
Showing papers on "Password strength published in 2011"


Proceedings ArticleDOI
07 May 2011
TL;DR: A large-scale study investigates password strength, user behavior, and user sentiment across four password-composition policies, and describes the predictability of passwords by calculating their entropy, finding that a number of commonly held beliefs about password composition and strength are inaccurate.
Abstract: Text-based passwords are the most common mechanism for authenticating humans to computer systems. To prevent users from picking passwords that are too easy for an adversary to guess, system administrators adopt password-composition policies (e.g., requiring passwords to contain symbols and numbers). Unfortunately, little is known about the relationship between password-composition policies and the strength of the resulting passwords, or about the behavior of users (e.g., writing down passwords) in response to different policies. We present a large-scale study that investigates password strength, user behavior, and user sentiment across four password-composition policies. We characterize the predictability of passwords by calculating their entropy, and find that a number of commonly held beliefs about password composition and strength are inaccurate. We correlate our results with user behavior and sentiment to produce several recommendations for password-composition policies that result in strong passwords without unduly burdening users.

398 citations


Journal ArticleDOI
TL;DR: An enhanced authentication scheme is proposed, which covers all the identified weaknesses of Wang et al.'s scheme and is more secure and efficient for practical application environments.

239 citations


Book ChapterDOI
28 Mar 2011
TL;DR: A general framework for constructing password-based authenticated key exchange protocols with optimal round complexity - one message per party, sent simultaneously - in the standard model, assuming a common reference string.
Abstract: We show a general framework for constructing password-based authenticated key exchange protocols with optimal round complexity - one message per party, sent simultaneously - in the standard model, assuming a common reference string. When our framework is instantiated using bilinear-map cryptosystems, the resulting protocol is also (reasonably) efficient. Somewhat surprisingly, our framework can be adapted to give protocols in the standard model that are universally composable while still using only one (simultaneous) round.

122 citations


Journal ArticleDOI
TL;DR: This paper describes an efficient 3PAKE based on LHL-3PAKE proposed by Lee et al. that requires neither the server public keys nor symmetric cryptosystems such as DES.

89 citations


Patent
02 Aug 2011
TL;DR: In this paper, a multi-factor password comprising a plurality of factors is used to improve the security of a device, with each factor corresponding to a different type of information that can be used for authentication or other purposes.
Abstract: Techniques for improving security on a device are disclosed. In an aspect, a multi-factor password comprising a plurality of factors may be used to improve security. Each factor may correspond to a different type of information that may be used for authentication and/or other purposes. For example, the plurality of factors may include an alpha-numeric string, a fingerprint of a user, a voice clip, a picture, a video, etc. The device may authenticate the user based on the multi-factor password. In another aspect, a dynamic password that varies with at least one parameter (e.g., time, location, etc.) may be used to improve security. The dynamic password may have a plurality of values for a plurality of scenarios defined by at least one parameter. The device may authenticate a user in a given scenario based on a value of the dynamic password applicable for that scenario.

66 citations


Patent
23 Aug 2011
TL;DR: In this article, a method for controlling access to an encrypted document is presented: a computer receives a request to access the encrypted document, the access request comprising a user ID and a user password.
Abstract: In a method for controlling access to an encrypted document, a computer receives a request to access the encrypted document, the access request comprising a user ID and a user password. The computer performs a one-way hash function on the user password to generate a hash value. The computer searches an access control table for the hash value which indicates an authorization for the user to access the encrypted document and corresponds to a document password encrypted with the user password. The computer decrypts the document password using the user password. The computer decrypts the encrypted document using the decrypted document password.

54 citations


Journal ArticleDOI
TL;DR: This work shows that the protocol proposed could be vulnerable to an undetectable online password guessing attack, and an improved protocol is proposed to avoid the attack.
Abstract: In 2009, Huang (Int. J. Commun. Syst., 22, 857–862) proposed a simple and efficient three-party password-based key exchange protocol without server's public key. This work shows that the protocol could be vulnerable to an undetectable online password guessing attack. Furthermore, an improved protocol is proposed to avoid the attack. Copyright © 2011 John Wiley & Sons, Ltd.

51 citations


Journal ArticleDOI
TL;DR: It is demonstrated that the HS-3PAKE protocol is vulnerable to undetectable online password guessing attacks and off-line password guessing attacks by any other user.
Abstract: In order to secure communications between two clients with a trusted server's help in public network environments, a three-party authenticated key exchange (3PAKE) protocol is used to provide the transaction confidentiality and the efficiency. In 2009, Huang proposed a simple three-party password-based authenticated key exchange (HS-3PAKE) protocol without any server's public key. By analysis, Huang claimed that the proposed HS-3PAKE protocol is not only secure against various attacks, but also more efficient than previously proposed 3PAKE protocols. However, this paper demonstrates that HS-3PAKE protocol is vulnerable to undetectable online password guessing attacks and off-line password guessing attacks by any other user. Copyright © 2010 John Wiley & Sons, Ltd.

48 citations


Posted Content
TL;DR: A new hybrid graphical password based system is proposed, which is a combination of recognition and recall based techniques that offers many advantages over the existing systems and may be more convenient for the user.
Abstract: Passwords provide a security mechanism for authentication and protection services against unwanted access to resources. A graphical password is one promising alternative to textual passwords. According to human psychology, humans are able to remember pictures easily. In this paper, we have proposed a new hybrid graphical password based system, which is a combination of recognition and recall based techniques that offers many advantages over the existing systems and may be more convenient for the user. Our scheme is resistant to shoulder surfing attack and many other attacks on graphical passwords. This scheme is proposed for smart mobile devices (like smart phones, i.e. iPod, iPhone, PDAs, etc.) which are more handy and convenient to use than traditional desktop computer systems.

48 citations


Journal ArticleDOI
TL;DR: The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words; however, in this case the regime did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.
Abstract: This study investigates the efficacy of using a restrictive password composition policy. The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly under-researched area is whether restrictive password composition policies actually change user behaviours in significant ways. The results of this study show that a password composition policy reduces the similarity of passwords to dictionary words. However, in this case the regime did not reduce the use of meaningful information in passwords such as names and birth dates, nor did it reduce password recycling.

47 citations


Proceedings ArticleDOI
19 Feb 2011
TL;DR: Using Cryptography and Steganography at the same time, this scheme tries to provide Biometric as well as Password security to voter accounts and produces a stego image which looks quite similar to the cover image but is not detectable by the human eye.
Abstract: Using Cryptography and Steganography at the same time, we try to provide Biometric as well as Password security to voter accounts. The scheme uses images as cover objects for Steganography and as keys for Cryptography. The key image is a Biometric measure, such as a fingerprint image. Proper use of Cryptography greatly reduces the risks in these systems as the hackers have to find both the secret key and the template. The basic idea is to merge the secret key with the cover image on the basis of the key image. The result of this process is a stego image which looks quite similar to the cover image but is not detectable by the human eye. The system targets the authentication requirement of a voting system.

Journal ArticleDOI
TL;DR: Object-based Password (ObPwd), leveraging the universe of personal or personally meaningful digital content that many users now own or have access to, is proposed, which converts user-selected digital objects to high-entropy text passwords.
Abstract: Despite all efforts, password schemes intended to deploy or encourage the use of strong passwords have largely failed. As an alternative to enable users to create, maintain, and use high-quality passwords willingly, we propose Object-based Password (ObPwd), leveraging the universe of personal or personally meaningful digital content that many users now own or have access to. ObPwd converts user-selected digital objects to high-entropy text passwords. Memorization of exact passwords is replaced by remembering password objects. We present the design details, variants, and usability and security analysis of ObPwd, and report on the results of a hybrid in-lab/at-home user study on 32 participants. The results suggest the scheme has good usability, with excellent memorability, acceptable login times, and very positive user perception, achieved while providing strong security for the threat context explored. We believe this work lays the foundation for a promising password selection paradigm.

Journal Article
TL;DR: This paper proposes an improved scheme with enhanced security, maintaining the advantages of the original scheme and free from the attacks pointed out by Yoon-Yoo and Xiang et al.
Abstract: In 2006, Liao et al. proposed a scheme over insecure networks. In 2006, Yoon-Yoo, and in 2008, Xiang et al. analyzed Liao et al.'s scheme and both of them pointed out, more or less, the same vulnerabilities: offline password guessing attack, impersonating the server by replay attack, denial of service attack on password changing and insider attack on it. But none of them suggested any solution to the pointed out attacks. This paper proposes an improved scheme with enhanced security, maintaining the advantages of the original scheme and free from the attacks pointed out by Yoon-Yoo and Xiang et al.

Proceedings ArticleDOI
10 Nov 2011
TL;DR: This paper explores certain aspects of utilizing keystroke dynamics in username-password based systems and shows that habituation plays a key role in classification of genuine login attempts by reducing the equal error rate (EER) over time.
Abstract: Access control systems rely on a variety of methods for authenticating legitimate users and preventing malicious ones from accessing the system. The most commonly used system is a simple username and password approach. This technology has been the de-facto standard for remote authentication applications. A username-password based system assumes that only the genuine users know their own credentials. However, breaching this type of system has become a common occurrence in today's age of social networks and modern computational devices. Once broken, the system will accept every authentication trial using compromised credentials until the breach is detected. In this paper, we explore certain aspects of utilizing keystroke dynamics in username-password based systems. We show that as users get habituated to typing their credentials, there is a significant reduction in the variance of the keystroke patterns. This trend is more pronounced for long and complex passwords as opposed to short dictionary based passwords. We also study the time window necessary to perceive habituation in user typing patterns. Furthermore, we show that habituation plays a key role in classification of genuine login attempts by reducing the equal error rate (EER) over time. Finally, we explore an authentication scheme that employs the security of complex passwords and keystroke dynamics.

Proceedings ArticleDOI
21 Feb 2011
TL;DR: This paper presents a new shoulder-surfing resistant password that makes it difficult for attackers to observe a user's password by requiring the user to locate his or her password in the given password grid instead of entering the password.
Abstract: In mobile devices such as smart phones, it is important to provide adequate user authentication. Conventional text-based passwords have significant drawbacks though they are used as the most common authentication method. To address the vulnerabilities of traditional text-based passwords, graphical password schemes have been developed as possible alternative solutions. However, a potential drawback of graphical password schemes is that they are more vulnerable to shoulder-surfing than conventional text-based passwords. In this paper, we present a new shoulder-surfing resistant password. Our approach makes it difficult for attackers to observe a user's password by requiring the user to locate his or her password in the given password grid instead of entering the password (Figure 1). Security analysis for shoulder-surfing attacks shows that our password is robust against both random and shoulder-surfing attacks.

Patent
31 Jan 2011
TL;DR: In this article, a password security input system is presented, which performs authentication through input of a security password key obtained by applying a shift value to an actual password key, together with a corresponding password authentication method.
Abstract: The present invention relates to a password security input system which performs authentication through input of a security password key which is obtained by applying a shift value to an actual password key, and a password security input method thereof. According to the present invention, a password security input system is configured with a user terminal comprising: a password setting module for receiving and storing an actual password which is inputted during the initial setting by a user; an input window generating module for generating an input window in which key buttons are randomly disposed in every instance where a password is inputted; a password input module for receiving keys of a security password which are position-changed by applying the same shift distance to the key positions of the actual password in the input window displayed on a screen; and a password authentication module for comparing a key shift value of the pre-stored actual password with a key shift value of a security password inputted by a user on the basis of the input window, and determining that password authentication is successful when the two key shift values are the same. According to the present invention, even if a security password is exposed to a third person, the user can maintain the actual password with peace of mind.

Journal ArticleDOI
TL;DR: In this paper, the authors proposed a new simple three-party password-based authenticated key exchange scheme based on elliptic curve cryptography (ECC), which not only reduces computation cost for remote users and a trusted server but also is more efficient than previously proposed schemes.
Abstract: In three-party password-based key exchange protocol, a client is allowed to share a human-memorable password with a trusted server such that two clients can negotiate a session key to communicate with each other secretly. Recently, many three-party password-based key exchange protocols have been developed. However, these proposed schemes cannot simultaneously achieve security and efficiency. Based on elliptic curve cryptography (ECC), this paper will propose a new simple three-party password-based authenticated key exchange scheme. The proposed method not only reduces computation cost for remote users and a trusted server but also is more efficient than previously proposed schemes. It is better suited for resource constrained devices, such as smart cards or mobile units. Copyright © 2010 John Wiley & Sons, Ltd.

Book ChapterDOI
20 Jun 2011
TL;DR: Users must authenticate themselves to their computers, and often to individual applications, before using them; since most users do not follow strict credential management practices, password-based solutions suffer from several security drawbacks, and strong authentication is proposed as a solution.
Abstract: Everybody needs to authenticate himself on his computer before using it, or even before using different applications (email, e-commerce, intranet, ...). Most of the time, the adopted authentication procedure is the use of a classical couple of login and password. In order to be efficient and secure, the user must adopt a strict management of his credentials (regular changing of the password, use of different credentials for different services, use of a strong password containing various types of characters and no word contained in a dictionary). As these conditions are quite strict and difficult to apply for most users, they do not respect them. This is a big security flaw in the authentication mechanism (Conklin et al., 2004). According to the 2002 NTA Monitor Password Survey, a study done on 500 users shows that there are approximately 21 passwords per user, 81% of them use common passwords and 30% of them write their passwords down or store them in a file. Hence, password-based solutions suffer from several security drawbacks. A solution to this problem is the use of strong authentication....

Patent
13 Sep 2011
TL;DR: In this paper, a user computing device receives a user-associated password such as a PIN from a user, where the PIN is operable to authenticate an identity of a user.
Abstract: Methods, apparatus and systems for securing user-associated passwords used in transactions are disclosed. The methods include a user computing device receiving a user-associated password such as a PIN from a user, where the user-associated password is operable to authenticate an identity of a user. The user-associated password may be received in response to the user receiving a request for the user-associated password from a third party such as a merchant. The user computing device may generate a temporary password such as a one-time password, dynamic password, or the like, and encrypt the user-associated password using the temporary password. The encrypted user-associated password may then be communicated to the third party in lieu of the user-associated password received by the user.

Journal ArticleDOI
TL;DR: In this article, a well-designed password-based authentication protocol for multi-server communication environment, introduced by Hsiang and Shih, is evaluated and security analysis indicates that their scheme is insecure against session key disclosure, server spoofing attack, and replay attack and behavior denial.
Abstract: From user point of view, password-based remote user authentication technique is one of the most convenient and easy-to-use mechanisms to provide necessary security on system access. As the number of computer crimes in modern cyberspace has increased dramatically, the robustness of password-based authentication schemes has been investigated by industries and organizations in recent years. In this paper, a well-designed password-based authentication protocol for multi-server communication environment, introduced by Hsiang and Shih, is evaluated. Our security analysis indicates that their scheme is insecure against session key disclosure, server spoofing attack, and replay attack and behavior denial. Copyright © 2010 John Wiley & Sons, Ltd.

Proceedings ArticleDOI
15 Apr 2011
TL;DR: This extended abstract proposes a simple graphical password authentication system, describes its operation with some examples, and highlights important aspects of the system.
Abstract: Graphical passwords provide a promising alternative to traditional alphanumeric passwords. They are attractive since people usually remember pictures better than words. In this extended abstract, we propose a simple graphical password authentication system. We describe its operation with some examples, and highlight important aspects of the system.

Journal ArticleDOI
TL;DR: If files containing sensitive patient information must be transferred by email, mechanisms to encrypt them and to ensure that password strength is high are necessary and recommendations are provided to implement these practices.
Abstract: Background: Findings and statements about how securely personal health information is managed in clinical research are mixed. Objective: The objective of our study was to evaluate the security of practices used to transfer and share sensitive files in clinical trials. Methods: Two studies were performed. First, 15 password-protected files that were transmitted by email during regulated Canadian clinical trials were obtained. Commercial password recovery tools were used on these files to try to crack their passwords. Second, interviews with 20 study coordinators were conducted to understand file-sharing practices in clinical trials for files containing personal health information. Results: We were able to crack the passwords for 93% of the files (14/15). Among these, 13 files contained thousands of records with sensitive health information on trial participants. The passwords tended to be relatively weak, using common names of locations, animals, car brands, and obvious numeric sequences. Patient information is commonly shared by email in the context of query resolution. Files containing personal health information are shared by email and, by posting them on shared drives with common passwords, to facilitate collaboration. Conclusion: If files containing sensitive patient information must be transferred by email, mechanisms to encrypt them and to ensure that password strength is high are necessary. More sophisticated collaboration tools are required to allow file sharing without password sharing. We provide recommendations to implement these practices. [J Med Internet Res 2011;13(1):e18]

Proceedings ArticleDOI
22 Mar 2011
TL;DR: This paper introduces a framework of the proposed Implicit Password Authentication System (IPAS), which is immune to the common attacks suffered by other authentication schemes.
Abstract: Authentication is the first line of defense against compromising confidentiality and integrity. Though traditional login/password based schemes are easy to implement, they have been subjected to several attacks. As an alternative, token and biometric based authentication systems were introduced. However, they have not improved substantially to justify the investment. Thus, a variation to the login/password scheme, viz. graphical scheme was introduced. But it also suffered due to shoulder-surfing and screen dump attacks. In this paper, we introduce a framework of our proposed Implicit Password Authentication System (IPAS), which is immune to the common attacks suffered by other authentication schemes.

Patent
Jens-Uwe Busser, Steffen Fries
22 Jul 2011
TL;DR: In this paper, a method for providing a one-time password for a user device belonging to a user, which password is intended to register the user device with a server, is presented.
Abstract: In a method for providing a one-time password for a user device belonging to a user, which password is intended to register the user device with a server, the server generates the one-time password using a cryptographic operation on the basis of a unique use identifier and transmits the password to the user device. The method provides a service provider with the possibility of tying additional conditions for registration to the one-time password and thus increases the flexibility of the service provider when configuring the services offered by the latter and increases security against manipulation.

Patent
06 Dec 2011
TL;DR: In this paper, the authentication server receives a first form of a password from a client device in accordance with an authentication protocol, and authenticates the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database.
Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.

Book ChapterDOI
28 Feb 2011
TL;DR: This work presents a scheme called Mercury, which employs user-level public keys and a personal mobile device (PMD) such as a smart-phone, netbook, or tablet to allow forgotten passwords to be securely restored.
Abstract: Instead of allowing the recovery of original passwords, forgotten passwords are often reset using online mechanisms such as password verification questions (PVQ methods) and password reset links in email. These mechanisms are generally weak, exploitable, and force users to choose new passwords. Emailing the original password exposes the password to third parties. To address these issues, and to allow forgotten passwords to be securely restored, we present a scheme called Mercury. Its primary mode employs user-level public keys and a personal mobile device (PMD) such as a smart-phone, netbook, or tablet. A user generates a key pair on her PMD; the private key remains on the PMD and the public key is shared with different sites (e.g., during account setup). For password recovery, the site sends the (public key)-encrypted password to the user's pre-registered email address, or displays the encrypted password on a webpage, e.g., as a barcode. The encrypted password is then decrypted using the PMD and revealed to the user. A prototype implementation of Mercury is available as an Android application.

Journal Article
TL;DR: Remote authentication is a method to authenticate remote users over an insecure communication channel and Hsiang et al.
Abstract: Remote authentication is a method to authenticate remote users over an insecure communication channel. Password-based authentication schemes have been widely deployed to verify the legitimacy of remote users. Very recently, Hsiang et al. pointed out that Yoon et al.'s scheme is vulnerable to parallel session attack, masquerading attack and password guessing attack. They proposed an improved scheme to remedy these pitfalls. They claimed their scheme is secure against parallel session attack, masquerading attack and password guessing attack. However, we find that Hsiang et al.'s scheme is vulnerable to password guessing attack, masquerading user attack and masquerading server attack.

Proceedings ArticleDOI
12 Aug 2011
TL;DR: A novel cued-recall graphical password scheme CBFG (Click Buttons according to Figures in Grids) is proposed, which resists shoulder surfing attack and intersection analysis attack and also incorporates the idea of image identification.
Abstract: Graphical passwords have been proposed as an alternative to alphanumeric passwords with their advantages in usability and security. However, most of these alternate schemes have their own disadvantages. For example, cued-recall graphical password schemes are vulnerable to shoulder-surfing and cannot prevent intersection analysis attack. A novel cued-recall graphical password scheme CBFG (Click Buttons according to Figures in Grids) is proposed in this paper. Inheriting the way of setting passwords in traditional cued-recall schemes, this scheme also adds the idea of image identification. CBFG encourages users to set more complex passwords. Simultaneously, it has the capability to resist shoulder surfing attack and intersection analysis attack. Experiments illustrate that CBFG has better performance in usability, and especially in security.

Proceedings ArticleDOI
Yao Ma, Jinjuan Feng
10 Aug 2011
TL;DR: The result suggests that the graphical password took longer for authentication and demanded a higher workload than the text password and the mnemonic password.
Abstract: Effective user authentication is critical for protecting information and system safety. The most common computer authentication method is the text password. Previous research suggests that text passwords can be hard to remember and users tend to create simple text passwords that are insecure. Various password strategies and alternative authentication applications have been proposed, such as mnemonic passwords, graphical passwords, and biometrics. However, existing research on the usability of these authentication methods is limited. We conducted a longitudinal empirical study to examine the usability of three authentication methods: traditional text password, mnemonic password, and graphical password, in a real life environment. The result suggests that the graphical password took longer for authentication and demanded a higher workload than the text password and the mnemonic password.