Detecting Potentially Compromised Credentials in a Large-Scale Production Single-Signon System

We posit that potentially compromised credentials are detectable by analyzing the system artifacts of a large-scale production, single-signon system. With permission from the Defense Manpower Data Center, we analyze a year s worth of system artifacts produced by the Department of Defense Self-Service Logon system. Using industry standard tools and descriptive statistics we develop a repeatable process that identifies potentially compromised credentials. We look for characteristics that coincide with compromised credentials and evaluate our approach by obtaining the ground truth on several of the credentials we identify.