Showing papers on "Password strength published in 2002"
Patent•
07 Nov 2002
TL;DR: A secure distributed single-login authentication system comprises a client and a server as mentioned in this paper, where the client collects a user name and password from a user and tests that user name/password at a variety of potential authentication servers to check where the login is valid.
Abstract: A secure distributed single-login authentication system comprises a client and a server. The client collects a user name and password from a user and tests that user name and password at a variety of potential authentication servers to check where the login is valid. It combines the password with a time varying salt and a service specific seed in a message digesting hash and generates a first hash value. The client sends the hash value along with the user name and the time varying salt to a currently selected server. The server extracts the user name and looks up an entry under the user name from the selected server's database. If an entry is found, it retrieves the password and performs the same hash function on the combination of the user name, the service specific seed, and the retrieved password to generate a second hash value. Then, it compares two hash values. If these two values match, the user is authenticated. In this way, the system never sufficiently reveals the password to authentication agents that might abuse the information.
174 citations
18 Aug 2002
TL;DR: This paper proposes an efficient password-authenticated key exchange system involving a set of servers, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that thresholds does not allow an attacker to perform an offline dictionary attack.
Abstract: In most password-authenticated key exchange systems there is a single server storing password verification data. To provide some resilience against server compromise, this data typically takes the form of a one-way function of the password (and possibly a salt, or other public values), rather than the password itself. However, if the server is compromised, this password verification data can be used to perform an offline dictionary attack on the user's password. In this paper we propose an efficient password-authenticated key exchange system involving a set of servers, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that threshold of servers does not allow an attacker to perform an offline dictionary attack. We prove our system is secure in the random oracle model under the Decision Diffie-Hellman assumption against an attacker that may eavesdrop on, insert, delete, or modify messages between the user and servers, and that compromises fewer than that threshold of servers.
126 citations
20 Apr 2002
TL;DR: Findings show that users could recall all visual elements of the doodle as well as they could recall alphanumeric passwords, but most could not perfectly redraw their selected doodles.
Abstract: Password security often fails in practice because users select predictable passwords. We conducted a study to explore the use of hand-drawn doodle password ("passdoodle"). Our findings show that users could recall all visual elements of the doodle as well as they could recall alphanumeric passwords, but most could not perfectly redraw their selected doodles. Users perceive passdoodles as easier to remember than alphanumeric passwords; however, they prefer whichever authentication method they perceive to be more secure.
117 citations
TL;DR: It is indicated that increasing the minimum character length reduces crackability and increases security, regardless of whether additional restrictions are imposed.
Abstract: Entering a username—password combination is a widely used procedure for identification and authentication in computer systems. However, it is a notoriously weak method, in that the passwords adopted by many users are easy to crack. In an attempt to improve security, proactive password checking may be used, in which passwords must meet several criteria to be more resistant to cracking. In two experiments, we examined the influence of proactive password restrictions on the time that it took to generate an acceptable password and to use it subsequently to log in. The required length was a minimum of five characters in Experiment 1 and eight characters in Experiment 2. In both experiments, one condition had only the length restriction, and the other had additional restrictions. The additional restrictions greatly increased the time it took to generate the password but had only a small effect on the time it took to use it subsequently to log in. For the five-character passwords, 75% were cracked when no other restrictions were imposed, and this was reduced to 33% with the additional restrictions. For the eight-character passwords, 17% were cracked with no other restrictions, and 12.5% with restrictions. The results indicate that increasing the minimum character length reduces crackability and increases security, regardless of whether additional restrictions are imposed.
114 citations
07 Aug 2002
TL;DR: The tradeoffs that need to be made to achieve maximum security in everyday use by forgetful users are explored.
Abstract: Password security is essential to the security of information systems. Human fallibility makes it nearly impossible to follow all of the recommended rules simultaneously. A user with many different passwords, frequently changing, will be forced to write them down somewhere. Some systems constrain them to have a certain minimum length, or to require them to contain a combination of letters and numbers. Some systems also impose maximum lengths, and some prohibit special characters. The lack of common standards for passwords makes it difficult for a user to remember which password is used for which system. To make matters worse, systems frequently revoke a user's access after a password has been incorrectly entered as few as three times. What is needed, then, is an analysis of passwords that takes both human factors and security into account. We must recognize that what really matters is the security of the total system-offline as well as online. This paper explores the tradeoffs that need to be made to achieve maximum security in everyday use by forgetful users.
112 citations
Journal Article•
109 citations
Patent•
10 Oct 2002
TL;DR: In this article, a zero-knowledge password proof is proposed to securely establish a shared password and a shared key between two parties, and incorporates explicit steps to insure that the user(s) of the system authenticates that the same password, and thus the same key, is used at both devices.
Abstract: Cryptographic systems and methods that allow secure connection of two devices over an open network, using passwords communicated in an out-of-band process. One-time versus static passwords, active versus passive models of user participation, and different combinations of password-input and password-output mechanisms may be employed. The present invention uses either a password agreement protocol or a zero-knowledge password proof to securely establish a shared password and a shared key between two parties, and incorporates explicit steps to insure that the user(s) of the system authenticates that the same password, and thus the same key, is used at both devices.
83 citations
Patent•
22 Mar 2002TL;DR: In this paper, a password reset disk is created by generating a key pair consisting of a private key and a corresponding public key and the private key is stored on a removable computerreadable medium so that it can be removed and securely stored remote from the computer system on which it was created.
Abstract: Systems and methods for recovering from a lost password are described A password reset disk is created by generating a key pair consisting of a private key and a corresponding public key The private key is stored on a removable computer-readable medium so that it can be removed and securely stored remote from the computer system on which it was created The public key is stored on the computer system and used to maintain an up-to-date encrypted copy of the current password This encrypted copy is stored on the computer system If, at a later time, the user forgets a user password, the user may insert the password reset disk into the computer system The private key is retrieved from the password reset disk and the encrypted password is decrypted using the private key If the decryption is successful, the user is allowed to set a new password The password reset disk is effective even if the user password has been changed since the creation of the password reset disk In this way, a user does not have to contact customer service to recover from a forgotten password The user may also create the password reset disk when there is no password set When a password is set, the password is encrypted with the public key and stored
77 citations
Patent•
IBM1
TL;DR: In this paper, an existing password field on a device display is overlaid with password wallet pop-up field which allows a wallet “master” key to unlock the wallet.
Abstract: A convenient and secure system and method for access to any number of password-protected computer applications, web sites and forms without adding to the user cognitive load and without circumventing the inherent security of such password-protection schemes. An existing password field on a device display is overlaid with password wallet pop-up field which allows a wallet “master” key to unlock the wallet. An application-specific and/or user-specific password is automatically retrieved from the wallet and entered into the password field with no other user action required.
67 citations
Journal Article•
67 citations
Journal Article•
Journal Article•
Patent•
AT&T1
TL;DR: In this paper, a method and system for dynamically changing password-keys in a secured wireless communication system includes initiating a password key change, generating a new password key, embedding the new passwords key and a password-key indicator in a first message, encrypting the first message using an old password key.
Abstract: A method and system for dynamically changing password-keys in a secured wireless communication system includes initiating a password key change, generating a new password key, embedding the new password key and a password key indicator in a first message, encrypting the first message using an old password key, storing the new password key, sending the formatted encrypted first message over a wireless communication system, receiving a subsequent second message, and decrypting the subsequent second message using the new password key.
Patent•
IBM1
TL;DR: In this paper, a system, method and program that generates a password for a user to access a resource is described, and the same password is regenerated the next time the user accesses the same resource.
Abstract: A system, method and program of the invention provides an application program tool that generates a password for a user to access a resource. The tool receives as input from a user a global user password and at least one hash key. The tool applies a consistent algorithm to the name of the resource being accessed, such as a domain name for an Internet site, and the hash key, and the global user password to generate the password. The same password is regenerated the next time the user accesses the same resource. The tool automatically populates the resource with the password.
Patent•
IBM1
TL;DR: In this article, a system and method for using a unique identifier for encryption key derivation is presented, where an application sends a password and a request for an encryption key to a hardware security module (HSM).
Abstract: A system and method for using a unique identifier for encryption key derivation is presented. An application sends a password and a request for an encryption key to a hardware security module (HSM). The HSM uses the password to generate a tied application data encryption key (ADEK). The tied ADEK includes an encryption key and a known value that is “tied” to the password. The HSM encrypts the tied ADEK with a hardware master key and sends it to the application. When the application requests to encrypt or decrypt data, the application sends the encrypted tied ADEK and a password to the HSM. The password corresponds to the password used to generate the tied ADEK. The HSM uses an identical hardware master key and the password to recover the ADEK. The HSM also verifies that the known value is correct.
Patent•
20 Sep 2002
TL;DR: In this paper, a system and methods to securely change a password in a distributed computing system (100) are presented, where a stored value and a destination address of a user are stored.
Abstract: Systems and methods to securely change a password in a distributed computing system (100) are presented. According to an exemplary method, a stored value and a destination address of a user are stored. A request to change the password is received from the user (102). A message (130), for example, an electronic mail message (120), is sent to the destination address (126). The message specifies a link to the stored values. If the link is valid, then the user is permitted to log in to the distributed computing system (100) using the stored value as a log in password. Each time that the user logs in to the distributed computing system (100), the stored value is updated, thereby invalidating any previous issued link.
TL;DR: This paper presents a simple authenticated key agreement protocol called SAKA which is simple and cost-effective, and provides a formal proof of security to show its strength against both passive and active adversaries.
Abstract: Password-based mechanism is the widely used method for user authentication. Many password-based authenticated key exchange protocols have been proposed to resist password guessing attacks. In this paper, we present a simple authenticated key agreement protocol called SAKA which is simple and cost-effective. To examine its security, we provide a formal proof of security to show its strength against both passive and active adversaries. Compared with the previously best protocols, SAKA has less number of steps and less computation cost.
Patent•
IBM1
TL;DR: In this article, the authors proposed a method and system to secure the storage and retrieval of user and resource passwords in a distributed computing network environment using a password server, which can be a stand-alone device or can be implemented in a server on a network.
Abstract: The present invention provides a method and system to secure the storage and retrieval of user and resource passwords in a distributed computing network environment. The system incorporates a password server. This server can be a stand-alone device or can be implemented in a server on a network. The password server contains software programs that store and distribute the passwords securely to proper applications (users). In the method of the present invention, the password server program stores the password in a file encrypted using the password server's public key. Only the password server has the corresponding private key. Therefore, no one except password server can decrypt the password. Applications can store their password in the password server after encrypting the password using password servers public key. The method of the present invention has an advantage over conventional password storage practices in that there is only the need to secure the password server in order to prevent lost or theft of passwords. Because user passwords usually reside on the same system as the application user, it is necessary to implement security measures to secure the password information stored on that machine.
Patent•
24 Oct 2002TL;DR: When a user's signature is registered, an authentication server presents a password to the user When the user hand-writes the password using an input device, the password and hand-written signature information are registered in a dictionary as discussed by the authors.
Abstract: When a user's signature is registered, an authentication server presents a password to the user When the user hand-writes the password using an input device, the password and hand-written signature information are registered in a dictionary At the time of authentication, the authentication server requests the user to hand-write the password When the user hand-writes the password in response to the request, a signature information control unit compares the signature information newly hand-written by the user and the signature information registered in the dictionary, and outputs the result
Patent•
02 Aug 2002TL;DR: In this article, a method for generating a password that produces a different password for each system from a single password provided by a user is presented. But this method requires users to remember one password string from which appropriate system-specific password strings are derived.
Abstract: A method for generating a password that produces a different password for each system from a single password provided by a user. The present techniques enable users to remember one password string from which appropriate system-specific password strings are derived. A system according to the present teachings obtains a user password, generates a combined password by combining the user password with a system name for a system to be accessed, and then generates a system-specific password for the system to be accessed from the combined password using a one-way hash that conforms to a well-defined specification.
Patent•
24 May 2002TL;DR: In this paper, a provably secure multi-server threshold password-authenticated key exchange system and method is proposed, in which an encryption of a function of a client's password is provided to each of a plurality of servers.
Abstract: A provably secure multi-server threshold password-authenticated key exchange system and method. Initially, an encryption of a function of a client's password is provided to each of a plurality of servers. The client later can authenticate the password (i.e., login) by generating an encryption based on the password which is nonetheless mathematically independent of the value of the password. Then, this encryption, along with a “proof” that the encryption was, in fact, generated based on the password, is provided to each of the servers for verification. Thus, it can be shown that the protocol is provably secure. The password authentication protocol advantageously incorporates a thresholding scheme such that the compromise of fewer than a given threshold number of the servers neither compromises the security of the system nor inhibits the proper operation of the password authentication process.
Journal Article•
Patent•
01 Oct 2002TL;DR: In this paper, a user authentication method using the password is presented, which is very useful for reinforcing the security by applying a simple processing, not necessarily consuming high costs and much time.
Abstract: A user authentication method includes the steps of: inputting, by a user, a predetermined password having a plurality of digits; examining whether an input password includes an actual password that is predetermined by using less digits than the input password; authenticating the input password if the input password includes the actual password; and refusing to authenticate the input password if the input password does not include the actual password. The user authentication method using the password is very useful for reinforcing the security by applying a simple processing, not necessarily consuming high costs and much time. Further, even when the password may be exposed to others, it is still safe. Also, although a password may be used in many cases in common, the security still can be reinforced by differentiating the input password. Most of all, the user can remember the actual password very easily, and yet get the same effect with changing the password.
Patent•
24 Oct 2002
TL;DR: In this paper, a method and system for dynamically changing password keys in a secured wireless communication system is presented, which includes initiating a password key change, generating a new password key, embedding the new key and password key indicator in a first message, encrypting the first message using an old password key.
Abstract: A method and system for dynamically changing password keys in a secured wireless communication system includes initiating a password key change, generating a new password key, embedding the new password key and a password key indicator in a first message, encrypting the first message using an old password key, storing the new password key, sending the formatted encrypted first message over a wireless communication system, receiving a subsequent second message, and decrypting the subsequent second message using the new password key.
Patent•
01 May 2002TL;DR: In this paper, a computer includes a processor, an input device and a read-only memory (ROM) and one or more passwords are flashed in the ROM in encoded form.
Abstract: A computer includes a processor, an input device and a read only memory (“ROM”). One or more passwords are flashed in the ROM in encoded form. The encoding process may include any well-known encryption or hash process. The password may include a power-on password usable to change the operating state of the computer and/or an administrator password. Such configuration data preferably also is stored on the ROM in encoded form. The encoded nature of the passwords makes it difficult for an unauthorized entity to gain access to the usable form of the passwords. Further, by storing the passwords and configuration in ROM, such as the computer's main system ROM, it is possible to control write access to the ROM because a computer's ROM can generally only be flashed using SMI code which operates outside the control of the computer's operating system and requires entry of a correct password.
10 Dec 2002
TL;DR: OPA (One-time Password Algorithms) implements a system that allows users to protect their accounts with a one-time password that adds minimal additional complexity over a simple reusable password system.
Abstract: Most network applications authenticate users with an account name/password system. Systems using reusable passwords are susceptible to attacks based on the theft of the password. One-time password systems attempt to alleviate the problem of "sniffed" passwords by making the replay of a password useless. However, one-time password systems require the use of a generator that creates the one-time password. The added inconvenience (and in some cases cost) of the generator has limited the wide spread application of one-time password systems. OPA (One-time Password Algorithms) implements a system that allows users to protect their accounts with a one-time password that adds minimal additional complexity over a simple reusable password system. OPA does not offer the degree of security provided by most other one-time password systems but can provide additional security when compared to reusable passwords.
Patent•
24 May 2002TL;DR: In this article, a method for distributing a password among a plurality of servers for subsequent use in a provably secure multi-server threshold password authentication process was proposed, where the encryption is of an ElGamal ciphertext of the function g (π C ) −1, where π C is password and g is the generator used to generate the cryptographic keys used for communication between the client and the plurality of server.
Abstract: A method for distributing a password amongst a plurality of servers for subsequent use in a provably secure multi-server threshold password authentication process. A client, having a password to be authenticated by a plurality of servers, generates an encryption of a function of the password. Then, this encryption is provided to each of the servers for use in subsequent password authentication. In accordance with one illustrative embodiment of the invention, the encryption is of an ElGamal ciphertext of the function g (π C ) −1 , where π C is password and g is the generator used to generate the cryptographic keys used for communication between the client and the plurality of servers.
Patent•
28 Feb 2002
TL;DR: In this paper, the authors proposed a user identification method by an indirect password, which allows for a password control system to identify user by a received value, which is calculated with a predetermined function known to both user and password control systems, and a value of a variable, provided from a password controlling system, according to which, password cannot be embezzled in the input stage and hacking by intercept on the transmission line is to be in vain.
Abstract: The present invention relates to a user identification method by an indirect password, which allows for a password control system to identify user by a received value, which is calculated with a predetermined function known to both user and password control system, and a value of a variable, which is provided from a password control system. According to the present invention, password cannot be embezzled in the input stage and hacking by intercept on the transmission line is to be in vain.
01 Feb 2002
TL;DR: This memo specifies Microsoft's Windows 2000 Kerberos change password and set password protocols.
Abstract: This memo specifies Microsoft's Windows 2000 Kerberos change password and set password protocols. The Windows 2000 Kerberos change password protocol interoperates with the original Kerberos change password protocol. Change password is a request reply protocol that includes a KRB_PRIV message that contains the new password for the user.