
Showing papers on "Password strength published in 2008"


Journal Article
TL;DR: A new graphical password scheme, Pass-Go, in which a user selects intersections on a grid as a way to input a password, which supports most application environments and input devices, and can be used to derive cryptographic keys.
Abstract: Inspired by an old Chinese game, Go, we have designed a new graphical password scheme, Pass-Go, in which a user selects intersections on a grid as a way to input a password. While offering an extremely large full password space (256 bits for the most basic scheme), our scheme provides acceptable usability, as empirically demonstrated by, to the best of our knowledge, the largest user study (167 subjects involved) on graphical passwords, conducted in the fall semester of 2005 in two university classes. Our scheme supports most application environments and input devices, rather than being limited to small mobile devices (PDAs), and can be used to derive cryptographic keys. We study the memorable password space and show the potential power of this scheme by exploring further improvements and variation mechanisms.

218 citations


Journal ArticleDOI
TL;DR: It is shown that a secure password based key exchange protocol can be efficiently transformed to a smart-card-based password authentication scheme provided that there exist pseudorandom functions and target collision resistant hash functions.

197 citations


Proceedings ArticleDOI
23 Jul 2008
TL;DR: The results show that the PTP variations significantly improved the security of users' passwords, and found that those participants who had a high number of random characters placed into their passwords would deliberately choose weaker pre-improvement passwords to compensate for the memory load.
Abstract: Password restriction policies and advice on creating secure passwords have limited effects on password strength. Influencing users to create more secure passwords remains an open problem. We have developed Persuasive Text Passwords (PTP), a text password creation system which leverages Persuasive Technology principles to influence users in creating more secure passwords without sacrificing usability. After users choose a password during creation, PTP improves its security by placing randomly-chosen characters at random positions into the password. Users may shuffle to be presented with randomly-chosen and positioned characters until they find a combination they feel is memorable. In this paper, we present an 83-participant user study testing four PTP variations. Our results show that the PTP variations significantly improved the security of users' passwords. We also found that those participants who had a high number of random characters placed into their passwords would deliberately choose weaker pre-improvement passwords to compensate for the memory load. As a consequence of this compensatory behaviour, there was a limit to the gain in password security achieved by PTP.
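How the insertion step works, as an added example (code written for this page, not the PTP system from the paper): `ptp_improve` places k randomly chosen characters at k distinct random positions, `shuffle_until` models the shuffle button, `strip_inserted` recovers the user's original choice, and `added_bits` gives the upper bound on the extra guessing work. The character pool, the seeding interface and the 100-try limit are assumptions of this example.

```python
import math
import random
import string

# Characters PTP may insert (assumption: printable ASCII without space, 94 symbols).
POOL = string.ascii_letters + string.digits + string.punctuation


def ptp_improve(password, k, rng=None):
    """Insert k randomly chosen characters at k distinct random positions.

    `rng` may be a random.Random, an int seed, or None (OS entropy).
    Returns the improved password and the list of (index, char) pairs that
    were inserted, indexed into the improved string, so a UI can highlight
    them and a caller can recover the user's original choice.
    """
    if not password or k < 0:
        raise ValueError("need a non-empty password and k >= 0")
    rng = rng if isinstance(rng, random.Random) else random.Random(rng)
    slots = sorted(rng.sample(range(len(password) + k), k))
    inserted = [(pos, rng.choice(POOL)) for pos in slots]
    fill = dict(inserted)
    original = iter(password)
    improved = "".join(fill[i] if i in fill else next(original)
                       for i in range(len(password) + k))
    return improved, inserted


def strip_inserted(improved, inserted):
    """Undo ptp_improve: drop the inserted characters."""
    drop = {pos for pos, _ in inserted}
    return "".join(ch for i, ch in enumerate(improved) if i not in drop)


def shuffle_until(password, k, accept, seed=None, max_tries=100):
    """Model the 'shuffle' button: re-draw the random characters until the
    user (here, the `accept` predicate) finds a candidate memorable."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        candidate, _ = ptp_improve(password, k, rng)
        if accept(candidate):
            return candidate
    raise RuntimeError("user rejected every candidate")


def added_bits(length, k, pool_size=len(POOL)):
    """Upper bound on the extra guessing work in bits: an attacker who already
    knows the pre-improvement password must still find k positions among
    length+k slots and k characters from the pool. Shuffling (the user picks
    a favourite among candidates) and the compensating weaker base passwords
    reported in the study both lower the realised gain below this figure."""
    return math.log2(math.comb(length + k, k) * pool_size ** k)
```

Two random characters in an 8-character password add at most about 18.6 bits; the study's point is that the realised gain is smaller, because users offset the memory load by weakening the part they choose themselves.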

175 citations


Journal ArticleDOI
TL;DR: The results quantitatively support suggestions that user-drawn graphical password systems employ measures, such as graphical password rules or guidelines and proactive password checking.
Abstract: In commonplace text-based password schemes, users typically choose passwords that are easy to recall, exhibit patterns, and are thus vulnerable to brute-force dictionary attacks. This leads us to ask whether other types of passwords (e.g., graphical) are also vulnerable to dictionary attack because of users tending to choose memorable passwords. We suggest a method to predict and model a number of such classes for systems where passwords are created solely from a user's memory. We hypothesize that these classes define weak password subspaces suitable for an attack dictionary. For user-drawn graphical passwords, we apply this method with cognitive studies on visual recall. These cognitive studies motivate us to define a set of password complexity factors (e.g., reflective symmetry and stroke count), which define a set of classes. To better understand the size of these classes and, thus, how weak the password subspaces they define might be, we use the “Draw-A-Secret” (DAS) graphical password scheme of Jermyn et al. [1999] as an example. We analyze the size of these classes for DAS under convenient parameter choices and show that they can be combined to define apparently popular subspaces that have bit sizes ranging from 31 to 41—a surprisingly small proportion of the full password space (58 bits). Our results quantitatively support suggestions that user-drawn graphical password systems employ measures, such as graphical password rules or guidelines and proactive password checking.
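A proactive checker for DAS-style drawings that flags the weak classes the abstract describes, as an added example (not code from the paper, which sizes the classes rather than shipping a checker). The 5x5 grid and the pen-up marker follow the DAS encoding of Jermyn et al.; the stroke-count and length thresholds and the global-symmetry test are assumptions of this example.

```python
GRID = 5                      # DAS uses a 5x5 grid (Jermyn et al.)
PEN_UP = (GRID, GRID)         # off-grid marker that ends a stroke in the encoding

# Thresholds for the weak-subspace check (assumptions for this example, not
# the paper's class boundaries).
MIN_STROKES = 4               # drawings with few strokes fall in small classes
MIN_LENGTH = 8                # total cells visited (DAS "password length")


def validate(strokes):
    """A stroke is a pen-down..pen-up path: consecutive cells must be
    4-adjacent (DAS records the cell sequence of a continuous pen movement)."""
    if not strokes or any(len(s) == 0 for s in strokes):
        raise ValueError("every stroke must visit at least one cell")
    for stroke in strokes:
        for (r, c) in stroke:
            if not (0 <= r < GRID and 0 <= c < GRID):
                raise ValueError(f"cell {(r, c)} is off the {GRID}x{GRID} grid")
        for (r1, c1), (r2, c2) in zip(stroke, stroke[1:]):
            if abs(r1 - r2) + abs(c1 - c2) != 1:
                raise ValueError(f"{(r1, c1)} -> {(r2, c2)} is not a pen movement")


def encode(strokes):
    """DAS encoding: the cells of each stroke followed by the pen-up marker."""
    validate(strokes)
    out = []
    for stroke in strokes:
        out.extend(stroke)
        out.append(PEN_UP)
    return out


def password_length(strokes):
    return sum(len(s) for s in strokes)


def drawn_cells(strokes):
    return {cell for stroke in strokes for cell in stroke}


def is_reflectively_symmetric(strokes):
    """True if the drawn cells are mirror images across the grid's vertical
    or horizontal centre line (the global-symmetry factor; per-stroke and
    off-centre axes are finer cases this example does not handle)."""
    pts = drawn_cells(strokes)
    mirror_v = {(r, GRID - 1 - c) for r, c in pts}
    mirror_h = {(GRID - 1 - r, c) for r, c in pts}
    return pts == mirror_v or pts == mirror_h


def weak_subspace_reasons(strokes):
    """Proactive check: return why a drawing falls in a popular (weak) class;
    an empty list means it passed."""
    validate(strokes)
    reasons = []
    if len(strokes) < MIN_STROKES:
        reasons.append(f"only {len(strokes)} strokes (minimum {MIN_STROKES})")
    if password_length(strokes) < MIN_LENGTH:
        reasons.append(f"length {password_length(strokes)} (minimum {MIN_LENGTH})")
    if is_reflectively_symmetric(strokes):
        reasons.append("reflectively symmetric about a centre axis")
    return reasons
```

A single-stroke square centred on the grid is rejected on two counts (one stroke, symmetric), while a scattered four-stroke drawing of the same length passes; this is the kind of rule the abstract argues user-drawn schemes need, and the thresholds would be tuned against the class sizes the paper computes.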

121 citations


Proceedings ArticleDOI
08 Dec 2008
TL;DR: A novel graphical password strategy Yet Another Graphical Password (YAGP) inspired by DAS is proposed in this paper and has the advantages of free drawing positions, strong shoulder surfing resistance and large password space.
Abstract: Alphanumeric passwords are widely used in computer and network authentication to protect users' privacy. However, it is well known that long, text-based passwords are hard for people to remember, while shorter ones are susceptible to attack. Graphical password is a promising solution to this problem. Draw-A-Secret (DAS) is a typical implementation based on the user drawing on a grid canvas. Currently, too many constraints result in reduction in user experience and prevent its popularity. A novel graphical password strategy Yet Another Graphical Password (YAGP) inspired by DAS is proposed in this paper. The proposal has the advantages of free drawing positions, strong shoulder surfing resistance and large password space. Experiments illustrate the effectiveness of YAGP.

101 citations


Proceedings ArticleDOI
30 Nov 2008
TL;DR: The method can overcome threats such as key-loggers, weak password, and shoulder surfing and can be leveraged by many organizations without forcing the user to memorize different passwords or carrying around different tokens.
Abstract: In this paper, we present a series of methods to authenticate a user with a graphical password. To that end, we employ the user's personal handheld device as the password decoder and the second factor of authentication. In our methods, a service provider challenges the user with an image password. To determine the appropriate click points and their order, the user needs some hint information transmitted only to her handheld device. We show that our method can overcome threats such as key-loggers, weak password, and shoulder surfing. With the increasing popularity of handheld devices such as cell phones, our approach can be leveraged by many organizations without forcing the user to memorize different passwords or carrying around different tokens.

98 citations


Journal ArticleDOI
TL;DR: It is shown that this protocol is vulnerable to a kind of man-in-the-middle attack that exploits an authentication flaw in their protocol and is subject to the undetectable on-line dictionary attack.

95 citations


Journal ArticleDOI
TL;DR: The 3-D password can combine most existing authentication schemes such as textual passwords, graphical passwords, and various types of biometrics into a 3-D virtual environment, and the design of the environment and the type of objects selected determine the 3-D password key space.
Abstract: Current authentication systems suffer from many weaknesses. Textual passwords are commonly used; however, users do not follow their requirements. Users tend to choose meaningful words from dictionaries, which make textual passwords easy to break and vulnerable to dictionary or brute force attacks. Many available graphical passwords have a password space that is less than or equal to the textual password space. Smart cards or tokens can be stolen. Many biometric authentications have been proposed; however, users tend to resist using biometrics because of their intrusiveness and the effect on their privacy. Moreover, biometrics cannot be revoked. In this paper, we present and evaluate our contribution, i.e., the 3-D password. The 3-D password is a multifactor authentication scheme. To be authenticated, we present a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions toward the objects inside the 3-D environment constructs the user's 3-D password. The 3-D password can combine most existing authentication schemes such as textual passwords, graphical passwords, and various types of biometrics into a 3-D virtual environment. The design of the 3-D virtual environment and the type of objects selected determine the 3-D password key space.

79 citations


Patent
22 Oct 2008
TL;DR: In this article, a method of authenticating an online transaction over a first network using 2-factor authentication of the user to defeat hacker attacks was proposed, where the communication device is configured to receive messages over a second network independent of the first network.
Abstract: A method of authenticating an online transaction over a first network uses 2-factor authentication of the user to defeat hacker attacks. A communication device is registered for use with the method. The communication device is configured to receive messages over a second network independent of the first network. The user is authenticated over the first network using a first factor, such as a username and password, and then initiates the transaction. A request to execute the transaction is received and a one-time password is obtained to be used as a second factor of authentication. The one-time password and details describing the transaction are sent to the communication device over the second network. The one-time password is received from the user over the first network to complete the second factor of authentication.
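The flow in the claim, as an added example written for this page rather than the patent's implementation: the server records the requested transaction, mints a one-time password and pushes the OTP plus the transaction details to the registered device over a stand-in second channel; the user compares the details with what they intended, then returns the OTP over the first network. Field names, the OTP format, the nonce and the 120-second lifetime are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee: str          # constructed sample fields; a real system would carry more
    amount_cents: int
    currency: str


class SecondChannel:
    """Stand-in for the independent network (SMS, push): delivers a message to
    a registered device address and keeps it so the 'user' can read it."""
    def __init__(self):
        self.inbox = {}

    def send(self, device_address, message):
        self.inbox[device_address] = message


class TransactionAuthServer:
    """Server side of the method: the first factor (username/password over the
    first network) is assumed already verified before request() is called."""
    def __init__(self, channel, ttl_seconds=120, clock=time.time):
        self.channel, self.ttl, self.clock = channel, ttl_seconds, clock
        self.devices = {}    # user -> registered device address
        self.pending = {}    # (user, nonce) -> (otp, transaction, expiry)

    def register_device(self, user, device_address):
        self.devices[user] = device_address

    def request(self, user, txn):
        """Record the transaction exactly as received, mint a fresh OTP, and send
        OTP plus transaction details to the device over the second channel."""
        nonce = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**8):08d}"
        self.pending[(user, nonce)] = (otp, txn, self.clock() + self.ttl)
        self.channel.send(self.devices[user], {"nonce": nonce, "otp": otp, "txn": txn})
        return nonce

    def confirm(self, user, nonce, otp):
        """Second factor, typed back over the first network. Single use, time
        limited, constant-time compared. Executes the *stored* transaction, so a
        party that altered the request in flight cannot substitute its own
        details at this step; the user already saw the stored ones on the device."""
        entry = self.pending.pop((user, nonce), None)
        if entry is None:
            return None
        expected_otp, txn, expiry = entry
        if self.clock() > expiry:
            return None
        if not hmac.compare_digest(expected_otp, otp):
            return None
        return txn           # the transaction that will now be executed


def user_approves(intended, shown):
    """What the user must do with the device message: compare the details shown
    with the transaction they meant to make, and only then type the OTP."""
    return intended == shown
```

The security rests on two things the code makes explicit: the details shown on the device are the ones the server stored and will execute, and the user refuses to type the OTP when they differ. A malware-altered request therefore shows the attacker's payee on the phone; the scheme does not help if the user confirms without reading.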

76 citations


Book ChapterDOI
16 Apr 2008
TL;DR: J-PAKE (Password Authenticated Key Exchange by Juggling) achieves mutual authentication in two steps: first, the two parties send ephemeral public keys to each other; second, they encrypt the shared password by juggling the public keys in a verifiable way, so that the protocol reveals nothing except whether the two passwords are the same.
Abstract: Password-Authenticated Key Exchange (PAKE) studies how to establish secure communication between two remote parties solely based on their shared password, without requiring a Public Key Infrastructure (PKI). Despite extensive research in the past decade, this problem remains unsolved. Patent has been one of the biggest brakes in deploying PAKE solutions in practice. Besides, even for the patented schemes like EKE and SPEKE, their security is only heuristic; researchers have reported some subtle but worrying security issues. In this paper, we propose to tackle this problem using an approach different from all past solutions. Our protocol, Password Authenticated Key Exchange by Juggling (J-PAKE), achieves mutual authentication in two steps: first, two parties send ephemeral public keys to each other; second, they encrypt the shared password by juggling the public keys in a verifiable way. The first use of such a juggling technique was seen in solving the Dining Cryptographers problem in 2006. Here, we apply it to solve the PAKE problem, and show that the protocol is zero-knowledge as it reveals nothing except one-bit information: whether the supplied passwords at two sides are the same. With clear advantages in security, our scheme has comparable efficiency to the EKE and SPEKE protocols.
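To make the two-round structure concrete, here is a toy run of J-PAKE in Python. This is an added example written for this page, not the authors' code. It uses a 62-bit safe-prime group found at start-up purely so it runs quickly; a real deployment uses a 2048-bit MODP group or an elliptic curve, and constant-time arithmetic. The identities, the password-to-exponent mapping, the hash-based Schnorr proofs and the key-derivation hash are assumptions of the example.

```python
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=62):
    """(p, q, g) with p = 2q + 1 prime; g = 4 is a non-trivial square, so it generates the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

def H(*parts):
    """Hash of length-prefixed fields (ints as 32-byte big-endian, strings as UTF-8)."""
    h = hashlib.sha256()
    for part in parts:
        b = part.encode() if isinstance(part, str) else part.to_bytes(32, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")

def zk_prove(gen, x, X, ident, grp):
    """Schnorr proof of knowledge of x in X = gen^x, bound to the prover's identity."""
    p, q, _ = grp
    v = 1 + secrets.randbelow(q - 1)
    V = pow(gen, v, p)
    return V, (v - x * H(gen, V, X, ident)) % q

def zk_verify(gen, X, proof, ident, grp):
    p, q, _ = grp
    V, r = proof
    if not (1 < X < p and pow(X, q, p) == 1):   # reject the identity and non-subgroup values
        return False
    return pow(gen, r, p) * pow(X, H(gen, V, X, ident) % q, p) % p == V

class Party:
    def __init__(self, ident, password, grp):
        self.grp, self.id = grp, ident
        self.p, self.q, self.g = grp
        self.s = 1 + H(password) % (self.q - 1)        # password -> exponent in [1, q-1]
        self.x1 = 1 + secrets.randbelow(self.q - 1)
        self.x2 = 1 + secrets.randbelow(self.q - 1)     # J-PAKE requires x2 != 0

    def round1(self):
        self.g1, self.g2 = pow(self.g, self.x1, self.p), pow(self.g, self.x2, self.p)
        return (self.id, self.g1, zk_prove(self.g, self.x1, self.g1, self.id, self.grp),
                self.g2, zk_prove(self.g, self.x2, self.g2, self.id, self.grp))

    def round2(self, msg):
        peer, g3, pf3, g4, pf4 = msg
        if peer == self.id or not (zk_verify(self.g, g3, pf3, peer, self.grp)
                                   and zk_verify(self.g, g4, pf4, peer, self.grp)):
            raise ValueError("round 1 verification failed")
        self.peer, self.g3, self.g4 = peer, g3, g4
        base = self.g1 * g3 * g4 % self.p                # g^(x1 + x3 + x4)
        exp = self.x2 * self.s % self.q
        A = pow(base, exp, self.p)                       # the juggled password: g^((x1+x3+x4) x2 s)
        return self.id, A, zk_prove(base, exp, A, self.id, self.grp)

    def session_key(self, msg):
        peer, B, pfB = msg
        base = self.g1 * self.g2 * self.g3 % self.p      # the base the peer must have used
        if peer != self.peer or not zk_verify(base, B, pfB, peer, self.grp):
            raise ValueError("round 2 verification failed")
        # K = (B / g4^(x2 s))^x2 = g^((x1+x3) x2 x4 s), equal on both sides only for equal s
        mask = pow(self.g4, self.x2 * self.s % self.q, self.p)
        K = pow(B * pow(mask, -1, self.p) % self.p, self.x2, self.p)
        return hashlib.sha256(K.to_bytes(32, "big")).digest()

def run_jpake(pw_a, pw_b, grp):
    """Drive both parties through the two rounds; returns (key_a, key_b)."""
    alice, bob = Party("alice", pw_a, grp), Party("bob", pw_b, grp)
    m1a, m1b = alice.round1(), bob.round1()
    m2a, m2b = alice.round2(m1b), bob.round2(m1a)
    return alice.session_key(m2b), bob.session_key(m2a)
```

With equal passwords the two derived keys agree; with different passwords they differ, and because each side only ever sees the juggled values, neither learns anything about the other's password beyond that single bit, which is the zero-knowledge property the abstract claims. The Schnorr proofs are what stop a party from choosing x2 = 0 or echoing back the other side's public keys; a final key-confirmation message (omitted here) is what turns "same key" into explicit mutual authentication.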

64 citations


Journal ArticleDOI
TL;DR: The security of a password authentication scheme using smart cards proposed by Liao et al. is analyzed and three kinds of attacks are presented in different scenarios.

Journal ArticleDOI
TL;DR: The current paper demonstrates the vulnerability of Chang-Chang's ECC-3PEKE protocol to undetectable on-line password guessing attacks and then presents an enhancement to resolve such security problems.

Journal ArticleDOI
TL;DR: This paper proposes a virtual password concept involving a small amount of human computing to secure users' passwords in on-line environments, ATMs, and pervasive computing, and adopts user-determined randomized linear generation functions to secure users' passwords based on the fact that a server has more information than any adversary does.

Patent
12 Jun 2008
TL;DR: In this paper, a method of controlling access to an interaction context of an application, including receiving login requests pertaining to an access account, each login request including a login password to be matched against an access password associated with the access account is presented.
Abstract: A method of controlling access to an interaction context of an application, including receiving login requests pertaining to an access account, each login request including a login password to be matched against an access password associated with the access account. A database includes at least one account record including a password state field indicating whether the access password is a temporary password or a permanent password and a security hold field indicating whether a security hold has been placed on the access account by an administrator. Access is denied upon receipt of a login request when the login password fails to match the access password. Access is denied upon receipt of a login request when the login password matches the access password, the password state field indicates that the access password is a permanent password, and the security hold field indicates that there is a security hold on the access account. Access is granted upon receipt of a login request when the login password matches the access password, the password state field indicates that the access password is a permanent password, and the security hold field indicates that there is no security hold on the access account. The method includes granting access which is limited to permitting changing of the access password and prompting a change of the access password upon receipt of a login request when the login password matches the access password and the access password is a temporary password.

Journal ArticleDOI
TL;DR: The researchers completed an action research study and successfully implemented a training program to improve system users’ behavior related to passwords and found that after training they were able to use strong passwords without writing them down.
Abstract: This paper is about the design and implementation of techniques and strategies to improve end user behavior in the utilization of passwords within a formal setting. The researchers were requested to investigate the issues inherent in the password management and utilization procedure within the client organization and thereby improve end user behavior in utilization of passwords within the organization. The researchers completed an action research study and successfully implemented a training program to improve system users’ behavior related to passwords. They used a unique approach by designing training for creating passwords to fit with theories pertaining to human memory. In addition, the researchers also created and delivered security awareness training. The end users of the target information systems reported that after training they were able to use strong passwords (A strong password in our organization is one that has 15 characters with at least two numbers and one symbol) without writing them down. Requests to the help desk for password resets decreased. Users also reported that they are much more aware of security threats.

Journal ArticleDOI
TL;DR: This paper proposes an efficient and flexible password authenticated key agreement scheme using bilinear pairings, which can protect the user's privacy and prevent the offline dictionary attack.

Proceedings Article
29 Jul 2008
TL;DR: This work shows that the well-known model of giving a user two passwords, a 'regular' and a 'panic' password, is susceptible to iteration and forced-randomization attacks, and is secure only within a very narrow threat model.
Abstract: Panic passwords allow a user to signal duress during authentication. We show that the well-known model of giving a user two passwords, a 'regular' and a 'panic' password, is susceptible to iteration and forced-randomization attacks, and is secure only within a very narrow threat model. We expand this threat model significantly, making explicit assumptions and tracking four parameters. We also introduce several new panic password systems to address new categories of scenarios.

Journal ArticleDOI
TL;DR: Recently, Chang and Chang proposed a password-based three-party encrypted key exchange protocol that simultaneously possesses round and computation efficiencies, but this paper shows that their protocol is potentially vulnerable toward undetectable on-line password guessing attacks.

Proceedings ArticleDOI
02 Sep 2008
TL;DR: This paper solves the user disguise problem by authenticating users with a public key infrastructure, and guarantees integrity by generating the password by applying a session identifier L and a random value R to a hash function in every applicable session.
Abstract: One-time password mechanisms solve password problems like password guessing and wiretapping that can occur when the same password is used several times repeatedly. However, such one-time password mechanisms are also exposed to various attacks, and are vulnerable in matters of confidentiality and security protection, the most important elements of security, depending on the mechanism. This paper solves the user disguise problem by authenticating users with the use of a public key infrastructure, and guarantees integrity by generating the password by applying a session identifier L and a random value R to a hash function in every applicable session. Additionally, to enhance security while transferring the generated password, the mechanism digitally signs the password with the user's private key, encrypts it again with the service provider's public key, and guarantees non-repudiation by requesting server authentication while being able to verify the identity of the user. Therefore this paper proposes a one-time password mechanism that has enhanced security using a public key infrastructure to prevent integrity problems due to birthday attacks and hash collision problems arising from hash functions. Comparison and analysis with existing one-time password mechanisms shows the advantages of this paper's proposal.

Proceedings ArticleDOI
27 May 2008
TL;DR: This paper proposes a graphical password scheme for user authentication using images with random tracks of geometric shapes that not only is more secure than most existing graphical password schemes, but also solves problems like requiring a large image database, the difficulty of repeating mouse clicks at the same position, and images being too simple, which causes collisions on points selected by different users.
Abstract: User authentication is one of the important topics in information security. Traditional strong password schemes could provide a certain degree of security; however, the fact that strong passwords are difficult to memorize often leads their owners to write them down on paper or even save them in a computer file. As a result, security becomes greatly compromised. On the other hand, knowing that human beings are predominantly visual creatures, many researchers have investigated or developed graphical password schemes recently. In this paper, we propose a graphical password scheme for user authentication using images with random tracks of geometric shapes. Our method not only is more secure than most of the existing graphical password schemes, it also solves problems like requiring a large image database, the difficulty of repeating mouse clicks at the same position, and images being too simple, which causes collisions on points selected for different users.

Patent
27 Oct 2008
TL;DR: In this article, a password-based cryptographic method is carried out between a first party with a specified identity and secret password and a second party with a master secret: the first party generates a short-term secret x and a short-term password-based public key, and the second party transforms that key into a complementary element X using its master secret and a first-party-specific constituent of the first party's long-term password-based public key; x and X then yield matching keys for the two parties.
Abstract: A password-based cryptographic method is effected between a first party with a specified identity and secret password and a second party with a master secret. During a registration phase, a long-term password-based public key is generated for the first party from its password and the master secret of the second party. Subsequently, to generate matching keys, asymmetric or symmetric, for the parties for a specific interaction, the first party generates a short-term secret x, and computes a short-term password-based public key that requires for its computation direct knowledge of the first party's password and secret x; the second party then transforms this short-term password-based public key into an element X, complementary to x, by using its master secret and at least a first-party-specific constituent of the first party's long-term password-based public key. The secret x and element X are then used to provide matching keys for the parties.

Patent
Bin Benjamin Zhu, Min Feng, Aimin Pan, Yuan Kong, Nathan C. Sherman, Hui Fan, Rui Guo, Josh Benaloh
11 Apr 2008
TL;DR: In this article, a two-factor password enhancement technique is proposed that strengthens passwords without requiring any changes on the server side of a client-server network: a secret stored in a personal device such as a mouse is hashed together with the user's password and the server ID, inside the device, to produce a strong, server-specific password.
Abstract: A security-enhanced login technique that provides a convenient and easy-to-use two factor technique to enhance the security of passwords without requiring any changes on the server side of a client-server network. The technique employs a convenient and easy-to-use two-factor technique to generate strong passwords for Web and other applications. In this technique, a convenient or personal device such as a mouse is used as the other factor besides a user password. A secret stored in the mouse or other personal device is hashed together with the password entered by a user and the server ID, to generate a strong, server-specific password which is used to authenticate the user to the server. This password enhancement operation is carried out inside the personal device.

Patent
29 Jul 2008
TL;DR: In this paper, the strength of a password is computed from a formula that relates the length of the password and the types of characters contained in the password to a strength value, which can be performed using a lookup table having values for different characteristics of the passwords, determining partial strength values corresponding to the ranges in which the characteristics fall.
Abstract: Password aging based on the strength of the password provides an incentive for users to generate and/or memorize more complex passwords. The strength of the password is computed from a formula that relates the length of the password and the types of characters contained in the password to a strength value, which can be performed using a lookup table having values for different characteristics of the password, determining partial strength values corresponding to the ranges in which the characteristics fall, and then adding the partial strength values. Alternatively, a separate password strength application may be used to provide the strength value, which is entered by the user or administrator generating a new password. Alternatively, the password may be generated based on a specified desired expiration period, with the strength computation performed to ensure that the strength is sufficient to merit the desired expiration period.

Patent
21 Apr 2008
TL;DR: In this paper, a method of authenticating a user of a terminal operating a server and connected to the terminal through a communication network, in which a password needed for authentication is inputted as icons, rather than numerals or characters, thereby preventing leakage or theft of the password.
Abstract: A method of authenticating a user of a terminal operating a server and connected to the terminal through a communication network, in which a password needed for authentication is inputted as icons, rather than numerals or characters, thereby preventing leakage or theft of the password. Through the present invention, security is improved in processing a password in an information processing device or a communication network, and furthermore, leakage of the password is fundamentally prevented in the process of inputting the password by a user. Therefore, an effect of securing reliability of the overall authentication process may be obtained.

Book ChapterDOI
14 Dec 2008
TL;DR: This paper shows that the TAP protocol is vulnerable to two attacks, and proposes a novel anonymous password-based key exchange protocol, and extends its protocol to the distributed setting, which is secure against the proposed attacks.
Abstract: In Indocrypt 2005 Viet et al. first proposed an anonymous password-based key exchange protocol: APAKE and its extension: k-out-of-n APAKE. Then Shin et al. presented an improved protocol TAP. In this paper, we first show that the TAP protocol is vulnerable to two attacks. One is an impersonating attack and the other is an off-line dictionary attack, which is also applied to k-out-of-n APAKE. Furthermore, we propose a novel anonymous password-based key exchange protocol, and prove its security in the random oracle model under the square computational Diffie-Hellman assumption and decision inverted-additive Diffie-Hellman assumption. We also extend our protocol to the distributed setting, which is secure against the proposed attacks.

Patent
12 Jun 2008
TL;DR: In this paper, a solution for computing password strength based upon layout positions of input mechanisms of an input device that entered a password was proposed, where a password including an ordered sequence of at least two characters can be identified.
Abstract: A solution for computing password strength based upon layout positions of input mechanisms of an input device that entered a password. A password including an ordered sequence of at least two characters can be identified. A position of each of the characters of the sequence can be determined relative to a layout of an input device used for password entry. Each position can correspond to an input region (key) of the input device (keyboard). A proximity algorithm can generate a proximately score for the determined positions based upon a pattern produced by the positions given the layout of the input device. A password strength score can be computed based at least in part upon the proximity score.
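One scoring function combining the two patents above, the strength-to-expiry lookup tables of the aging patent (29 Jul 2008) and the key-layout proximity score of this one, as an added example not taken from either patent. The QWERTY coordinates, the row stagger, the 1.2 key-width adjacency threshold and every table value are assumptions chosen for illustration.

```python
import math

# US QWERTY main block. Each shifted symbol shares its key with the unshifted
# one. Row offsets approximate the physical stagger in key widths (assumption).
_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFT = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
_OFFSET = [0.0, 1.5, 1.75, 2.25]

KEY_POS = {}
for _r, (_row, _shift) in enumerate(zip(_ROWS, _SHIFT)):
    for _c, (_k, _s) in enumerate(zip(_row, _shift)):
        KEY_POS[_k] = KEY_POS[_s] = (_r, _c + _OFFSET[_r])

ADJACENT = 1.2          # centre-to-centre distance that counts as a neighbouring key

# Lookup tables in the style of the aging patent (values are assumptions).
LENGTH_TABLE = [(0, 0), (8, 10), (12, 20), (16, 30)]      # min length -> partial score
CLASS_TABLE = {"lower": 5, "upper": 5, "digit": 5, "symbol": 10}
EXPIRY_TABLE = [(0, 30), (25, 90), (40, 180), (55, 365)]   # min score -> expiry days
PROXIMITY_PENALTY = 20  # points removed from a password typed entirely as a keyboard walk


def partial(value, table):
    """Partial score for the range of `table` that `value` falls in."""
    return max(score for floor, score in table if value >= floor)


def char_classes(password):
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isspace():
            classes.add("symbol")
    return classes


def proximity_score(password):
    """Fraction of consecutive key pairs that sit on neighbouring keys (or the
    same key); 1.0 for a pure keyboard walk such as qwerty, 0.0 for no walk."""
    pairs = list(zip(password, password[1:]))
    if not pairs:
        return 0.0
    close = 0
    for a, b in pairs:
        if a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            if math.hypot(r1 - r2, c1 - c2) <= ADJACENT:
                close += 1
    return close / len(pairs)


def strength(password):
    """Table-driven score: length partial + one partial per character class,
    minus a penalty scaled by the proximity score, floored at zero."""
    length_score = partial(len(password), LENGTH_TABLE)
    class_score = sum(CLASS_TABLE[c] for c in char_classes(password))
    penalty = round(PROXIMITY_PENALTY * proximity_score(password))
    return {"length": length_score, "classes": class_score,
            "proximity_penalty": penalty,
            "total": max(0, length_score + class_score - penalty)}


def expiry_days(score):
    """Password aging: a stronger password earns a longer validity period."""
    return partial(score, EXPIRY_TABLE)
```

The point of the proximity term is that a length-and-character-class table alone rates `1qaz2wsx` as well as any other 8-character lower-plus-digit password, while the key-walk penalty drops it to the shortest expiry bracket; a password such as `Tr0ub4dor&3` keeps most of its table score because only one of its transitions is between neighbouring keys.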

Patent
19 Mar 2008
TL;DR: In this article, a SoC may be utilized to authenticate access to one or more secure functions and a password may be generated within the SoC which is unique to each SoC instance and unique to the iteration of authentication.
Abstract: A SoC may be utilized to authenticate access to one or more secure functions. A password may be generated within the SoC which is unique to each SoC instance and unique to each iteration of authentication. The SoC may challenge external entities attempting access to provide a matching password. A random number sample may be generated within the SoC and stored. A chip ID, secret word and a table of keys with key indices are also stored in memory. Two or more of the stored items may be passed to a hash function to generate the password. The external entity may generate and return the password utilizing information communicated from the SoC during each authentication operation as well as information known a priori. The SoC may compare the returned password with the internally generated password and may grant access to the secure functions.

Proceedings Article
29 Jul 2008
TL;DR: This work exploits the fact that many users now own or have access to a large quantity of digitized personal or personally meaningful content in designing an object-based password scheme called ObPwd, which may enable users to create and maintain high quality passwords.
Abstract: Security proponents heavily emphasize the importance of choosing a strong password (one with high entropy). Unfortunately, by design, most humans are apparently incapable of generating such passwords, or memorizing a random-looking, machine-generated one for long-term use. Infrequently used passwords pose even bigger security and usability problems. We exploit the fact that many users now own or have access to a large quantity of digitized personal or personally meaningful content in designing an object-based password scheme called ObPwd. ObPwd enables users to select a password generating object from their local collection or from the web, and then converts the password object (e.g. an image, a particular piece of music, excerpt from a book) to a (potentially) high-entropy text password that can be used for regular or secondary web authentication, or in local applications (e.g. encryption). Instead of requiring users to memorize an exact password, ObPwd only requires one to remember a hint or pointer to the password object used. We believe that choosing digital objects as passwords is an interesting alternative to explore, and may enable users to create and maintain high quality passwords. We have implemented a prototype, and solicit feed-back from the research community in regard to using digital objects as passwords.

Journal Article
TL;DR: A summary of the responses of students to a survey on password practices and attitudes is presented and the results of an experiment are presented to determine the effect of a brief presentation of password security best practices on students.
Abstract: Passwords are the core authentication method behind most computer security systems. This paper presents a summary of the responses of students to a survey on password practices and attitudes. The paper also presents the results of an experiment to determine the effect of a brief presentation of password security best practices on students.
