J. Alex Halderman
Brent Waters
ABSTRACT
Computer users are asked to generate, keep secret, and recall an increasing number of passwords for uses including host accounts, email servers, e-commerce sites, and online financial services. Unfortunately, the password entropy that users can comfortably memorize seems insufficient to store unique, secure passwords for all these accounts, and it is likely to remain constant as the number of passwords (and the adversary's computational power) increases into the future. In this paper, we propose a technique that uses a strengthened cryptographic hash function to compute secure passwords for arbitrarily many accounts while requiring the user to memorize only a single short password. This mechanism functions entirely on the client; no server-side changes are needed. Unlike previous approaches, our design is both highly resistant to brute force attacks and nearly stateless, allowing users to retrieve their passwords from any location so long as they can execute our program and remember a short secret. This combination of security and convenience will, we believe, entice users to adopt our scheme. We discuss the construction of our algorithm in detail, compare its strengths and weaknesses to those of related approaches, and present Password Multiplier, an implementation in the form of an extension to the Mozilla Firefox web browser.
- Microsoft Passport service. http://www.passport.net.]]Google Scholar
- OpenSSL: The open source toolkit for SSL/TLS. http://www.openssl.org.]]Google Scholar
- Martín Abadi, T. Mark A. Lomas, and Roger Needham. Strengthening passwords. Technical Report 1997 - 033, 1997.]]Google Scholar
- Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated key exchange secure against dictionary attacks. In EUROCRYPT, pages 139--155, 2000.]] Google ScholarDigital Library
- E. Felten, D. Balfanz, D. Dean, and D. Wallach. Web spoofing: An Internet con game. Proc. 20th National Information Systems Security Conference, 1997.]]Google Scholar
- Eran Gabber, Phillip B. Gibbons, Yossi Matias, and Alain J. Mayer. How to make personalized web browsing simple, secure, and anonymous. In Financial Cryptography, pages 17--32, 1997.]] Google ScholarDigital Library
- Rosario Gennaro and Yehuda Lindell. A framework for password-based authenticated key exchange. In EUROCRYPT, pages 524--543, 2003.]] Google ScholarDigital Library
- J. Jeff, Y. Alan, B. Ross, and A. Alasdair. The memorability and security of passwords -- some empirical results, 2000.]]Google Scholar
- Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin. The design and analysis of graphical passwords. 1999.]]Google Scholar
- Jonathan Katz, Rafail Ostrovsky, and Moti Yung. Efficient password-authenticated key exchange using human-memorable passwords. In EUROCRYPT '01: Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques, pages 475--494. Springer-Verlag, 2001.]] Google ScholarDigital Library
- J. Kelsey, B. Schneier, C. Hall, and D. Wagner. Secure applications of low-entropy keys. Lecture Notes in Computer Science, 1396:121--134, 1998.]] Google ScholarDigital Library
- David P. Kormann and Aviel D. Rubin. Risks of the Passport single signon protocol. In Proc. 9th international World Wide Web conference on computer networks, pages 51--58. North-Holland Publishing Co., 2000.]] Google ScholarDigital Library
- U. Manber. A simple scheme to make passwords based on one-way functions much harder to crack, 1996.]]Google Scholar
- Robert Morris and Ken Thompson. Password security: A case history. CACM, 22(11):594--597, 1979.]] Google ScholarDigital Library
- Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh, and John C. Mitchell. A browser plug-in solution to the unique password problem, 2005. Technical report, Stanford-SecLab-TR-2005-1.]]Google Scholar
- Bruce Schneier et al. Password Safe application. http://www.schneier.com/passsafe.html.]]Google Scholar
- Joe Smith. Password Safe cracker utility. http://members.aol.com/jpeschel3/recovery.htm.]]Google Scholar
Index Terms
- A convenient method for securely managing passwords
Recommendations
Securely combining public-key cryptosystems
CCS '01: Proceedings of the 8th ACM conference on Computer and Communications SecurityIt is a maxim of sound computer-security practice that a cryptographic key should have only a single use. For example, an RSA key pair should be used only for public-key encryption or only for digital signatures, and not for both.In this paper we show ...
A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords
SOUPS '06: Proceedings of the second symposium on Usable privacy and securityPrevious research has found graphical passwords to be more memorable than non-dictionary or "strong" alphanumeric passwords. Participants in a prior study expressed concerns that this increase in memorability could also lead to an increased ...
The Design and Implementation of Passwords Management System Based on Blowfish Cryptographic Algorithm
IFCSTA '09: Proceedings of the 2009 International Forum on Computer Science-Technology and Applications - Volume 02In modern society, especially on the Internet, you might have found you are having more and more usernames or IDs and passwords, which contains your private information. There are too many for you to remember and it is unsafe to write them down on you ...
Comments