Research Directions in Password Security
Cloudflare Research is exploring how to minimize password exposure and thwart password attacks, particularly credential stuffing attacks. These occur when attackers test breached credentials against multiple online login systems in an attempt to hijack user accounts. The blog post discusses two different approaches: hardening password systems using cryptographically secure keys (PAKEs) and detecting the reuse of compromised credentials. Cloudflare has recently rolled out the Exposed Credential Checks feature on the Web Application Firewall (WAF), which can alert the origin if a user’s login credentials have appeared in a recent breach. The company is also analyzing data logged by this feature to find patterns of different types of credential stuffing attacks that can be generalized to form attack fingerprints.
Company
Cloudflare
Date published
Oct. 14, 2021
Author(s)
Ian McQuoid, Marina Sanusi, Tara Whalen
Word count
2443
Hacker News points
None found.
Language
English