in the rest of the decoding to be carried out. In addition to illustrating the importance of the problem, the authors provide solutions to counter it.

To cite: Harsha, B., Morton, R., Blocki, J., Springer, J., Dark, M. (2021). Bicycle attacks considered harmful: Quantifying the damage of widespread password length leakage. Computers & Security, 100. https://doi.org/10.1016/j.cose.2020.102068