Proceedings Article

A Novel Verification scheme for Resisting Password Guessing Attacks

TLDR
In this article, the entropy discrepancy between the passwords entered by the user and an attacker is calculated by accumulating the frequencies of the entered characters, not the password itself, and the experimental results show that even if the user selects a common password, the proposed authentication method can distinguish between legitimate users and attackers effectively and efficiently.
Abstract
User name and password authentication is one of the most commonly used authentication mechanisms in information systems and social networks. Strong passwords are secure but not easy to memorize; users may choose passwords that are easy to remember but also easy to compromise. Online password guessing attacks have therefore become a major security threat in information systems and social networks. It is a challenge to provide a reliable user authentication solution that allows legitimate access and prevents password guessing attacks. Our preliminary study observed that legitimate users know what passwords they have chosen, while attackers can only guess what they are. The proposed solution applies information theory and compares the entropy discrepancy between the passwords entered by the user and those entered by the attacker. The password entropy is calculated by accumulating the frequencies of the entered characters, not the password itself. The experimental results show that, even if the user selects a common password, the proposed authentication method can distinguish between legitimate users and attackers effectively and efficiently.
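One way to read the idea in the abstract, as an added Python example that is not the paper's code: character frequencies are accumulated across an account's login attempts and the Shannon entropy of the running table is tracked. The attempt lists are constructed, and the `looks_like_guessing` rule with its 1.0-bit cap is a hypothetical decision rule; the paper's actual formula and thresholds are not given on this page.

```python
import math
from collections import Counter

def shannon_entropy(counts):
    """Shannon entropy (bits per character) of a character-count table."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in counts.values())

def entropy_trajectory(attempts):
    """Entropy of the accumulated character frequencies after each attempt.

    Only the running counts are kept; the entered strings are not stored.
    """
    counts = Counter()
    trajectory = []
    for attempt in attempts:
        counts.update(attempt)  # adds one count per entered character
        trajectory.append(shannon_entropy(counts))
    return trajectory

def looks_like_guessing(attempts, max_growth_bits=1.0):
    """Hypothetical rule (assumption): flag when the accumulated entropy
    grows by more than max_growth_bits between first and last attempt."""
    traj = entropy_trajectory(attempts)
    return bool(traj) and (traj[-1] - traj[0]) > max_growth_bits

# Constructed sample data: a user retyping a common password with typos,
# and a guesser working through a list of different common passwords.
USER_ATTEMPTS = ["password1", "passwrod1", "pasword1", "password1"]
ATTACKER_ATTEMPTS = ["123456", "qwerty", "letmein", "dragon", "password1"]

if __name__ == "__main__":
    for label, attempts in (("user", USER_ATTEMPTS),
                            ("attacker", ATTACKER_ATTEMPTS)):
        traj = entropy_trajectory(attempts)
        print(label, [round(h, 3) for h in traj],
              "flagged:", looks_like_guessing(attempts))
```

The user's entropy stays almost flat because typos mostly reuse the same characters, while the guesser's entropy climbs as each new guess adds characters to the table, even though the final guess is the same common password.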

Citations
Proceedings Article

A Password Secure Mechanism using Reformation-based Honey Encryption and Decryption

TL;DR: In this article, the proposed framework includes a strong password initiated security mechanism based on the Honey encryption and decryption method and a dynamic keypad altering system based on reformation is also implemented.
References
Journal Article

A mathematical theory of communication

TL;DR: This final installment of the paper considers the case where the signals or the messages or both are continuously variable, in contrast with the discrete nature assumed until now.
Journal Article

StopGuessing: Using Guessed Passwords to Thwart Online Password Guessing

TL;DR: This work presents an open source system to defend against password-guessing attacks using information ignored previously: the guessed passwords themselves and examines passwords to detect and are more forgiving of login failures caused by users mistyping their passwords.