Benny Pinkas
ABSTRACT
The use of passwords is a major point of vulnerability in computer security, as passwords are often easy to guess by automated programs running dictionary attacks. Passwords remain the most widely used authentication method despite their well-known security weaknesses. User authentication is clearly a practical problem. From the perspective of a service provider this problem needs to be solved within real-world constraints such as the available hardware and software infrastructures. From a user's perspective user-friendliness is a key requirement.In this paper we suggest a novel authentication scheme that preserves the advantages of conventional password authentication, while simultaneously raising the costs of online dictionary attacks by orders of magnitude. The proposed scheme is easy to implement and overcomes some of the difficulties of previously suggested methods of improving the security of user authentication schemes.Our key idea is to efficiently combine traditional password authentication with a challenge that is very easy to answer by human users, but is (almost) infeasible for automated programs attempting to run dictionary attacks. This is done without affecting the usability of the system. The proposed scheme also provides better protection against denial of service attacks against user accounts.
- Alta Vista, submission of new urls. http://addurl.altavista.com/sites/addurl/newurl]]Google Scholar
- A. L. Coates, H. S. Baird, and R. J. Fateman, Pessimal Print: A Reverse Turing Test, Proc., ICDAR 2001, pp. 10--12, 2001.]] Google ScholarDigital Library
- M., Proactive Password Checking, 4th Workshop on Computer Security Incident Handling, August 1992.]]Google Scholar
- N. Bohm, I. Brown, B. Gladman, Electronic Commerce: Who Carries the Risk of Fraud?, 2000 (3) The Journal of Information, Law and Technology. http://elj.warwick.ac.uk/jilt/00-3/bohm.html]]Google Scholar
- M. K. Boyarsky, Public-Key Cryptography and Password Protocols: The Multi-User Case, 6th ACM Conf. on Comp. and Comm. Security, 1999.]] Google ScholarDigital Library
- The CAPTCHA Project. http://www.captcha.net/]]Google Scholar
- The CAPTCHA Project: Gimpy. http://www.captcha.net/gimpy.html]]Google Scholar
- Hackers find new way to bilk eBay users, CNET news.com, March 25, 2002.]]Google Scholar
- C. Dwork and M. Naor, Pricing via Processing or Combating Junk Mail, Adv. in Cryptology - CRYPTO '92, Springer-Verlag LNCS 740, pp. 139--147, 1992.]] Google ScholarDigital Library
- K. Fu, E. Sit, K. Smith, and N. Feamster, Dos and Don'ts of Client Authentication on the Web, 10th USENIX Security Symp., August 2001.]] Google ScholarDigital Library
- O. Goldreich and Y. Lindell, Session-Key Generation using Human Passwords Only, Crypto 2001, Springer-Verlag (LNCS 2139), pages 408--432, 2001.]] Google ScholarDigital Library
- Shai Halevi and Hugo Krawczyk, Public-key cryptography and password protocols, ACM Transactions on Information and System Security, Vol 2, No. 3, Pages 230--268, August 1999.]] Google ScholarDigital Library
- I. Jermyn, A. Mayer, F. Monrose, M.K. Reiter and A.D. Rubin. The design and analysis of graphical passwords. 8th USENIX Security Symp., August 1999.]] Google ScholarDigital Library
- M.D. Lillibridge, M. Abadi, K. Bharat, and A.Z. Broder. Method for selectively restricting access to computer systems. U.S. Patent 6,195,698 (2001).]]Google Scholar
- D.V. Klein, Foiling the Cracker: A Survey of, and Improvements to, Password Security, 2nd USENIX Unix Security Workshop, 1990, pp.5--14.]]Google Scholar
- P. MacKenzie, More Efficient Password-Authenticated Key Exchange, Topics in Cryptology -- CT-RSA 2001, pp. 361--377, 2001.]] Google ScholarDigital Library
- F. Monrose and A. Rubin. Authentication via keystroke dynamics. In 4th ACM Conference on Computer and Communications Security, April 1997.]] Google ScholarDigital Library
- F. Monrose, M. Reiter and S. Wetzel Password hardening based on keystroke dynamics, to appear in the International Journal of Information Security, Springer, 2002.]]Google Scholar
- R. Morris and K. Thompson, Password Security: A Case History, Communications of the ACM, Vol.22, No.11, November, 1979, pp.594--597.]] Google ScholarDigital Library
- M. Naor, Verification of a human in the loop, or Identification via the Turing test, Manuscript (1996). \verb+http://www.wisdom.weizmann.ac.il/naor/PAPERS/+\verb+human_abs.html+]]Google Scholar
- Paypal, new account reg. http://www.paypal.com.]]Google Scholar
- J. Xu, R. Lipton, I. Essa, M.-H. Sung, Mandatory human participation: A new scheme for building secure systems, Georgia Institute of Technology Technical Report GIT-CC-01-09, 2001.]]Google Scholar
- A. Perrig and R, Dhamija, Dj Vu: A User Study Using Images for Authentication, 9th Usenix security Symp., August 2000.]] Google ScholarDigital Library
- Spafford, E. H., Opus: Preventing Weak Password Choices, Computers & Security, 11 (1992), 273--278.]] Google ScholarDigital Library
- Workshop on Human Interactive Proofs http://www.parc.xerox.com/istl/groups/did/HIP2002/]]Google Scholar
- Yahoo!, new account registration.]]Google Scholar
Index Terms
- Securing passwords against dictionary attacks
Recommendations
Fast dictionary attacks on passwords using time-space tradeoff
CCS '05: Proceedings of the 12th ACM conference on Computer and communications securityHuman-memorable passwords are a mainstay of computer security. To decrease vulnerability of passwords to brute-force dictionary attacks, many organizations enforce complicated password-creation rules and require that passwords include numerals and ...
A new protocol to counter online dictionary attacks
The most popular method of authenticating users is through passwords. Though passwords are the most convenient means of authentication, they bring along themselves the threat of dictionary attacks. While offline dictionary attacks are possible only if ...
AMOGAP: Defending Against Man-in-the-Middle and Offline Guessing Attacks on Passwords
Information Security and PrivacyAbstractPasswords are widely used in online services, such as electronic and mobile banking services, and may be complemented by other authentication mechanism(s) for example in two-factor or three-factor authentication systems. There are, however, a ...
Comments