Showing papers on "Password strength published in 2013"
04 Nov 2013
TL;DR: It is proposed that an auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
Abstract: We propose a simple method for improving the security of hashed passwords: the maintenance of additional ``honeywords'' (false passwords) associated with each user's account. An adversary who steals a file of hashed passwords and inverts the hash function cannot tell if he has found the password or a honeyword. The attempted use of a honeyword for login sets off an alarm. An auxiliary server (the ``honeychecker'') can distinguish the user password from honeywords for the login routine, and will set off an alarm if a honeyword is submitted.
264 citations
TL;DR: A modified smart card based remote user password authentication scheme to overcome the weaknesses of Chen et al.'s scheme and shows that it is user friendly and more secure than other related schemes.
250 citations
04 Nov 2013
TL;DR: This work studies the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy to find significant correlations between a number of demographic and behavioral factors and password strength.
Abstract: Despite considerable research on passwords, empirical studies of password strength have been limited by lack of access to plaintext passwords, small data sets, and password sets specifically collected for a research study or from low-value accounts. Properties of passwords used for high-value accounts thus remain poorly understood.We fill this gap by studying the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy. Key aspects of our contributions rest on our (indirect) access to plaintext passwords. We describe our data collection methodology, particularly the many precautions we took to minimize risks to users. We then analyze how guessable the collected passwords would be during an offline attack by subjecting them to a state-of-the-art password cracking algorithm. We discover significant correlations between a number of demographic and behavioral factors and password strength. For example, we find that users associated with the computer science school make passwords more than 1.5 times as strong as those of users associated with the business school. while users associated with computer science make strong ones. In addition, we find that stronger passwords are correlated with a higher rate of errors entering them.We also compare the guessability and other characteristics of the passwords we analyzed to sets previously collected in controlled experiments or leaked from low-value accounts. We find more consistent similarities between the university passwords and passwords collected for research studies under similar composition policies than we do between the university passwords and subsets of passwords leaked from low-value accounts that happen to comply with the same policies.
240 citations
27 Apr 2013
TL;DR: It is concluded that meters result in stronger passwords when users are forced to change existing passwords on "important" accounts and that individual meter design decisions likely have a marginal impact.
Abstract: Password meters tell users whether their passwords are "weak" or "strong." We performed a laboratory experiment to examine whether these meters influenced users' password selections when they were forced to change their real passwords, and when they were not told that their passwords were the subject of a study. We observed that the presence of meters yielded significantly stronger passwords. We performed a followup field experiment to test a different scenario: creating a password for an unimportant account. In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts. We conclude that meters result in stronger passwords when users are forced to change existing passwords on "important" accounts and that individual meter design decisions likely have a marginal impact.
215 citations
TL;DR: An ECC-based scheme is proposed that in addition to the secured password authentication and password update, it protects several related attacks efficiently and one advantage of the proposed scheme is that it generates an E CC-based common secret key that can be used for symmetric encryption, which requires lesser processing time than the time required in the public key encryption-based techniques.
105 citations
TL;DR: An advanced smart card-based password authentication and update scheme and extend the scheme to provide the privacy of the client is proposed and not only solves several hard security threats but also satisfies more functionality features.
Abstract: Password authentication has been widely used in computer networks to provide secure remote access control. In this study, the authors show that the improved password authentication and update scheme based on elliptic curve cryptography proposed by Islam and Biswas is vulnerable to offline password guessing, stolen-verifier and insider attacks. We propose an advanced smart card-based password authentication and update scheme and extend the scheme to provide the privacy of the client. By comparing the criteria with other related schemes, our scheme not only solves several hard security threats but also satisfies more functionality features.
90 citations
01 Jan 2013
TL;DR: The analysis show that the property of untraceability can easily be broken by the legal user of the system, and find the scheme of Chang et al. vulnerable to offline password guessing attack, impersonation attack, stolen smart card attack, and insider attack.
85 citations
13 Nov 2013
TL;DR: Wang et al. as mentioned in this paper analyzed two two-factor authentication schemes, namely, Hsieh-Leu's scheme and Wang's PSCAV scheme, and showed that under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack.
Abstract: The design of secure and efficient smart-card-based password authentication schemes remains a challenging problem today despite two decades of intensive research in the security community, and the current crux lies in how to achieve truly two-factor security even if the smart cards can be tampered. In this paper, we analyze two recent proposals, namely, Hsieh-Leu's scheme and Wang's PSCAV scheme. We show that, under their non-tamper-resistance assumption of the smart cards, both schemes are still prone to offline dictionary attack, in which an attacker can obtain the victim's password when getting temporary access to the victim's smart card. This indicates that compromising a single factor i.e., the smart card of these two schemes leads to the downfall of both factors i.e., both the smart card and the password, thereby invalidating their claim of preserving two-factor security. Remarkably, our attack on the latter protocol, which is not captured in Wang's original protocol security model, reveals a new attacking scenario and gives rise to the strongest adversary model so far. In addition, we make the first attempt to explain why smart cards, instead of common cheap storage devices e.g., USB sticks, are preferred in most two-factor authentication schemes for security-critical applications.
67 citations
TL;DR: This paper categorizes existing graphical password schemes into four kinds according to the authentication style and provides a comprehensive introduction and analysis for each scheme, highlighting security aspects.
Abstract: Beginning around 1996, numerous graphical password schemes have been proposed, motivated by improving password usability and security, two key factors in password scheme evaluation. In this paper, we focus on the security aspects of existing graphical password schemes, which not only gives a simple introduction of attack methods but also intends to provide an in-depth analysis with specific schemes. The paper first categorizes existing graphical password schemes into four kinds according to the authentication style and provides a comprehensive introduction and analysis for each scheme, highlighting security aspects. Then we review the known attack methods, categorize them into two kinds, and summarize the security reported in some user studies of those schemes. Finally, some suggestions are given for future research.
66 citations
Posted Content•
TL;DR: A novel password cracker based on Markov models is proposed, which builds upon and extends ideas used by Narayanan and Shmatikov (CCS 2005) and can crack up to 69% of passwords at 10 billion guesses, more than all probabilistic password crackers.
Abstract: Passwords are widely used for user authentication and, despite their weaknesses, will likely remain in use in the foreseeable future. Human-generated passwords typically have a rich structure, which makes them susceptible to guessing attacks. In this paper, we study the effectiveness of guessing attacks based on Markov models. Our contributions are two-fold. First, we propose a novel password cracker based on Markov models, which builds upon and extends ideas used by Narayanan and Shmatikov (CCS 2005). In extensive experiments we show that it can crack up to 69% of passwords at 10 billion guesses, more than all probabilistic password crackers we compared again t. Second, we systematically analyze the idea that additional personal information about a user helps in speeding up password guessing. We find that, on average and by carefully choosing parameters, we can guess up to 5% more passwords, especially when the number of attempts is low. Furthermore, we show that the gain can go up to 30% for passwords that are actually based on personal attributes. These passwords are clearly weaker and should be avoided. Our cracker could be used by an organization to detect and reject them. To the best of our knowledge, we are the first to systematically study the relationship between chosen passwords and users' personal information. We test and validate our results over a wide collection of leaked password databases.
62 citations
02 Sep 2013
TL;DR: The results reveal that currently used passwords are significantly longer than the participants’ first passwords and that most participants are aware of how to compose strong passwords, however, most users are still using significantly weaker passwords for most services.
Abstract: In this paper, we investigate the evolutionary change of user-selected passwords. We conducted one-on-one interviews and analyzed the complexity and the diversity of users’ passwords using different analysis tools. By comparing their first-ever created passwords to several of their currently used passwords (e.g. most secure, policy-based), we were able to trace password reuse, password changes and influencing factors on the evolutionary process. Our approach allowed for analyzing security aspects without actually knowing the clear-text passwords. The results reveal that currently used passwords are significantly longer than the participants’ first passwords and that most participants are aware of how to compose strong passwords. However, most users are still using significantly weaker passwords for most services. These weak passwords, often with roots in the very first passwords the users have chosen, apparently survive very well, despite password policies and password meters.
07 Jan 2013
TL;DR: While the interactive password strength meter and static fear appeal treatments were not effective, the interactive fear appeal treatment resulted in significantly stronger passwords, suggesting that interactive fear appeals are a promising means of encouraging a range of secure behaviors in end users.
Abstract: Passwords remain the dominant authentication mechanism for information security. Unfortunately, research has shown that most passwords are highly insecure. Given the risks of using weak passwords, there is a need to effectively motivate users to select strong passwords. In this study we examine the influence of interactivity, as well as static and interactive fear appeals, on motivating users to increase the strength of their passwords. We developed a field experiment involving the account registration process of a website in use in which we observed the strength of passwords chosen by users. Data were collected from 354 users in 65 countries. We found that while the interactive password strength meter and static fear appeal treatments were not effective, the interactive fear appeal treatment resulted in significantly stronger passwords. Our findings suggest that interactive fear appeals are a promising means of encouraging a range of secure behaviors in end users.
Journal Article•
TL;DR: The authors shall show that the OSPA protocol is vulnerable to the guessing attacks in this paper.
Abstract: Password authentication is the most important and convenient protocol for verifying users to get the system’s resources Lin et al had proposed an optimal strongpassword authentication protocol (OSPA) which is a onetime password method It can protect against the replaying attacks, impersonation attacks, and denial of service attacks However, the authors shall show that the OSPA protocol is vulnerable to the guessing attacks in this paper
TL;DR: This paper introduces a framework of the proposed (IPAS) Implicit Password Authentication System, which is immune to the common attacks suffered by other authentication schemes.
TL;DR: In this article, Boyen et al. proposed several protocols that can allow a user to use a single password to authenticate to multiple services securely, which can provide another layer of security against malware and phishing.
18 Feb 2013
TL;DR: It is shown that the strength of long passwords does not increase uniformly with length, and an analytical model based on Parts-of-Speech tagging shows that the decrease in search space due to the presence of grammatical structures can be more than 50%.
Abstract: Use of long sentence-like or phrase-like passwords such as "abiggerbetterpassword" and "thecommunistfairy" is increasing. In this paper, we study the role of grammatical structures underlying such passwords in diminishing the security of passwords. We show that the results of the study have direct bearing on the design of secure password policies, and on password crackers used for enforcing password security. Using an analytical model based on Parts-of-Speech tagging we show that the decrease in search space due to the presence of grammatical structures can be more than 50%. A significant result of our work is that the strength of long passwords does not increase uniformly with length. We show that using a better dictionary e.g. Google Web Corpus, we can crack more long passwords than previously shown (20.5% vs. 6%). We develop a proof-of-concept grammar-aware cracking algorithm to improve the cracking efficiency of long passwords. In a performance evaluation on a long password dataset, 10% of the total dataset was exclusively cracked by our algorithm and not by state-of-the-art password crackers.
04 Nov 2013
TL;DR: SAuth is a protocol which employs authentication synergy among different services without ties to a specific method, thus enabling different services to employ heterogeneous systems and employs password decoys to protect users that share a password across services.
Abstract: Password-based authentication is the dominant form of access control in web services. Unfortunately, it proves to be more and more inadequate every year. Even if users choose long and complex passwords, vulnerabilities in the way they are managed by a service may leak them to an attacker. Recent incidents in popular services such as LinkedIn and Twitter demonstrate the impact that such an event could have. The use of one-way hash functions to mitigate the problem is countered by the evolution of hardware which enables powerful password-cracking platforms.In this paper we propose SAuth, a protocol which employs authentication synergy among different services. Users wishing to access their account on service S will also have to authenticate for their account on service V, which acts as a vouching party. Both services S and V are regular sites visited by the user everyday (e.g., Twitter, Facebook, Gmail). Should an attacker acquire the password for service S he will be unable to log in unless he also compromises the password for service V and possibly more vouching services. SAuth is an extension and not a replacement of existing authentication methods. It operates one layer above without ties to a specific method, thus enabling different services to employ heterogeneous systems. Finally we employ password decoys to protect users that share a password across services.
02 May 2013
TL;DR: This paper proposes an improved text-based shoulder surfing resistant graphical password scheme by using colors, and shows the resistance of the proposed scheme to shoulder surfing and accidental login.
Abstract: Since conventional password schemes are vulnerable to shoulder surfing, many shoulder surfing resistant graphical password schemes have been proposed However, as most users are more familiar with textual passwords than pure graphical passwords, text-based graphical password schemes have been proposed Unfortunately, none of existing text-based shoulder surfing resistant graphical password schemes is both secure and efficient enough In this paper, we propose an improved text-based shoulder surfing resistant graphical password scheme by using colors In the proposed scheme, the user can easily and efficiently login system Next, we analyze the security and usability of the proposed scheme, and show the resistance of the proposed scheme to shoulder surfing and accidental login
22 Feb 2013
TL;DR: A new approach to using MD5 in password storage is proposed by using external information, a calculated salt and a random key to encrypt the password before the MD5 calculation, and using key stretching to make the hash calculation slower and using XOR cipher tomake the final hash value impossible to find in any standard rainbow table.
Abstract: Hashing algorithms are commonly used to convert passwords into hashes which theoretically cannot be deciphered. This paper analyses the security risks of the hashing algorithm MD5 in password storage and discusses different solutions, such as salts and iterative hashing. We propose a new approach to using MD5 in password storage by using external information, a calculated salt and a random key to encrypt the password before the MD5 calculation. We suggest using key stretching to make the hash calculation slower and using XOR cipher to make the final hash value impossible to find in any standard rainbow table.
18 Feb 2013
TL;DR: This paper uncovers the vulnerabilities of existing BPMs and proposes a novel Cloud-based Storage-Free BPM (CSF-BPM) design to achieve a high level of security with the desired confidentiality, integrity, and availability properties.
Abstract: Web users are confronted with the daunting challenges of creating, remembering, and using more and more strong passwords than ever before in order to protect their valuable assets on different websites. Password manager is one of the most popular approaches designed to address these challenges by saving users' passwords and later automatically filling the login forms on behalf of users. Fortunately, all the five most popular Web browsers have provided password managers as a useful built-in feature. Unfortunately, the designs of all those Browser-based Password Managers (BPMs) have severe security vulnerabilities. In this paper, we uncover the vulnerabilities of existing BPMs and analyze how they can be exploited by attackers to crack users' saved passwords. Moreover, we propose a novel Cloud-based Storage-Free BPM (CSF-BPM) design to achieve a high level of security with the desired confidentiality, integrity, and availability properties. We have implemented a CSF-BPM system into Firefox and evaluated its correctness and performance. We believe CSF-BPM is a rational design that can also be integrated into other popular Web browsers.
11 Apr 2013
TL;DR: This paper presents the implementation of Rainbow tables for cracking passwords of operating systems such as Windows7 and application which uses Message Digest v5(MD5) and Simple Hash Algorithmv1(SHA1) as their password hashing mechanism.
Abstract: Rainbow tables are basically huge tables filled with hash values and are used to find required password. Rainbow Table is used by the hackers to find the password by reversing the hashing function. Hashing the plaintext or password is a 1-way function which implies that hash can't be decrypted to find the required password[10]. To authenticate the user a system takes the hash value generated by the hash function on user's computer and it is compared with the hash value stored in the table on the server machine. If the hash matches, then the user is authenticated and can access the system. Rainbow tables are used to crack the password in short amount of time as compared to brute force technique, but it takes a lot of storage to hold rainbow table itself[1]. It is the most efficient methods for cracking passwords. This paper presents the implementation of Rainbow tables for cracking passwords of operating systems such as Windows7 and application which uses Message Digest v5(MD5) and Simple Hash Algorithmv1(SHA1) as their password hashing mechanism. It discusses the functionality of Rainbow Tables and its advantages over conventional brute-force approach and the usage of rainbow table to crack windows password.
01 Apr 2013
TL;DR: It is shown that a usability feature of the investigated mobile password managers puts the users’ usernames and passwords at risk, and recommendations are made how to overcome the current problems and provide an implementation of a secure and usable mobile password manager.
Abstract: Password managers aim to help users manage their ever increasing number of passwords for online authentication. Since users only have to memorise one master secret to unlock an encrypted password database or key chain storing all their (hopefully) different and strong passwords, password managers are intended to increase username/password security. With mobile Internet usage on the rise, password managers have found their way onto smartphones and tablets. In this paper, we analyse the security of password managers on Android devices. While encryption mechanisms are used to protect credentials, we will show that a usability feature of the investigated mobile password managers puts the users’ usernames and passwords at risk. We demonstrate the consequences of our findings by analysing 21 popular free and paid password managers for Android. We then make recommendations how to overcome the current problems and provide an implementation of a secure and usable mobile password manager.
TL;DR: It is shown that Li-Lee's scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card, and their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy.
Abstract: It is a challenge for password authentication protocols using non-tamper resistant smart cards to achieve user anonymity, forward secrecy, immunity to various attacks and high performance at the same time. In 2011, Li and Lee showed that both Hsiang-Shih’s password-based remote user authentication schemes are vulnerable to various attacks if the smart card is non-tamper resistant. Consequently, an improved scheme was developed to preclude the identified weaknesses and claimed that it is secure against smart card loss attacks. In this paper, however, we will show that Li-Lee’s scheme still cannot withstand offline password guessing attack under the non-tamper resistance assumption of the smart card. In addition, their scheme is also vulnerable to denial of service attack and fails to provide user anonymity and forward secrecy. As our main contribution, a robust scheme is presented to cope with the aforementioned defects, while keeping the merits of different password authentication schemes using smart cards. The analysis demonstrates that our scheme meets all the proposed criteria and eliminates several hard security threats that are difficult to be tackled at the same time in previous scholarship.
Patent•
IBM1
TL;DR: In this article, a method for managing password strength including receiving a password on a data processing system for a user, filtering for personal information about the user from multiple independent data sources accessible across a computer network is presented.
Abstract: A method for managing password strength including receiving a password on a data processing system for a user, filtering for personal information about the user from multiple independent data sources accessible across a computer network, computing the password strength by the data processing system using an algorithm which compares the password to the filtered personal information about the user, and presenting feedback to the user through a user interface on a data processing system display regarding the computed password strength.
Patent•
20 Dec 2013
TL;DR: In this paper, the authors proposed a method to authenticate a user to a computer prior to the user having access to the computer or network, which can be provided within a keyboard, in a computer, or in a third device having connectivity thereto.
Abstract: The present invention includes a device and method to authenticate a user to a computer prior to the user having access to the computer or network. As user name and password protocols are nearly ubiquitous in authentication applications used today, there have been developed many nefarious techniques to defeat the security of such systems. It is relatively easy to write a computer program to guess passwords and then use those passwords to defeat security and cause harm and mischief to a computer, its users and others. To thwart such activity, the present invention provides a novel device that can be provided within a keyboard, in a computer, or in a third device having connectivity thereto. The device in conjunction with the method provides a secure password mode and a challenge/response protocol to verify that the password is entered in response to a particular request for a password.
TL;DR: This study shows that the password-based multi-server authentication scheme proposed by Yeh and Lo is vulnerable to undetectable password-guessing attack and offline password-Guessing attack, and proposes a new password- based multi- server authentication scheme to overcome these vulnerabilities.
Abstract: A multi-server authentication scheme is a useful authentication mechanism in which a remote user can access the services of multiple servers after registering with the registration center (RC). This study shows that the password-based multi-server authentication scheme proposed by Yeh and Lo is vulnerable to undetectable password-guessing attack and offline password-guessing attack. This study proposes a new password-based multi-server authentication scheme to overcome these vulnerabilities. The proposed protocol introduces a new mechanism for protecting user password. The RC sends an alternative key to help the server verify the legitimacy of user instead of the user's password. The values of these keys are changed with a random large nonce in each session. Therefore, the password-guessing attack cannot work successfully on the proposed scheme.
TL;DR: The evidence shows that, pre-compiled lists of usernames and passwords that are widely shared form the basis for brute-force attacks.
Abstract: We studied Brute-force SSH attacks carried out on six different universities campus networks by using Honeypot Techniques. Brute-force password guessing attacks against SSH, FTP and telnet servers are the most common form of attack to compromise servers facing the internet. A key factor to avoid disruption of these networks is to defend it against Brute-force attacks. We focused on the attempts to gain remote access to our SSH Honeypots Plus Tools and techniques employed. There are striking similarities in the methods used to attack these dissimilar systems. The evidence shows that, pre-compiled lists of usernames and passwords that are widely shared form the basis for brute-force attacks. When the passwords were analysed, it was found that in the event of actual malicious traffic what was commonly understood to be strong password did not protect the systems from being compromised. The data from the study were used to evaluate the efficacy of a variety of techniques designed to defend the systems against these attacks. Table 17 lists some commonly recommendation for the protection of SSH servers.
16 Jun 2013
TL;DR: In this article, the authors introduce the first theoretical model for password composition policies and study the computational and sample complexity of this problem under different assumptions on the structure of policies and on users' preferences over passwords.
Abstract: A password composition policy restricts the space of allowable passwords to eliminate weak passwords that are vulnerable to statistical guessing attacks. Usability studies have demonstrated that existing password composition policies can sometimes result in weaker password distributions; hence a more principled approach is needed. We introduce the first theoretical model for optimizing password composition policies. We study the computational and sample complexity of this problem under different assumptions on the structure of policies and on users' preferences over passwords. Our main positive result is an algorithm that -- with high probability --- constructs almost optimal policies (which are specified as a union of subsets of allowed passwords), and requires only a small number of samples of users' preferred passwords. We complement our theoretical results with simulations using a real-world dataset of 32 million passwords.
TL;DR: The password feedback mechanism that was most effective was the feedback of the estimated amount of time to break the password, which significantly influenced users with lower password entropy to choose a more secure password.
Abstract: Purpose – Text-based passwords created by users are typically weak. A common mitigation is to provide meaningful feedback to users regarding the relative strength of their newly created password. However, the effects of these feedback mechanisms on users to create stronger passwords have not been well studied. This study examined four different types of password feedback mechanisms to determine which, if any, are the most effective. The paper aims to discuss these issues. Design/methodology/approach – Undergraduate student volunteers created four different passwords and then entered the passwords into four different online password feedback mechanisms. Participants were then asked whether the feedback persuaded them to change their original password. Findings – In all cases, the feedback mechanisms significantly influenced users with lower password entropy to choose a more secure password. The password feedback mechanism that was most effective was the feedback of the estimated amount of time to break the...
09 Dec 2013
TL;DR: It is shown that the proposed 3PAKE scheme is vulnerable to off-line password guessing attack and partition attack, and an efficient method to fix these problems is proposed.
Abstract: A Three-party Password-based Authenticated Key Exchange (3PAKE) protocol allows two users to establish a secure session key over an insecure communication channel with the help of a third party, which is a trusted server. Recently, Lou and Huang proposed a 3PAKE which is efficient and suitable for running on resource-constrained devices such as smart cards and mobile phones. In this paper, we show that their scheme is vulnerable to off-line password guessing attack and partition attack. We then propose an efficient method to fix these problems. Additionally, the mutual authentication and session key secrecy of the proposed protocol are verified using a formal verification tool. DOI: http://dx.doi.org/10.5755/j01.itc.42.3.1905