
Showing papers on "Password strength published in 2010"


Proceedings ArticleDOI
04 Oct 2010
TL;DR: This paper attempts to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies, by modeling the success rate of current password cracking techniques against real user passwords.
Abstract: In this paper we attempt to determine the effectiveness of using entropy, as defined in NIST SP800-63, as a measurement of the security provided by various password creation policies. This is accomplished by modeling the success rate of current password cracking techniques against real user passwords. These data sets were collected from several different websites, the largest one containing over 32 million passwords. This focus on actual attack methodologies and real user passwords quite possibly makes this one of the largest studies on password security to date. In addition we examine what these results mean for standard password creation policies, such as minimum password length, and character set requirements.

423 citations


Proceedings ArticleDOI
10 Apr 2010
TL;DR: A study which re-examined password policies and password practice in the workplace today finds that users are in general concerned to maintain security, but existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate.
Abstract: HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today. 32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use. We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation. We conclude that, rather than focussing password policies on maximizing password strength and enforcing frequency alone, policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use.

366 citations


Proceedings ArticleDOI
14 Mar 2010
TL;DR: It is found that a "diminishing returns" principle applies: in the absence of an enforced password strength policy, weak passwords are common; on the other hand, as the attack goes on, the probability that a guess will succeed decreases by orders of magnitude.
Abstract: It is a well known fact that user-chosen passwords are somewhat predictable: by using tools such as dictionaries or probabilistic models, attackers and password recovery tools can drastically reduce the number of attempts needed to guess a password. Quite surprisingly, however, existing literature does not provide a satisfying answer to the following question: given a number of guesses, what is the probability that a state-of-the-art attacker will be able to break a password? To answer the former question, we compare and evaluate the effectiveness of currently known attacks using various datasets of known passwords. We find that a "diminishing returns" principle applies: in the absence of an enforced password strength policy, weak passwords are common; on the other hand, as the attack goes on, the probability that a guess will succeed decreases by orders of magnitude. Even extremely powerful attackers won't be able to guess a substantial percentage of the passwords. The result of this work will help in evaluating the security of authentication means based on user-chosen passwords, and our methodology for estimating password strength can be used as a basis for creating more effective proactive password checkers for users and security auditing tools for administrators.

283 citations


01 Jan 2010
TL;DR: The first large-scale empirical analysis of password implementations deployed on the Internet, including 150 websites which offer free user accounts for a variety of purposes, finds a surprising number of inconsistent choices within individual sites, suggesting that the lack of standards is harming security.
Abstract: We report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Our study included 150 websites which offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although all sites evaluated relied on user-chosen textual passwords for authentication, we found many subtle but important technical variations in implementation with important security implications. Many poor practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks. While a spectrum of implementation quality exists with a general correlation between implementation choices within more-secure and less-secure websites, we find a surprising number of inconsistent choices within individual sites, suggesting that the lack of standards is harming security. We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established tendency of users to re-use passwords. Our data confirms that the worst security practices are indeed found at sites with few security incentives, such as newspaper websites, while sites storing more sensitive information such as payment details or user communication implement more password security. From an economic viewpoint, password insecurity is a negative externality that the market has been unable to correct, undermining the viability of password-based authentication. We also speculate that some sites deploying passwords do so primarily for psychological reasons, both as a justification for collecting marketing data and as a way to build trusted relationships with customers. This theory suggests that efforts to replace passwords with more secure protocols or federated identity systems may fail because they don't recreate the entrenched ritual of password authentication.
WEIS 2010, The Ninth Workshop on the Economics of Information Security

221 citations


Proceedings ArticleDOI
04 Oct 2010
TL;DR: This paper develops a framework by which an attacker can search for a user's new password from an old one, and designs an efficient algorithm to build an approximately optimal search strategy, which is used to measure the difficulty of breaking newly chosen passwords from old ones.
Abstract: This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account's password. Using a dataset of over 7700 accounts, we assess the extent to which passwords that users choose to replace expired ones pose an obstacle to the attacker's continued access. We develop a framework by which an attacker can search for a user's new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy. We then use this strategy to measure the difficulty of breaking newly chosen passwords from old ones. We believe our study calls into question the merit of continuing the practice of password expiration.

189 citations


Journal ArticleDOI
TL;DR: This study examined five password-management behaviours to answer questions about user knowledge of password quality, motivation behind password selection and the effect of account type to find a time frame effect only for more important (online banking) accounts.
Abstract: Despite technological advances, humans remain the weakest link in Internet security. In this study, we examined five password-management behaviours to answer questions about user knowledge of password quality, motivation behind password selection and the effect of account type on password-management behaviour. First, we found that users know what constitutes a good/bad password and know which common password-management practices are (in)appropriate. Second, users are motivated to engage in these bad password-management behaviours because they do not see any immediate negative consequences to themselves (negative externalities) and because of the convenience-security tradeoff. Applying Construal Level Theory, we found that this tradeoff can be positively influenced by imposing a time frame factor, i.e. whether the password change will take place immediately (which results in weaker passwords) or in the future (which results in stronger passwords). Third, we found a time frame effect only for more important (online banking) accounts.

131 citations


Book ChapterDOI
20 Sep 2010
TL;DR: Kamouflage as discussed by the authors is a new architecture for building theft-resistant password managers, which is well suited to become a standard architecture for password managers on mobile devices and is implemented as a replacement for the built-in Firefox password manager.
Abstract: We introduce Kamouflage: a new architecture for building theft-resistant password managers. An attacker who steals a laptop or cell phone with a Kamouflage-based password manager is forced to carry out a considerable amount of online work before obtaining any user credentials. We implemented our proposal as a replacement for the built-in Firefox password manager, and provide performance measurements and the results from experiments with large real-world password sets to evaluate the feasibility and effectiveness of our approach. Kamouflage is well suited to become a standard architecture for password managers on mobile devices.

126 citations


Journal ArticleDOI
TL;DR: The QR-code technique can be introduced into the one-time password authentication protocol; the resulting scheme not only eliminates the password verification table, but is also a cost-effective solution since most Internet users already have mobile phones.
Abstract: User authentication is one of the fundamental procedures to ensure secure communications and share system resources over an insecure public network channel. Thus, a simple and efficient authentication mechanism is required for securing the network system in the real environment. In general, the password-based authentication mechanism provides the basic capability to prevent unauthorized access. Especially, the purpose of the one-time password is to make it more difficult to gain unauthorized access to restricted resources. Instead of using the password file as conventional authentication systems do, many researchers have devoted themselves to implementing various one-time password schemes using smart cards, time-synchronized tokens or short message service in order to reduce the risk of tampering and maintenance cost. However, these schemes are impractical because of the far from ubiquitous hardware devices or the infrastructure requirements. To remedy these weaknesses, the QR-code technique can be introduced into our one-time password authentication protocol. Unlike previous approaches, the proposed scheme based on QR code not only eliminates the usage of the password verification table, but is also a cost-effective solution since most Internet users already have mobile phones. For this reason, instead of carrying around a separate hardware token for each security domain, the handiness of the mobile phone makes our approach more practical and convenient.

108 citations


Proceedings ArticleDOI
04 Oct 2010
TL;DR: This work abstract and generalize a protocol by Jiang and Gong to give a new methodology for realizing PAKE without random oracles, in the common reference string model, that is secure within the universal composability (UC) framework and is more efficient than a previous protocol of Canetti et al.
Abstract: Protocols for password-based authenticated key exchange (PAKE) allow two users who share only a short, low-entropy password to agree on a cryptographically strong session key. The challenge in designing such protocols is that they must be immune to off-line dictionary attacks in which an eavesdropping adversary exhaustively enumerates the dictionary of likely passwords in an attempt to match a password to the set of observed transcripts. To date, few general frameworks for constructing PAKE protocols in the standard model are known. Here, we abstract and generalize a protocol by Jiang and Gong to give a new methodology for realizing PAKE without random oracles, in the common reference string model. In addition to giving a new approach to the problem, the resulting construction offers several advantages over prior work. We also describe an extension of our protocol that is secure within the universal composability (UC) framework and, when instantiated using El Gamal encryption, is more efficient than a previous protocol of Canetti et al.

86 citations


Journal ArticleDOI
TL;DR: The proposed defense mechanism not only accomplishes the mutual authentication and the session key establishment, but also inherits the security advantages of Kim-Lee-Yoo's scheme, e.g. it is secure against password guessing attacks and message replay attacks.

78 citations


Journal ArticleDOI
TL;DR: It is concluded that when users were educated of the threats to e-commerce and trained about proper security practices, their behavior could be changed to enhance online security for themselves and the firms where they are employed.
Abstract: This article presents the results of a study to determine the impact of a cyber threat education and awareness intervention on changes in user security behavior. Subjects were randomly assigned to one of two introductory lectures about cyber threats due to poor password management. The low-information condition was based on very general background information on passwords and computer security, while the high-information condition included very detailed and specific information on the threats to subjects' use of e-commerce. The pre/post-treatment design was a single, between-subjects factor (information level–low/high), repeated measures study, with password strength at Time 1 and password strength at Time 2 used to measure change in security behavior over a period of two weeks. The study found that at Time 1, participants possessed no significant differences in the strength of their passwords. Two weeks later, the password strength of the participants in the low-information condition was not statisticall...

Patent
02 Mar 2010
TL;DR: In this article, the authors describe a two-factor graphical password system to a user so that the user may obtain access to a restricted resource by sequentially selecting predetermined areas on the first image.
Abstract: This invention details systems, methods, and devices for providing a two-factor graphical password system to a user so that the user may obtain access to a restricted resource. A first previously selected image (previously selected by the user) is presented to the user to enter his password by sequentially selecting predetermined areas on the first image. The user's input is used to create an encryption/decryption key which is used for communicating between a user application and a device. If the user has entered the correct password, then the device can communicate with the user application. Once the device can communicate with the user application, a second previously selected image (previously selected by the user) is presented to the user from the device. The user enters his second password and the user's input is sent to the device. The device then creates the user's alphanumeric password or another encryption key from the user's input and sends this to the user application. The user application then transmits the password or key to the system which restricts access to the restricted resource.

Proceedings ArticleDOI
01 Sep 2010
TL;DR: The calculation of password entropy is discussed and explained and why it is an inadequate indicator of password quality, and a password quality assessment scheme is established: password quality indicator (PQI).
Abstract: Passwords are the first line of defense for many computerized systems. The quality of these passwords decides the security strength of these systems. Many studies advocate using password entropy as an indicator for password quality where lower entropy suggests a weaker or less secure password. However, a closer examination of this literature shows that password entropy is very loosely defined. In this paper, we first discuss the calculation of password entropy and explain why it is an inadequate indicator of password quality. We then establish a password quality assessment scheme: password quality indicator (PQI). The PQI of a password is a pair (D, L), where D is the Levenshtein's editing distance of the password in relation to a dictionary of words and common mnemonics, and L is the effective password length. Finally, we propose to use PQI to prescribe the characteristics of good quality passwords.

Proceedings ArticleDOI
25 Jun 2010
TL;DR: The scheme combines the advantages of password authentication and biometrics, which strengthens the protocol's security, and has properties such as mutual authentication, key agreement, a fuzzy extractor and tamper resistance of the smart card.
Abstract: In this paper, a new biometric password-based multi-server authentication scheme with smart card is proposed. To the best of our knowledge, this is the first biometric authentication scheme which can be used in a multi-server environment and distributed network. The scheme combines the advantages of password authentication and biometrics, which strengthens the protocol's security, and has properties such as mutual authentication, key agreement, a fuzzy extractor and tamper resistance of the smart card. Hence, it is more secure than the existing schemes.

Journal ArticleDOI
TL;DR: This paper describes a novel technique to strengthen password authentication system by incorporating multiple keystroke dynamic information under a fusion framework and introduces two additional modules to increase the flexibility of the proposed system.
Abstract: This paper describes a novel technique to strengthen a password authentication system by incorporating multiple keystroke dynamic information under a fusion framework. We capitalize on four types of latency as keystroke features and two methods to calculate the similarity scores between two given latencies. A two-layer fusion approach is proposed to enhance the overall performance of the system to achieve a near 1.401% Equal Error Rate (EER). We also introduce two additional modules to increase the flexibility of the proposed system. These modules aim to accommodate exceptional cases, for instance, when a legitimate user is unable to provide his or her normal typing pattern due to reasons such as hand injury.

Journal ArticleDOI
TL;DR: The image-based mnemonic technique was shown to be the most effective method for generating secure and memorable passwords.

Patent
17 Sep 2010
TL;DR: In this article, a method of identity authentication and fraudulent phone call verification using an identification code of a communication device and a dynamic password is proposed, which is directly sent to an Internet user via a dynamic web page of a specific website instead of by means of a traditional telephone short message.
Abstract: A method of identity authentication and fraudulent phone call verification uses an identification code of a communication device and a dynamic password. The “dynamic password” is directly sent to an Internet user via a dynamic web-page of a specific website instead of by means of a traditional telephone short message. Thus, the “dynamic password” cannot be copied from the spyware infected communication device of the Internet user. Furthermore, even if the “dynamic password” is intercepted or otherwise discovered by a hacker or intruder, authentication is still secure because the dynamic password must be sent back to the specific website via a short message or the like from the same communication device having the corresponding identification code that was initially input by the Internet user in order to generate the dynamic password.

Journal ArticleDOI
TL;DR: A hybrid password authentication scheme based on shapes and texts that provides strong resistance to shoulder surfing or a hidden camera and has high scalability and flexibility to enhance the authentication process security is proposed.
Abstract: Text-based password authentication schemes tend to be more vulnerable to attacks such as shoulder surfing or a hidden camera. To overcome the vulnerabilities of traditional methods, visual or graphical password schemes have been developed as possible alternative solutions to text-based password schemes. Since simply adopting graphical password authentication also has some drawbacks, schemes using both graphics and text have been developed. In this paper, a hybrid password authentication scheme based on shapes and texts is proposed. Shapes of strokes are used in the grid as the original passwords and users can log in with textual passwords via a traditional input device. The method provides strong resistance to shoulder surfing or a hidden camera. Moreover, the scheme has high scalability and flexibility to enhance the authentication process security. The analysis of the security level of this approach is also discussed.

Patent
07 Apr 2010
TL;DR: In this article, various technologies pertaining to constructions of a password-based authentication protocol are configured to allow a user to register with and authenticate to an online service without the online service receiving a password or a deterministic function of the user's password.
Abstract: Described herein are various technologies pertaining to constructions of a password-based authentication protocol that are configured to allow a user to register with and authenticate to an online service without the online service receiving a password or a deterministic function of the password of the user. When registering with an online service, a client computing device establishes a cryptographically strong random secret and stores an encryption of such secret with a data storage device. The storage device also never receives the password or a deterministic function of the password. When the user wishes to authenticate to the online service, the user employs her password to retrieve the encrypted secret from the storage device, decrypts such secret, and utilizes the decrypted secret to answer a cryptographically strong challenge provided to the user by the online service upon the online service receiving a username pertaining to such user.

Patent
Alexander Todorov
27 May 2010
TL;DR: In this paper, a password security system, hosted by a server, sends a web page over a network to a client, that includes a CAPTCHA challenge, a request for a CAPTCHA answer, a graphical user interface for receiving a user identifier and a password, and a security script.
Abstract: A password security system, hosted by a server, sends a web page over a network to a client, that includes a CAPTCHA challenge, a request for a CAPTCHA answer, a graphical user interface for receiving a user identifier and a password, and a security script. The security script is to be executed by the client to generate a client hash value from password data and a CAPTCHA answer that is received from a user. The system receives the client hash value and computes a server hash value for password data for the user and a CAPTCHA answer that is stored in a data store that is coupled to the server. The system determines whether the server hash value matches the client hash value, and grants data access to the user when the values match and denies data access to the user when the values do not match.

Proceedings ArticleDOI
20 Apr 2010
TL;DR: In this article, the authors proposed a new password scheme using CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) that retains the advantages of graphical password schemes, while simultaneously raising the cost of adversaries by orders of magnitude.
Abstract: Text-based password schemes have inherent security and usability problems, leading to the development of graphical password schemes. However, most of these alternate schemes are vulnerable to spyware attacks. We propose a new scheme, using CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart), that retains the advantages of graphical password schemes, while simultaneously raising the cost of adversaries by orders of magnitude. Furthermore, some primary experiments are conducted and the results indicate that the usability should be improved in future work.

Patent
16 Aug 2010
TL;DR: In this article, a password manager may receive a password, and a false password generator may generate at least one false password, based on the password. A false password selector may store the at least one false password together with the password, and an attack detector may determine that the login attempt is potentially unauthorized.
Abstract: A password manager may receive a password, and a false password generator may generate at least one false password, based on the password. A false password selector may store the at least one false password together with the password. A password handler may receive a login attempt that includes the at least one false password, and an attack detector may determine that the login attempt is potentially unauthorized, based on the receipt of the at least one false password.

Patent
Vikas Singh, Ashish K. Hanwadikar, Robert Frederick Deuel, Shiqi Charlie Sun, Hui Li
01 Feb 2010
TL;DR: In this paper, a method for maintaining domain access of a virtual machine is described, in which a generation of a new computer account password by an operating system is identified and copied to an auxiliary storage location.
Abstract: A method for maintaining domain access of a virtual machine is described. According to one embodiment, a generation of a new computer account password by an operating system is identified. The new computer account password is copied to an auxiliary storage location. An existing computer account password is replaced with the new computer account password when it is determined that a file system of the computer has been restored to a previous state. The copying of the new computer account password may be performed in response to the generation of the new computer account password. The replacing of the existing computer account password may be performed in response to the restoring of the file system to the previous state.

Patent
Jesper Tohmo, Christer Roslund
09 Apr 2010
TL;DR: In this paper, a method for one-time password generation, the one time password being used for user authentication by a restricted resource, was proposed, in which a mathematical algorithm in a user-specific device was used.
Abstract: A method for one-time password generation, the one-time password being used for user authentication by a restricted resource. The one-time password is generated by means of a mathematical algorithm in a user-specific device, and the one-time password is generated by the mathematical algorithm using at least one user-specific password generation parameter. A first password generation parameter is used for generating a first one-time password for use in user authentication by a first restricted resource, and a second password generation parameter is used for generating a second one-time password for use in user authentication by a second restricted resource, the second restricted resource being different from the first restricted resource, and the first and second password generation parameters being distinct.

Proceedings ArticleDOI
13 Oct 2010
TL;DR: It is shown that the graphical password scheme has better resistance to major password attacks than others, and that the memorability and security of graphical passwords are better than those of text-based passwords.
Abstract: Nowadays, graphical passwords have not been widely used in practice. Most of the graphical password authentication schemes are only discussed in the laboratory. In this paper, some typical graphical password authentication schemes are introduced, and their security is analyzed according to evaluation criteria. One conclusion is drawn that the memorability and security of graphical passwords are better than those of text-based passwords. In addition, it is shown that the graphical password scheme has better resistance to major password attacks than others.

Patent
Jeffrey Glen Rennie
12 Oct 2010
TL;DR: In this paper, the authors present a scheme for logging into a computer using a user's password and a strong cryptographic hash of the user's account. But the scheme requires the user to change the password every time the hash is updated.
Abstract: Methods and apparatus for logging into a computer are disclosed. The computer receives a username and password. The computer determines whether a user with the username is authorized to access the computer. If so, the computer retrieves a weak cryptographic hash of the user's password and compares it to a weak cryptographic hash of the received password. The computer grants access if the weak cryptographic hashes are identical, and sends the username and password to a server. The server determines whether a user with the username has a server account. If so, the server retrieves a strong cryptographic hash of the user's password and compares it to a strong cryptographic hash of the received password. The server grants the user access to an account or service if the strong cryptographic hashes are identical.

Book ChapterDOI
05 Jul 2010
TL;DR: In this article, the authors consider the use of one-time passwords in the context of password-authenticated key exchange (PAKE), which allows for mutual authentication, session key agreement, and resistance to phishing attacks.
Abstract: To reduce the damage of phishing and spyware attacks, banks, governments, and other security-sensitive industries are deploying one-time password systems, where users have many passwords and use each password only once. If a single password is compromised, it can only be used to impersonate the user once, limiting the damage caused. However, existing practical approaches to one-time passwords have been susceptible to sophisticated phishing attacks. We give a formal security treatment of this important practical problem. We consider the use of one-time passwords in the context of password-authenticated key exchange (PAKE), which allows for mutual authentication, session key agreement, and resistance to phishing attacks. We describe a security model for the use of one-time passwords, explicitly considering the compromise of past (and future) one-time passwords, and show a general technique for building a secure one-time-PAKE protocol from any secure PAKE protocol. Our techniques also allow for the secure use of pseudorandomly generated and time-dependent passwords.

Patent
04 Feb 2010
TL;DR: In this paper, the authors provide systems and processes for transforming any system that implements a static password authentication or 1st-factor authentication so as to enforce strong 2-factor authentication, without having to modify the existing system.
Abstract: The present invention provides systems and processes for transforming any system that implements a static password authentication or 1st-factor authentication so as to enforce strong 2-factor authentication, requiring the user to present both a static password and a dynamic password, without having to modify the existing system.

Patent
10 Sep 2010
TL;DR: In this paper, an electronic device includes a movement sensing assembly for providing signals indicative of movement of an object with respect to the electronic device, wherein the movement includes a sequence of gestures making up a proposed gestural password.
Abstract: An electronic device includes a movement sensing assembly for providing signals indicative of movement of an object with respect to the electronic device, wherein the movement includes a sequence of gestures making up a proposed gestural password. A processor in electronic communication with the movement sensing assembly is operable to receive and evaluate the signals to compute a password strength metric indicative of a strength of the proposed gestural password, and a user output component receives and displays an acceptability of the password strength metric.

01 Jan 2010
TL;DR: Several new ways that probability information can be applied to maximize the success of password cracking attacks are detailed; these allow the development of more effective attacks, and a better understanding of how users create passwords can benefit both the attacker and the defender.
Abstract: At its heart, a password cracking attack is just a guessing attack. An attacker makes guesses about a user's password until they guess correctly or they give up. While the defender may limit the number of guesses an attacker is allowed, a password's strength often depends on how hard it is for an attacker to model and reproduce the way a user created their password. If humans were effective at practicing unique habits, or generating and remembering random values, cracking passwords would be a near impossible task. In reality, that isn't true. A vast majority of people still follow common patterns, from capitalizing the first letter of their password to putting numbers at the end. What is changing though are the protective techniques being employed that are independent of user behavior. Practices such as salting password hashes negate the ability to pre-compute attacks. Likewise, password hashes are becoming more computationally complex, raising the costs for each guess an attacker makes. While before an attacker could rely on simple brute force methods and ad-hoc models, there is a growing demand for more effective ways to predict what a user's password will be. The need for this is especially strong in the law enforcement community, where tough encryption is encountered regularly. It is also important for the defender to be able to accurately model the security that user generated passwords provide. This paper details several new ways that probability information can be applied to maximize the success of password cracking attacks. From evaluating the effectiveness of known probabilistic techniques such as Markov models, to designing novel techniques such as using probabilistic context free grammars to create password guesses, there are many different ways probability information can be incorporated into modeling user behavior. 
Furthermore, the techniques described in this paper have been developed using real life passwords and have been tested in actual controlled password cracking attacks. This focus on training and testing against large sets of real life passwords is fairly unique, and only possible due to the increasing availability of disclosed password lists. In addition to allowing the development of more effective attacks, knowledge of how people select passwords can then be applied to evaluating the effectiveness of password creation policies. For example, how much stronger is an eight character password compared to a seven character password? In short, a better understanding of how users create passwords can benefit both the attacker and the defender.