{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,4]],"date-time":"2026-03-04T17:15:12Z","timestamp":1772644512634,"version":"3.50.1"},"reference-count":73,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"name":"Institute of Information and Communications Technology Planning and Evaluation"},{"name":"Korean Government through Ministry of Science and ICT (MSIT) (Artificial Intelligence","award":["2022-0-00688"],"award-info":[{"award-number":["2022-0-00688"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Access"],"published-print":{"date-parts":[[2023]]},"DOI":"10.1109\/access.2023.3343411","type":"journal-article","created":{"date-parts":[[2023,12,15]],"date-time":"2023-12-15T19:45:07Z","timestamp":1702669507000},"page":"141610-141627","source":"Crossref","is-referenced-by-count":3,"title":["An Empirical Analysis of Incorrect Account Remediation in the Case of Broken Authentication"],"prefix":"10.1109","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-2173-5803","authenticated-orcid":false,"given":"Jeongho","family":"Lee","sequence":"first","affiliation":[{"name":"Department of Electrical and Computer Engineering, Sungkyunkwan University, Suwon, South Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5342-5913","authenticated-orcid":false,"given":"Hyoung-Kee","family":"Choi","sequence":"additional","affiliation":[{"name":"College of Software, Sungkyunkwan University, Suwon, South Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jin Hee","family":"Yoon","sequence":"additional","affiliation":[{"name":"Department of Computer 
Science and Engineering, Sungkyunkwan University, Suwon, South Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Seongjune","family":"Kim","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, Sungkyunkwan University, Suwon, South Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","volume-title":"OWASP Top Ten","year":"2021"},{"key":"ref2","volume-title":"Slack Vulnerability Allowed Hackers to Hijack Accounts","year":"2020"},{"key":"ref3","volume-title":"Exchange\/Outlook Autodiscover Bug Spills 100K+ Email Passwords","year":"2021"},{"key":"ref4","volume-title":"Norton LifeLock Says 925,000 Accounts Targeted By Credential-Stuffing Attacks","year":"2023"},{"key":"ref5","volume-title":"A Comparison of Cookies and Tokens for Secure Authentication","year":"2022"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.33"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.49"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1155\/2021\/6245306"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.03.003"},{"key":"ref10","volume-title":"Stateful and Stateless Applications and its Best Practices","year":"2022"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7519"},{"key":"ref12","first-page":"1","article-title":"There is no free phish: An analysis of \u2018free\u2019 and live phishing kits","volume-title":"Proc. 
2nd USENIX Workshop Off.","volume":"8","author":"Cova"},{"key":"ref13","article-title":"Breaking the target: An analysis of target data breach and lessons learned","author":"Shu","year":"2017","journal-title":"arXiv:1701.04940"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.3390\/fi11040089"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1016\/j.im.2015.03.002"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133973"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/2220352.2220353"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897889"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/3488932.3497756"},{"key":"ref20","volume-title":"Check If Your Email Has Been Compromised in a Data Breach","year":"2023"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2018.09.064"},{"key":"ref22","first-page":"257","article-title":"Alice in warningland: A large-scale field study of browser security warning effectiveness","volume-title":"Proc. 22nd USENIX Conf. Secur.","author":"Akhawe"},{"key":"ref23","first-page":"1556","article-title":"Protecting accounts from credential stuffing with password breach alerting","volume-title":"Proc. 28th USENIX Conf. Secur.","author":"Thomas"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2010.27"},{"key":"ref25","first-page":"132","article-title":"OWASP cheat sheets","author":"Woschek","year":"2015","journal-title":"OWASP Found."},{"key":"ref26","volume-title":"Top 200 Sites on the Web","year":"2022"},{"key":"ref27","volume-title":"Top Apps Ranking","year":"2023"},{"key":"ref28","volume-title":"Web Apps vs. Native Apps vs. Hybrid Apps\u2014Difference Between Types of Web and Mobile Applications","year":"2023"},{"key":"ref29","volume-title":"Stateful vs. 
Stateless Web App Design","year":"2023"},{"key":"ref30","volume-title":"Integrate Play Games Services With Existing Identity Solution","year":"2022"},{"key":"ref31","volume-title":"Sign Me Out","year":"2023"},{"key":"ref32","author":"Kumar","year":"2021","journal-title":"Reissue JSON Web Token (JWT) With Sliding Expiration Using ASP. NET Core"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484791"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313481"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-181149"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417869"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131404"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978339"},{"key":"ref39","first-page":"1019","article-title":"Ara\u00f1a: Discovering and characterizing password guessing attacks in practice","volume-title":"Proc. 32nd USENIX Conf. Secur.","author":"Islam"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-16-8826-3_44"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134067"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2018.03.015"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653738"},{"key":"ref44","article-title":"The race to the vulnerable: Measuring the Log4j shell incident","author":"Hiesgen","year":"2022","journal-title":"arXiv:2205.02544"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485384"},{"key":"ref46","first-page":"511","article-title":"When governments hack opponents: A look at actors and technology","volume-title":"Proc. 23rd USENIX Conf. 
Secur.","author":"Marczak"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313489"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/3106426.3106543"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987475"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1145\/3321705.3329818"},{"key":"ref51","first-page":"735","article-title":"A case study of credential stuffing attack: Canva data breach","volume-title":"Proc. Int. Conf. Comput. Sci. Comput. Intell. (CSCI)","author":"Ba"},{"key":"ref52","first-page":"2201","article-title":"Detecting stuffing of a user\u2019s credentials at her own accounts","volume-title":"Proc. 29th USENIX Conf. Secur.","author":"Wang"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354229"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00056"},{"key":"ref55","first-page":"1831","article-title":"Might I get Pwned: A second generation compromised credential checking service","volume-title":"Proc. 31th USENIX Conf. Secur.","author":"Pal"},{"key":"ref56","first-page":"21","article-title":"Who are you? A statistical approach to measuring user authenticity","volume-title":"Proc. NDSS","author":"Freeman"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1080\/08839514.2020.1782002"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00059"},{"key":"ref59","first-page":"155","article-title":"Users\u2019 perceptions of Chrome compromised credential notification","volume-title":"Proc. 18th USENIX Conf. Usable Priv. Secur.","author":"Huang"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2010.198"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.24"},{"key":"ref62","first-page":"89","article-title":"A comprehensive quality evaluation of security and privacy advice on the web","volume-title":"Proc. 29th USENIX Conf. 
Secur.","author":"Redmiles"},{"key":"ref63","first-page":"359","article-title":"Investigating web service account remediation advice","volume-title":"Proc. 17th USENIX Conf. Usable Priv. Secur.","author":"Neil"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.44"},{"key":"ref65","first-page":"227","article-title":"Adventures in recovery land: Testing the account recovery of popular websites when the second factor is lost","volume-title":"Proc. 19th USENIX Conf. Usable Priv. Secur.","author":"Gerlitz"},{"key":"ref66","first-page":"387","article-title":"I\u2019m too busy to reset my LinkedIn password: On the effectiveness of password reset emails","volume-title":"Proc. CHI Conf. Human Factors Comput. Syst.","author":"Huh"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.9"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/EISIC.2016.035"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-80825-9_1"},{"key":"ref70","first-page":"863","article-title":"How are your zombie accounts? Understanding users\u2019 practices and expectations on mobile app account deletion","volume-title":"Proc. 31th USENIX Conf. Secur.","author":"Liu"},{"key":"ref71","first-page":"1475","article-title":"O single sign-off where art thou? An empirical analysis of single sign-on account hijacking and session management on the web","volume-title":"Proc. 27th USENIX Conf. Secur.","author":"Ghasemisharif"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833753"},{"key":"ref73","first-page":"1795","article-title":"Pre-hijacked accounts: An empirical study of security failures in user account creation on the web","volume-title":"Proc. 31th USENIX Conf. 
Secur.","author":"Sudhodanan"}],"container-title":["IEEE Access"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/6287639\/10005208\/10360844.pdf?arnumber=10360844","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,1,12]],"date-time":"2024-01-12T19:58:59Z","timestamp":1705089539000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10360844\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"references-count":73,"URL":"https:\/\/doi.org\/10.1109\/access.2023.3343411","relation":{},"ISSN":["2169-3536"],"issn-type":[{"value":"2169-3536","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023]]}}}