DOCSLIB.ORG

Stronger Password Authentication Using Browser Extensions∗

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Stronger Password Authentication Using Browser Extensions∗ Stronger Password Authentication Using Browser Extensions∗ Blake Ross Collin Jackson Nick Miyake [email protected] [email protected] [email protected] Dan Boneh John C Mitchell [email protected] [email protected] Abstract hackers to break into a low security site that simply stores username/passwords in the clear and use the We describe a browser extension, PwdHash, retrieved passwords at a high security site, such as that transparently produces a different password for a bank. This attack, which requires little work, can each site, improving web password security and de- lead to the theft of thousands of banking passwords. fending against password phishing and other attacks. While password authentication could be abandoned Since the browser extension applies a cryptographic in favor of hardware tokens or client certificates, both hash function to a combination of the plaintext pass- options are difficult to adopt because of the cost and word entered by the user, data associated with the inconvenience of hardware tokens and the overhead web site, and (optionally) a private salt stored on the of managing client certificates. client machine, theft of the password received at one site will not yield a password that is useful at an- In this paper, we describe the design, user in- other site. While the scheme requires no changes on terface, and implementation of a browser extension, the server side, implementing this password method PwdHash, that strengthens web password authen- securely and transparently in a web browser exten- tication. We believe that by providing customized sion turns out to be quite difficult. We describe the passwords, preferably over SSL, we can reduce the challenges we faced in implementing PwdHash and threat of password attacks with no server changes some techniques that may be useful to anyone facing and little or no change to the user experience. Since similar security issues in a browser environment. the users who fall victim to many common attacks are technically unsophisticated, our techniques are 1 Introduction designed to transparently provide novice users with the benefits of password practices that are otherwise Although techniques such as SSL/TLS with only feasible for security experts. We have experi- client-side certificates [DA99] are well known in the mented with Internet Explorer and Mozilla Firefox security research community, most commercial web implementations and report the result of initial user sites rely on a relatively weak form of password au- studies. thentication: the browser simply sends a user’s plain- text password to a remote web server, often using In essence, our password hashing method is ex- SSL. Even when used over an encrypted connection, tremely simple: rather than send the user’s cleartext this form of password authentication is vulnerable to password to a remote site, we send a hash value de- attack. In phishing scams, an attacker sets up a web rived from the user’s password, pwd, and the site do- site that masquerades as a legitimate site. By tricking main name. Specifically, PwdHash captures all user a user, the phishing site obtains the user’s cleartext input to a password field and sends hash(pwd,dom) password for the legitimate site. Phishing has proven to the remote site, where dom is derived from the do- surprisingly effective at stealing user passwords, as main name of the remote site. We refer to dom as documented in reports from the anti-phishing work- the salt. The hash is implemented using a Pseudo ing group [APW]. In common password attacks, Random Function keyed by the password, as de- hackers exploit the fact that web users often use the scribed in Section 3. Since the hash output is tailored same password at many different sites. This allows to meet server password requirements, the resulting hashed password is handled normally at the server; ∗Supported by NSF through the PORTIA project. no server modifications are required. This technique USENIX Association 14th USENIX Security Symposium 17 deters password phishing since the password received 2 Challenges at a phishing site is not useful at any other domain. We begin with a description of various chal- The cryptographic hash makes it difficult to compute lenges associated with implementing password hash- hash(pwd,dom2) from hash(pwd,dom1) for any do- ing in a web browser extension. Although our im- main dom2 distinct from dom1. For the same reason, plementations are for Internet Explorer and Mozilla passwords gathered by breaking into a low security Firefox, these difficulties may arise in any contempo- site are not useful at any other site, thus protecting rary browser. financial institutions from sites with lax security (e.g. those coordinating high school reunions). • JavaScript attacks. How do we prevent The main idea of password hashing, which is JavaScript on a phishing page from stealing the attractively simple, has been explored in previous user’s cleartext password? projects (discussed in Section 8). The focus of this paper is on the implementation of password hashing • Salting. What information do we use as as a secure and transparent extension (i.e. plug-in) to the salt when hashing passwords? For ex- modern browsers. Password hashing is a seductively ample, should we use the name of the do- simple concept in theory that is surprisingly challeng- main that will receive the form data, or should ing to implement in practice, both technically and in we use the domain that is hosting the lo- terms of the user experience. First, password hashing gin form? How do we ensure that the same alone is not a sufficient deterrent against phishing due salt is used for both www.amazon.com and to the considerable power afforded to web develop- www.amazon.co.uk? ers in modern browsers. For example, JavaScript on phishing pages could potentially intercept the user’s • Encoding. How do we encode the hashed cleartext password before it is hashed, whether it is value to comply with the site’s password re- typed in by the user or pasted from the clipboard. quirements? Some sites require passwords to Since these types of interactions will also raise prob- contain non-alphanumeric characters, while oth- lems for a range of other possible browser extension ers reject such passwords. projects, we expect the solutions we developed to be • Auto-complete. Our extension must be compat- relevant to other browser-based projects. And sec- ible with the password auto-complete database ond, simple ideas do not necessarily translate into and other browser features. simple user experiences. For example, the exten- sion must recognize which user input to hash. If a • Password reset. After the PwdHash extension user wishes to start using our extension, for exam- is installed, it must help users update their pass- ple, she will have to visit the change-password page words at websites they frequent to the hashed for her existing accounts and indicate to the exten- counterparts. sion to hash the new password she types in, but not the old. This is a new and potentially jarring step for • Roaming. Some users are not able or permitted novice users, but the extension cannot simply hash to install extensions at every computer they use. both password entries. We must nevertheless enable these users to log in. To summarize, our goals in the design and im- plementation of PwdHash are to strengthen pass- • Dictionary attacks. Phishing sites obtain a hash word authentication using a browser extension such of the user’s password that could be vulnerable that: (1) we introduce little or no change to the to a dictionary attack. How do we reduce the user experience, and (2) we require no server-side effectiveness of dictionary attacks? changes. Section 2 summarizes the main challenges we faced in building PwdHash, while sections 3 Conceptually, these problems fall into three cate- through 5 present solutions to these challenges. Sec- gories. Salting, encoding, and dictionary attacks are tion 6 discusses specifics of the Internet Explorer implementation decisions for the password hashing and Mozilla Firefox implementations and section 7 function itself; JavaScript and auto-complete are ex- briefly summarizes the results of our user studies. amples of general problems associated with execut- Some forms of password hashing have been used in ing in the browser environment; and password reset other systems; we survey the related work in Sec- and roaming are user experience issues. We discuss tion 8. solutions to these problems by category, beginning with defenses against JavaScript attacks. 18 14th USENIX Security Symposium USENIX Association We emphasize that we are only concerned with phisher obtains the user’s cleartext password. attacks on our extension that originate on malicious • Domain rewriting. phishing sites. Our extension is not designed to de- When the page is first fend against spyware and keyboard loggers running loaded, the form action attribute can point to a as other browser extensions or elsewhere on the user’s proper banking site. However, when the user machine. hits the “login” button, a JavaScript function changes the form action to point to the phish- 3 Isolation and the browser environment ing site (Figure 2). As a result, in the straight- forward implementation, the browser sends the Password hashing is computed using a Pseudo user’s password hashed with the banking do- Random Function (PRF) [GGM86] as follows: main name to the phisher. The phisher thus ob- tains the user’s banking password. hash(pwd,dom) = PRFpwd(dom) • Mock password field. Phishers can create a text where the user’s password pwd is used as the PRF key field <input type=“text”> that behaves like a and the remote site’s domain name dom or some vari- password field.
Load more

Recommended publications
  • Confronting the Challenges of Participatory Culture: Media Education for the 21St Century
    An occasional paper on digital media and learning Confronting the Challenges of Participatory Culture: Media Education for the 21st Century Henry Jenkins, Director of the Comparative Media Studies Program at the Massachusetts Institute of Technology with Katie Clinton Ravi Purushotma Alice J. Robison Margaret Weigel Building the new field of digital media and learning The MacArthur Foundation launched its five-year, $50 million digital media and learning initiative in 2006 to help determine how digital technologies are changing the way young people learn, play, socialize, and participate in civic life.Answers are critical to developing educational and other social institutions that can meet the needs of this and future generations. The initiative is both marshaling what it is already known about the field and seeding innovation for continued growth. For more information, visit www.digitallearning.macfound.org.To engage in conversations about these projects and the field of digital learning, visit the Spotlight blog at spotlight.macfound.org. About the MacArthur Foundation The John D. and Catherine T. MacArthur Foundation is a private, independent grantmaking institution dedicated to helping groups and individuals foster lasting improvement in the human condition.With assets of $5.5 billion, the Foundation makes grants totaling approximately $200 million annually. For more information or to sign up for MacArthur’s monthly electronic newsletter, visit www.macfound.org. The MacArthur Foundation 140 South Dearborn Street, Suite 1200 Chicago, Illinois 60603 Tel.(312) 726-8000 www.digitallearning.macfound.org An occasional paper on digital media and learning Confronting the Challenges of Participatory Culture: Media Education for the 21st Century Henry Jenkins, Director of the Comparative Media Studies Program at the Massachusetts Institute of Technology with Katie Clinton Ravi Purushotma Alice J.
    [Show full text]
  • Intro to Cryptography 1 Introduction 2 Secure Password Manager
    Programming Assignment 1 Winter 2021 CS 255: Intro to Cryptography Prof. Dan Boneh Due Monday, Feb. 8, 11:59pm 1 Introduction In many software systems today, the primary weakness often lies in the user’s password. This is especially apparent in light of recent security breaches that have highlighted some of the weak passwords people commonly use (e.g., 123456 or password). It is very important, then, that users choose strong passwords (or “passphrases”) to secure their accounts, but strong passwords can be long and unwieldy. Even more problematic, the user generally has many different services that use password authentication, and as a result, the user has to recall many different passwords. One way for users to address this problem is to use a password manager, such as LastPass and KeePass. Password managers make it very convenient for users to use a unique, strong password for each service that requires password authentication. However, given the sensitivity of the data contained in the password manager, it takes considerable care to store the information securely. In this assignment, you will be writing a secure and efficient password manager. In your implemen- tation, you will make use of various cryptographic primitives we have discussed in class—notably, authenticated encryption and collision-resistant hash functions. Because it is ill-advised to imple- ment your own primitives in cryptography, you should use an established library: in this case, the Stanford Javascript Crypto Library (SJCL). We will provide starter code that contains a basic tem- plate, which you will be able to fill in to satisfy the functionality and security properties described below.
    [Show full text]
  • User Authentication and Cryptographic Primitives
    User Authentication and Cryptographic Primitives Brad Karp UCL Computer Science CS GZ03 / M030 16th November 2016 Outline • Authenticating users – Local users: hashed passwords – Remote users: s/key – Unexpected covert channel: the Tenex password- guessing attack • Symmetric-key-cryptography • Public-key cryptography usage model • RSA algorithm for public-key cryptography – Number theory background – Algorithm definition 2 Dictionary Attack on Hashed Password Databases • Suppose hacker obtains copy of password file (until recently, world-readable on UNIX) • Compute H(x) for 50K common words • String compare resulting hashed words against passwords in file • Learn all users’ passwords that are common English words after only 50K computations of H(x)! • Same hashed dictionary works on all password files in world! 3 Salted Password Hashes • Generate a random string of bytes, r • For user password x, store [H(r,x), r] in password file • Result: same password produces different result on every machine – So must see password file before can hash dictionary – …and single hashed dictionary won’t work for multiple hosts • Modern UNIX: password hashes salted; hashed password database readable only by root 4 Salted Password Hashes • Generate a random string of bytes, r Dictionary• For user password attack still x, store possible [H(r,x after), r] in attacker seespassword password file file! Users• Result: should same pick password passwords produces that different aren’t result close to ondictionary every machine words. – So must see password file
    [Show full text]
  • M&A @ Facebook: Strategy, Themes and Drivers
    A Work Project, presented as part of the requirements for the Award of a Master Degree in Finance from NOVA – School of Business and Economics M&A @ FACEBOOK: STRATEGY, THEMES AND DRIVERS TOMÁS BRANCO GONÇALVES STUDENT NUMBER 3200 A Project carried out on the Masters in Finance Program, under the supervision of: Professor Pedro Carvalho January 2018 Abstract Most deals are motivated by the recognition of a strategic threat or opportunity in the firm’s competitive arena. These deals seek to improve the firm’s competitive position or even obtain resources and new capabilities that are vital to future prosperity, and improve the firm’s agility. The purpose of this work project is to make an analysis on Facebook’s acquisitions’ strategy going through the key acquisitions in the company’s history. More than understanding the economics of its most relevant acquisitions, the main research is aimed at understanding the strategic view and key drivers behind them, and trying to set a pattern through hypotheses testing, always bearing in mind the following question: Why does Facebook acquire emerging companies instead of replicating their key success factors? Keywords Facebook; Acquisitions; Strategy; M&A Drivers “The biggest risk is not taking any risk... In a world that is changing really quickly, the only strategy that is guaranteed to fail is not taking risks.” Mark Zuckerberg, founder and CEO of Facebook 2 Literature Review M&A activity has had peaks throughout the course of history and different key industry-related drivers triggered that same activity (Sudarsanam, 2003). Historically, the appearance of the first mergers and acquisitions coincides with the existence of the first companies and, since then, in the US market, there have been five major waves of M&A activity (as summarized by T.J.A.
    [Show full text]
  • To Change Your Ud Password(S)
    TO CHANGE YOUR UD PASSWORD(S) The MyCampus portal allows the user a single-signon for campus applications. IMPORTANT NOTICE AT BOTTOM OF THESE INSTRUCTIONS !! INITIAL PROCEDURE TO ALLOW YOU TO CHANGE YOUR PASSWORD ON THE UD NETWORK : 1. In your web browser, enter http://mycampus.dbq.edu . If you are logging in for the first time, you will be directed to answer (3) security questions. Also, be sure to answer one of the recovery methods. 2. Once the questions are answered, you will click on SUBMIT and then CONTINUE and then YES. 3. In one location, you will now find MyUD, Campus Portal, Email and UDOnline (Moodle). 4. You can now click on any of these apps and you will be logged in already. The email link will prompt you for the password a second time until we get all accounts set up properly. YOU MUST BE SURE TO LOGOUT OF EACH APPLICATION AFTER YOU’RE DONE USING IT !! TO CHANGE YOUR PASSWORD: 1. After you have logged into the MyCampus.dbq.edu website, you will see your username in the upper- right corner of the screen. 2. Click on your name and then go into My Account. 3. At the bottom, you will click on Change Password and then proceed as directed. 4. You can now logout. You will need to use your new password on your next login. Password must be a minimum of 6 characters and contain 3 of the following 4 categories: - Uppercase character - Lowercase character - Number - Special character You cannot use the previous password You’ll be required to change your password every 180 days.
    [Show full text]
  • Reset Forgotten Password with Office365
    RESET FORGOTTEN PASSWORD 1. Go to https://login.microsoftonline.com 2. Click the link “Can’t access your account?” 3. Select Work or School account 4. Enter in your User ID with the @uamont.edu at the end and then enter the characters as seen in the picture. You can click the refresh button for a different set of letters. 5. You will have 3 options to verify your account and reset your password. This information was set up when you registered with self-service password reset. If you have not registered, please go to https://aka.ms/ssprsetup and enter in your information. A step by step guide on how to do this can be found here. a. Text your mobile phone b. Call your mobile phone c. Answer Security Questions 6. Choose one option and enter the information requested 7. Click Text for text my mobile phone, Call for call my mobile phone, or click Next when you’ve answered all security questions. a. If you have selected Text my mobile phone you will be required to enter in a verification code and click Next b. If you have select Call my mobile phone you will receive a call and will need to enter # to verify. 8. Enter in your new password and click Finish a. Note: If you receive the message, “Unfortunately, your password contains a word, phrase, or pattern that makes it easily guessable. Please try again with a different password.” Please try to create a password that does not use any dictionary words. b. Passwords must meet 3 of the 4 following requirements i.
    [Show full text]
  • Optimizing a Password Hashing Function with Hardware-Accelerated Symmetric Encryption
    S S symmetry Article Optimizing a Password Hashing Function with Hardware-Accelerated Symmetric Encryption Rafael Álvarez 1,* , Alicia Andrade 2 and Antonio Zamora 3 1 Departamento de Ciencia de la Computación e Inteligencia Artificial (DCCIA), Universidad de Alicante, 03690 Alicante, Spain 2 Fac. Ingeniería, Ciencias Físicas y Matemática, Universidad Central, Quito 170129, Ecuador; [email protected] 3 Departamento de Ciencia de la Computación e Inteligencia Artificial (DCCIA), Universidad de Alicante, 03690 Alicante, Spain; [email protected] * Correspondence: [email protected] Received: 2 November 2018; Accepted: 22 November 2018; Published: 3 December 2018 Abstract: Password-based key derivation functions (PBKDFs) are commonly used to transform user passwords into keys for symmetric encryption, as well as for user authentication, password hashing, and preventing attacks based on custom hardware. We propose two optimized alternatives that enhance the performance of a previously published PBKDF. This design is based on (1) employing a symmetric cipher, the Advanced Encryption Standard (AES), as a pseudo-random generator and (2) taking advantage of the support for the hardware acceleration for AES that is available on many common platforms in order to mitigate common attacks to password-based user authentication systems. We also analyze their security characteristics, establishing that they are equivalent to the security of the core primitive (AES), and we compare their performance with well-known PBKDF algorithms, such as Scrypt and Argon2, with favorable results. Keywords: symmetric; encryption; password; hash; cryptography; PBKDF 1. Introduction Key derivation functions are employed to obtain one or more keys from a master secret. This is especially useful in the case of user passwords, which can be of arbitrary length and are unsuitable to be used directly as fixed-size cipher keys, so, there must be a process for converting passwords into secret keys.
    [Show full text]
  • Strong Password-Based Authentication in TLS Using the Three-Party Group Diffie–Hellman Protocol
    284 Int. J. Security and Networks, Vol. 2, Nos. 3/4, 2007 Strong password-based authentication in TLS using the three-party group Diffie–Hellman protocol Michel Abdalla* École normale supérieure – CNRS, LIENS, Paris, France E-mail: [email protected] *Corresponding author Emmanuel Bresson Department of Cryptology, CELAR Technology Center, Bruz, France E-mail: [email protected] Olivier Chevassut Lawrence Berkeley National Laboratory, Berkeley, CA, USA E-mail: [email protected] Bodo Möller Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Bochum, Germany E-mail: [email protected] David Pointcheval École normale supérieure – CNRS, LIENS, Paris, France E-mail: [email protected] Abstract: The internet has evolved into a very hostile ecosystem where ‘phishing’ attacks are common practice. This paper shows that the three-party group Diffie-Hellman key exchange can help protect against these attacks. We have developed password-based ciphersuites for the Transport Layer Security (TLS) protocol that are not only provably secure but also believed to be free from patent and licensing restrictions based on an analysis of relevant patents in the area. Keywords: password authentication; group Diffie–Hellman key exchange; transport layer security; TLS. Reference to this paper should be made as follows: Abdalla, M., Bresson, E., Chevassut, O., Möller, B. and Pointcheval, D. (2007) ‘Strong password-based authentication in TLS using the three-party group Diffie-Hellman protocol’, Int. J. Security and Networks, Vol. 2, Nos. 3/4, pp.284–296. Biographical notes: Michel Abdalla is currently a Researcher with the Centre National de la Recherche Scientifique (CNRS), France and a Member of the Cryptography Team at the Ecole Normale Supérieure (ENS), France.
    [Show full text]
  • Password Cracking
    Password Cracking Sam Martin and Mark Tokutomi 1 Introduction Passwords are a system designed to provide authentication. There are many different ways to authenticate users of a system: a user can present a physical object like a key card, prove identity using a personal characteristic like a fingerprint, or use something that only the user knows. In contrast to the other approaches listed, a primary benefit of using authentication through a pass- word is that in the event that your password becomes compromised it can be easily changed. This paper will discuss what password cracking is, techniques for password cracking when an attacker has the ability to attempt to log in to the system using a user name and password pair, techniques for when an attacker has access to however passwords are stored on the system, attacks involve observing password entry in some way and finally how graphical passwords and graphical password cracks work. Figure 1: The flow of password attacking possibilities. Figure 1 shows some scenarios attempts at password cracking can occur. The attacker can gain access to a machine through physical or remote access. The user could attempt to try each possible password or likely password (a form of dictionary attack). If the attack can gain access to hashes of the passwords it is possible to use software like OphCrack which utilizes Rainbow Tables to crack passwords[1]. A spammer may use dictionary attacks to gain access to bank accounts or other 1 web services as well. Wireless protocols are vulnerable to some password cracking techniques when packet sniffers are able to gain initialization packets.
    [Show full text]
  • Modified SHA1: a Hashing Solution to Secure Web Applications Through Login Authentication
    36 International Journal of Communication Networks and Information Security (IJCNIS) Vol. 11, No. 1, April 2019 Modified SHA1: A Hashing Solution to Secure Web Applications through Login Authentication Esmael V. Maliberan Graduate Studies, Surigao del Sur State University, Philippines Abstract: The modified SHA1 algorithm has been developed by attack against the SHA-1 hash function, generating two expanding its hash value up to 1280 bits from the original size of different PDF files. The research study conducted by [9] 160 bit. This was done by allocating 32 buffer registers for presented a specific freestart identical pair for SHA-1, i.e. a variables A, B, C and D at 5 bytes each. The expansion was done by collision within its compression function. This was the first generating 4 buffer registers in every round inside the compression appropriate break of the SHA-1, extending all 80 out of 80 function for 8 times. Findings revealed that the hash value of the steps. This attack was performed for only 10 days of modified algorithm was not cracked or hacked during the experiment and testing using powerful online cracking tool, brute computation on a 64-GPU. Thus, SHA1 algorithm is not force and rainbow table such as Cracking Station and Rainbow anymore safe in login authentication and data transfer. For Crack and bruteforcer which are available online thus improved its this reason, there were enhancements and modifications security level compared to the original SHA1. being developed in the algorithm in order to solve these issues [10, 11]. [12] proposed a new approach to enhance Keywords: SHA1, hashing, client-server communication, MD5 algorithm combined with SHA compression function modified SHA1, hacking, brute force, rainbow table that produced a 256-bit hash code.
    [Show full text]
  • Rootkits for Javascript Environments
    Rootkits for JavaScript Environments Ben Adida Adam Barth Collin Jackson Harvard University UC Berkeley Stanford University ben [email protected] [email protected] [email protected] Abstract Web Site Bookmarklet Web Site Bookmarklet A number of commercial cloud-based password managers use bookmarklets to automatically populate and submit login forms. Unfortunately, an attacker web Native JavaScript environment site can maliciously alter the JavaScript environment and, when the login bookmarklet is invoked, steal the Figure 1. Developers assume the bookmarklet in- user’s passwords. We describe general attack tech- teracts with the native JavaScript environment directly niques for altering a bookmarklet’s JavaScript envi- (left). In fact, the bookmarklet’s environment can be ronment and apply them to extracting passwords from manipulated by the current web page (right). six commercial password managers. Our proposed solution has been adopted by several of the commercial vendors. If the user clicks a bookmarklet while visiting an untrusted web page, the bookmarklet’s JavaScript is run in the context of the malicious page, potentially 1. Introduction letting an attacker manipulate its execution by care- fully crafting its JavaScript environment, essentially One promising direction for building engaging web installing a “rootkit” in its own JavaScript environment experiences is to combine content and functionality (See Figure 1). Instead of interacting with the native from multiple sources, often called a “mashup.” In JavaScript objects, the bookmarklet interacts with the a traditional mashup, an integrator combines gadgets attacker’s objects. This attack vector is not much of (such as advertisements [1], maps [2], or contact a concern for Delicious’ social bookmarking service, lists [3]), but an increasingly popular mashup design because the site’s own interests are served by advertis- involves the user adding a bookmarklet [4] (also known ing its true location and title.
    [Show full text]
  • At Uncw.Indd
    5 Conference Titles • NCAA Appearances 5 2014 SCHEDULE College of Charleston COUGARS (31-13, 10-2) Overall 31-13 Home 24-6 VS CAA 10-2 Away 7-7 UNC-Wilmington SEAHAWKS (21-22, 6-7) Streak W4 Neutral 0-0 5/2 | UNCW | 6 p.m. | Wilmington, N.C. | Brooks Field Feb. 15 #12 North Carolina W, 7-4 5/3 | UNCW | 2 p.m. | Wilmington, N.C. | Brooks Field Feb. 16 #12 North Carolina L, 12-3 Feb. 17 #12 North Carolina W, 3-1 5/4 | UNCW | 2 p.m. | Wilmington, N.C. | Brooks Field Feb. 19 Charleston Southern W, 12-3 Feb. 21 Rhode Island W, 7-3 LAST TIME OUT GAME BREAKDOWN Feb. 22 Rhode Island W, 1-0 College of Charleston made program history Feb. 23 Rhode Island W, 7-4 on Sunday, defeating Bethune-Cookman, 3-2, Feb. 25 Charlotte W, 5-2 with a walk-off hit in the 11th inning to sweep Feb. 28 Marist W, 5-4 the series. College of Charleston recorded Mar 1 Marist W, 7-3 three straight walk-off wins in extra innings for Mar 2 Marist W, 7-0 the fi rst time in program history. Mar 4 Toledo L, 5-2 Mar 8 at The Citadel L, 5-4 (11) The Cougars (31-13) are now 3-1 in extra-inning Mar 9 The Citadel W, 11-5 games this year and have treated fans to four CHARLESTON UNC-WILMINGTON Mar 10 at The Citadel W. 8-0 walk-off wins at Patriots Point.
    [Show full text]