
Showing papers on "Password strength published in 2009"


Proceedings ArticleDOI
17 May 2009
TL;DR: This paper discusses a new method that generates password structures in highest probability order by automatically creating a probabilistic context-free grammar based upon a training set of previously disclosed passwords, and then generating word-mangling rules to be used in password cracking.
Abstract: Choosing the most effective word-mangling rules to use when performing a dictionary-based password cracking attack can be a difficult task. In this paper we discuss a new method that generates password structures in highest probability order. We first automatically create a probabilistic context-free grammar based upon a training set of previously disclosed passwords. This grammar then allows us to generate word-mangling rules, and from them, password guesses to be used in password cracking. We will also show that this approach seems to provide a more effective way to crack passwords as compared to traditional methods by testing our tools and techniques on real password sets. In one series of experiments, training on a set of disclosed passwords, our approach was able to crack 28% to 129% more passwords than John the Ripper, a publicly available standard password cracking program.

491 citations


Proceedings ArticleDOI
10 May 2009
TL;DR: This paper describes a method of implementing two factor authentication using mobile phones that guarantees that authenticating to services, such as online banking or ATM machines, is done in a very secure manner.
Abstract: This paper describes a method of implementing two factor authentication using mobile phones. The proposed method guarantees that authenticating to services, such as online banking or ATM machines, is done in a very secure manner. The proposed system involves using a mobile phone as a software token for One Time Password generation. The generated One Time Password is valid for only a short user-defined period of time and is generated by factors that are unique to both the user and the mobile device itself. Additionally, an SMS-based mechanism is implemented as both a backup mechanism for retrieving the password and as a possible means of synchronization. The proposed method has been implemented and tested. Initial results show the success of the proposed method.

308 citations


Proceedings ArticleDOI
04 Apr 2009
TL;DR: It is found that frequency of access to a graphical password, interference resulting from interleaving access to multiple graphical passwords, and patterns of access while training multiple graphical passwords significantly impact the ease of authenticating using multiple facial graphical passwords.
Abstract: Graphical password systems have received significant attention as one potential solution to the need for more usable authentication, but nearly all prior work makes the unrealistic assumption of studying a single password. This paper presents the first study of multiple graphical passwords to systematically examine frequency of access to a graphical password, interference resulting from interleaving access to multiple graphical passwords, and patterns of access while training multiple graphical passwords. We find that all of these factors significantly impact the ease of authenticating using multiple facial graphical passwords. For example, participants who accessed four different graphical passwords per week were ten times more likely to completely fail to authenticate than participants who accessed a single password once per week. Our results underscore the need for more realistic evaluations of the use of multiple graphical passwords, have a number of implications for the adoption of graphical password systems, and provide a new basis for comparing proposed graphical password systems.

121 citations


Posted Content
TL;DR: A survey on graphical password schemes from 2005 till 2009 is presented which are proposed to be resistant against shoulder surfing attacks and are presented as possible alternative solutions to text-based scheme.
Abstract: Information and computer security is supported largely by passwords, which are the principal part of the authentication process. The most common computer authentication method is to use an alphanumerical username and password, which has significant drawbacks. To overcome the vulnerabilities of traditional methods, visual or graphical password schemes have been developed as possible alternative solutions to text-based schemes. A potential drawback of graphical password schemes is that they are more vulnerable to shoulder surfing than conventional alphanumeric text passwords. When users input their passwords in a public place, they may be at risk of attackers stealing their password. An attacker can capture a password by direct observation or by recording the individual's authentication session. This is referred to as shoulder-surfing and is a known risk, of special concern when authenticating in public places. In this paper we will present a survey on graphical password schemes from 2005 till 2009 which are proposed to be resistant against shoulder surfing attacks.

114 citations


Journal ArticleDOI
TL;DR: This paper proposes that interference between different passwords is one of the major challenges to multiple-password recall and that interference alleviation methods can significantly improve multiple-password recall and demonstrates the potential merit of practices targeting multiple-password interference.
Abstract: As one of the most common authentication methods, passwords help secure information by granting access only to authorized parties. To be effective, passwords should be strong, secret, and memorable. While password strength can be enforced by automated information technology policies, users frequently jeopardize secrecy to improve memorability. The password memorability problem is exacerbated by the number of different passwords a user is required to remember. While short-term memory theories have been applied to individual-password management problems, the relationship between memory and the multiple-password problem has not been examined. This paper treats the multiple-password management crisis as a search and retrieval problem involving human beings’ long-term memory. We propose that interference between different passwords is one of the major challenges to multiple-password recall and that interference alleviation methods can significantly improve multiple-password recall. A lab experiment was conducted to examine the effectiveness of two interference alleviation methods: the list reduction method and the unique identifier method. While both methods improve multiple-password recall performance, the list reduction method leads to statistically significant improvement. The results demonstrate the potential merit of practices targeting multiple-password interference. By introducing long-term memory theory to multiple-password memorability issues, this study presents implications benefiting users and serves as the potential starting point for future research.

89 citations


Proceedings Article
01 Jan 2009
TL;DR: The concepts of password and account grouping point the way toward more intuitive user interfaces for password- and account-management systems.
Abstract: The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the 'weakest link' in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. We have studied how users perceive their accounts and their passwords. Our participants mentally classified their accounts and passwords into a few groups, based on a small number of perceived similarities. Our participants used stronger passwords, and reused passwords less, in account groups which they considered more important. Our participants thus demonstrated awareness of the basic tenets of password safety, but they did not behave safely in all respects. Almost half of our participants reused at least one of the passwords in their high-importance accounts. Our findings add to the body of evidence that a typical computer user suffers from 'password overload'. Our concepts of password and account grouping point the way toward more intuitive user interfaces for password- and account-management systems.

86 citations


Journal ArticleDOI
TL;DR: In this paper, a model of password protection intentions for online users was proposed by using the protection motivation theory, and data were collected from 182 college students of 3 universities in the southern United States.
Abstract: By using the protection motivation theory, this article tests a model of password protection intentions for online users. Hypotheses are proposed concerning the intention to engage in good password practices. Data were collected from 182 college students of 3 universities in the southern United States. The results suggest that fear, response cost, and response efficacy are significantly related to online password protection intentions. However, perceived severity and vulnerability are not significant predictors. The study suggests that reducing cognitive costs for passwords is imperative.

82 citations


Proceedings ArticleDOI
07 Dec 2009
TL;DR: A novel graphical password scheme ColorLogin is proposed, which uses background color, a method not previously considered, to decrease login time greatly and is resistant to shoulder surfing and intersection attack to a certain extent.
Abstract: Graphical passwords are believed to be more secure than traditional textual passwords, but the authentications are usually complex and boring for users. Furthermore, most of the existing graphical password schemes are vulnerable to spyware and shoulder surfing. A novel graphical password scheme ColorLogin is proposed in this paper. ColorLogin is implemented in an interesting game way to weaken the boring feelings of the authentication. ColorLogin uses background color, a method not previously considered, to decrease login time greatly. Multiple colors are used to confuse the peepers, while not burdening the legitimate users. Meanwhile, the scheme is resistant to shoulder surfing and intersection attack to a certain extent. Experiments illustrate the effectiveness of ColorLogin.

71 citations


Journal ArticleDOI
TL;DR: It is first shown that S-3PAKE is vulnerable to an off-line dictionary attack in which an attacker exhaustively enumerates all possible passwords in an off-line manner to determine the correct one, and how to eliminate the security vulnerability of S-3PAKE.
Abstract: Key exchange protocols allow two or more parties communicating over a public network to establish a common secret key called a session key. Due to their significance in building a secure communication channel, a number of key exchange protocols have been suggested over the years for a variety of settings. Among these is the so-called S-3PAKE protocol proposed by Lu and Cao for password-authenticated key exchange in the three-party setting. In the current work, we are concerned with the password security of the S-3PAKE protocol. We first show that S-3PAKE is vulnerable to an off-line dictionary attack in which an attacker exhaustively enumerates all possible passwords in an off-line manner to determine the correct one. We then figure out how to eliminate the security vulnerability of S-3PAKE.

59 citations


Journal ArticleDOI
TL;DR: It is found that the STPKE protocol is still vulnerable to undetectable on-line password guessing attacks by using formal description, BPR model, and a countermeasure is suggested to resist these attacks.

57 citations


Proceedings ArticleDOI
07 Mar 2009
TL;DR: A stroke-based textual password authentication scheme that uses shapes of strokes on the grid as the origin passwords and allows users to login with text passwords via traditional input devices and has flexible enhancements to secure the authentication process.
Abstract: Textual-based password authentication schemes tend to be more vulnerable to attacks such as shoulder-surfing and hidden cameras. To overcome the vulnerabilities of traditional methods, visual or graphical password schemes have been developed as possible alternative solutions to text-based schemes. Because simply adopting graphical password authentication also has some drawbacks, some hybrid schemes based on graphics and text were developed. In this paper, we propose a stroke-based textual password authentication scheme. It uses shapes of strokes on the grid as the origin passwords and allows users to login with text passwords via traditional input devices. The method provides strong resistance to hidden cameras and shoulder-surfing. Moreover, the scheme has flexible enhancements to secure the authentication process. The analysis of the security of this approach is also discussed.

Journal ArticleDOI
TL;DR: It is found that Wang et al.'s scheme is still vulnerable to an impersonation attack and an off-line password guessing attack, and an improved scheme with better security strength is proposed.

Proceedings ArticleDOI
25 Aug 2009
TL;DR: The proposed scheme based on QR code not only eliminates the usage of the password verification table, but also is a cost effective solution since most internet users already have mobile phones.
Abstract: User authentication is one of the fundamental procedures to ensure secure communications and share system resources over an insecure public network channel. In particular, the purpose of the one-time password is to make it more difficult to gain unauthorized access to restricted resources. Instead of using the password file as conventional authentication systems do, many researchers have devoted themselves to implementing various one-time password schemes using smart cards, time-synchronized tokens or short message service in order to reduce the risk of tampering and maintenance cost. However, these schemes are impractical because of the far-from-ubiquitous hardware devices or the infrastructure requirements. To remedy these weaknesses, the attraction of the QR code technique can be introduced into our one-time password authentication protocol. Unlike before, the proposed scheme based on QR code not only eliminates the usage of the password verification table, but also is a cost effective solution since most internet users already have mobile phones.

Posted Content
TL;DR: This paper has described eight recognition based authentication algorithms in terms of their drawbacks and attacks and presented a comparison table of all recognition based algorithms based on ISO and attack patterns standards.
Abstract: Nowadays, user authentication is one of the important topics in information security. Strong text-based password schemes could provide a certain degree of security. However, the fact that strong passwords are difficult to memorize often leads their owners to write them down on paper or even save them in a computer file. Graphical authentication has been proposed as a possible alternative solution to text-based authentication, motivated particularly by the fact that humans can remember images better than text. In recent years, many networks, computer systems and Internet based environments have tried to use graphical authentication techniques for their users' authentication. All graphical passwords have two different aspects, which are usability and security. Unfortunately none of these algorithms were able to cover both of these aspects at the same time. In this paper, we describe eight recognition based authentication algorithms in terms of their drawbacks and attacks. In the next section, the usability standards from ISO and the related attributes for graphical user authentication usability are discussed. The related attack patterns for the graphical user authentication security part are also discussed. Finally, a comparison table of all recognition based algorithms is presented based on ISO and attack pattern standards.

Patent
22 Apr 2009
TL;DR: In this article, a challenge response scheme was proposed to authenticate a requesting device by an authenticating device by generating and issuing a challenge to the requesting device; the requesting device combines the challenge with a hash of a password provided by a user, and the combination is further hashed in order to generate a requesting encryption key used to encrypt the user supplied password.
Abstract: A challenge response scheme authenticates a requesting device by an authenticating device. The authenticating device generates and issues a challenge to the requesting device. The requesting device combines the challenge with a hash of a password provided by a user, and the combination is further hashed in order to generate a requesting encryption key used to encrypt the user supplied password. The encrypted user supplied password is sent to the authenticating device as a response to the issued challenge. The authenticating device generates an authenticating encryption key by generating the hash of a combination of the challenge and a stored hash of an authenticating device password. The authenticating encryption key is used to decrypt the response in order to retrieve the user-supplied password. If the user-supplied password hash matches the stored authenticating device password hash, the requesting device is authenticated and the authenticating device is in possession of the password.

Proceedings ArticleDOI
20 Jul 2009
TL;DR: This paper proposes two novel graphical password methods based on recognition of icons to solve the hotspot problem without decreasing the password space.
Abstract: Click based graphical passwords that use background images suffer from the hot-spot problem. Previous graphical password schemes based on recognition of images do not have a sufficiently large password space suited for most Internet applications. In this paper, we propose two novel graphical password methods based on recognition of icons to solve the hotspot problem without decreasing the password space. The experiment we have conducted, which compares the security and usability of the proposed methods with earlier work (i.e. Passpoints), shows that the hotspot problem can be eliminated if a small increase in password entrance and confirmation times is tolerable.

Proceedings ArticleDOI
Xavier Boyen
10 Mar 2009
TL;DR: The venerable question of access credentials management is revisited, and a user-centric comprehensive model is proposed to capture the possible threats posed by online and offline attackers, from the outside and the inside, against the security of both the plaintext and the password.
Abstract: We revisit the venerable question of access credentials management, which concerns the techniques that we, humans with limited memory, must employ to safeguard our various access keys and tokens in a connected world. Although many existing solutions can be employed to protect a long secret using a short password, those solutions typically require certain assumptions on the distribution of the secret and/or the password, and are helpful against only a subset of the possible attackers. After briefly reviewing a variety of approaches, we propose a user-centric comprehensive model to capture the possible threats posed by online and offline attackers, from the outside and the inside, against the security of both the plaintext and the password. We then propose a few very simple protocols, adapted from the Ford-Kaliski server-assisted password generator and the Boldyreva unique blind signature in particular, that provide the best protection against all kinds of threats, for all distributions of secrets. We also quantify the concrete security of our approach in terms of online and offline password guesses made by outsiders and insiders, in the random-oracle model. The main contribution of this paper lies not in the technical novelty of the proposed solution, but in the identification of the problem and its model. Our results have an immediate and practical application for the real world: they show how to implement single-sign-on stateless roaming authentication for the internet, in an ad-hoc user-driven fashion that requires no change to protocols or infrastructure.

Proceedings ArticleDOI
15 Jul 2009
TL;DR: Though schemes which make contributions to the development of graphical passwords in terms of spyware resistance have a positive effect on protecting users' passwords, they are not yet sufficient to stop attackers from harvesting passwords.
Abstract: To date, there have been some schemes which have made contributions to the development of graphical passwords in terms of spyware resistance [2, 3]. Using a challenge-response protocol, they have an advantage in that they are resistant to replay attacks. Namely, even a third party who observes a successful login session cannot perform a replay attack. Though they have a positive effect on protecting users' passwords, they are not yet sufficient to stop attackers from harvesting passwords.

01 Jan 2009
TL;DR: This paper describes a method of implementing two factor authentication using mobile phones that guarantees that authenticating to services, such as online banking or ATM machines, is done in a very secure manner.
Abstract: This paper describes a method of implementing two factor authentication using mobile phones. The proposed method guarantees that authenticating to services, such as online banking or ATM machines, is done in a very secure manner. The proposed system involves using a mobile phone as a software token for One Time Password generation. The generated One Time Password is valid for only a short user-defined period of time and is generated by factors that are unique to both the user and the mobile device itself. Additionally, an SMS-based mechanism is implemented as both a backup mechanism for retrieving the password and as a possible means of synchronization. The proposed method has been implemented and tested. Initial results show the success of the proposed method.

Patent
12 Mar 2009
TL;DR: In this paper, a public key cryptographic system and method for a password or any other predefined personal secret information that defeats key factoring and spoofing attacks is provided, which adopts a new technique of encrypting a password by a numeric function of itself, replacing the fixed public key of the conventional RSA encryption.
Abstract: A public key cryptographic system and method is provided for a password or any other predefined personal secret information that defeats key factoring and spoofing attacks. The method adopts a new technique of encrypting a password or any predefined secret information by a numeric function of itself, replacing the fixed public key of the conventional RSA encryption. The whole process involving key generation, encryption, decryption and password handling is discussed in detail. Mathematical and cryptanalytical proofs of defeating factoring and spoofing attacks are furnished.

Journal ArticleDOI
TL;DR: The proposed 3PEKE protocol is more secure and efficient in comparison with the protocols proposed by Chen et al. and Yoon and Yoo and can achieve better performance efficiency by requiring only four message transmission rounds.

Proceedings ArticleDOI
20 Sep 2009
TL;DR: The ColorLogin scheme uses color, a method not previously considered, to decrease login time, and is resistant to shoulder surfing and intersection attack to a certain extent.
Abstract: It is believed that graphical passwords are more memorable than traditional textual passwords, but usually seen as complex and time-consuming for users. Furthermore, most of the existing graphical password schemes are vulnerable to spyware and shoulder surfing. ColorLogin uses color, a method not previously considered, to decrease login time. Multiple colors are used to confuse the peepers, while not burdening the legitimate users. Meanwhile, the scheme is resistant to shoulder surfing and intersection attack to a certain extent. This paper analyzes and evaluates the ColorLogin scheme using some experiments.

Proceedings ArticleDOI
08 Jun 2009
TL;DR: This study examines the use of cognitive load theory to design the information security training on password strength and finds that the comprehension of training is measured by an examination of passwords selected after the training.
Abstract: User passwords are the gateway to an organization's assets. When users are the agents selecting passwords, they are the key component to improving passwords. Users must be persuaded to select passwords difficult to compromise. User behavior can be influenced by information security training. This study examines the use of cognitive load theory to design the information security training on password strength. The comprehension of training is measured by an examination of passwords selected after the training.

Patent
Artur Faryna
26 Feb 2009
TL;DR: In this article, an authentication scheme is used to decide whether to permit access to a user account, access to which is controlled by a network resource server, where an initial portion of a password is received at a mobile communication device, and a remaining portion of the password is received at a password client installed in or otherwise coupled to the network resource server.
Abstract: An authentication scheme may be used to decide whether to permit access to a user account access to which is controlled by a network resource server. An initial portion of a password is received at a mobile communication device, and a remaining portion of the password is received at a password client installed in or otherwise coupled to the network resource server. The initial portion is communicated from the mobile communication device to the network resource server, where it is passed to the password client, which combines it and the remaining portion to produce a complete password. A value calculated by the password client from the complete password is sent to a password server, which generated the password and sent the initial portion and remaining portion. If the value matches a value calculated by the password server from the complete password in the same manner, authentication has succeeded.

Journal ArticleDOI
TL;DR: This article proposes a new password-based 3PEKE scheme that completes its entire job in only a record low four steps, which is proved to be optimal for password-based 3PEKE protocols.
Abstract: A password-based three-party encrypted key exchange (3PEKE) is a protocol that enables any pair of two registered clients to establish session keys with the help of a trusted server such that each client shares only one password with the server. This approach greatly improves the scalability of key agreement protocols in distributed environments and provides great user convenience. This article proposes a new password-based 3PEKE scheme that completes its entire job in only a record low four steps, which we prove is optimal for password-based 3PEKE protocols. The security of the proposed scheme, as we will detail later, has been proved in the random oracle model.

Proceedings ArticleDOI
07 Dec 2009
TL;DR: This paper proposes a new and efficient approach for anonymous password authentication that assumes a different setting where users do not register their passwords to the server; rather, they use passwords to protect their authentication credentials.
Abstract: Anonymous password authentication reinforces password authentication with the protection of user privacy. Considering the increasing concern of individual privacy nowadays, anonymous password authentication represents a promising privacy-preserving authentication primitive. However, anonymous password authentication in the standard setting has several inherent weaknesses, making its practicality questionable. In this paper, we propose a new and efficient approach for anonymous password authentication. Our approach assumes a different setting where users do not register their passwords to the server; rather, they use passwords to protect their authentication credentials. We present a concrete scheme, and get over a number of challenges in securing password-protected credentials against off-line guessing attacks. Our experimental results confirm that conventional anonymous password authentication does not scale well, while our new scheme demonstrates very good performance.

Journal Article
TL;DR: It is shown that a threshold password authentication scheme proposed by Chai et al. suffers from a number of security vulnerabilities by passive attacks.
Abstract: Recently, Chai et al. proposed a threshold password authentication scheme in which t out of n server nodes could efficiently carry out mutual authentication with a user while preserving strong security requirements in mobile ad hoc networks. In this article, we will show that their scheme suffers from a number of security vulnerabilities by passive attacks.

Patent
Masakatsu Matsuo
02 Jun 2009
TL;DR: In SSL encryption, a client and a server share a password, and the client encrypts the random number data with a public key and a password and transmits it to the server, so that the client and the server safely share the data having a bit length longer than that of the password as discussed by the authors.
Abstract: In SSL encryption communication in which a client and a server share a password, the client generates random number data, encrypts the random number data with a public key and a password, and transmits the encrypted random number data to the server, so that the client and the server safely share the random number data having a bit length longer than that of the password. Safe cryptographic communication is performed without intermediaries by using the random number data or by mutually presenting a hash value of the random number data.

Proceedings ArticleDOI
03 May 2009
TL;DR: In this paper, the authors proposed a new noisy password technique, which consists of several parts, the actual password and additional noisy parts that are well studied to generate different passwords almost every time a user wants to authenticate himself.
Abstract: The purpose of a one-time password (OTP) is to make it more difficult to gain unauthorized access to restricted resources, like a computer account. Traditional static passwords can more easily be accessed by an unauthorized intruder given enough attempts and time. By constantly altering the password, as is done with a one-time password, this risk can be greatly reduced. In this paper, we propose the new noisy password technique. The proposed system attempts to alleviate the problem of shoulder surfing or eavesdropping by making the replay of a password useless. Every time, a user is authenticated by a totally different password. The noisy password consists of several parts, the actual password and additional noisy parts that are well studied to generate different passwords almost every time a user wants to authenticate himself. The noisy parts are proven to be robust against any hacking attacks. Experimental results give a good indication of the ease of utilization of the new system, with low error rates that can be enhanced over time.

Journal ArticleDOI
TL;DR: A novel modification to the Depth-First Search (DFS) based on a unique tree structure to generate a private key to provide authentication to thin clients in wireless networks is presented.
Abstract: This paper presents a One-Time Password (OTP) mechanism to provide authentication, with particular application to thin clients in wireless networks. Many of the current OTP mechanisms have high client side computation costs, high communication costs, or limited login times. To cope with these problems, this paper proposes a new one-time password scheme using a smart card. In the scheme, we present a novel modification to the Depth-First Search (DFS) based on a unique tree structure to generate a private key. We present a detailed analysis of the proposed scheme using an OpenSSL based implementation.