Securing Passwords Against Dictionary Attacks
Date: November 2002
Publication: Proceedings of the 9th ACM Conference on Computer and Communications Security
Page(s): 161 - 170
Source 1: http://www.pinkas.net/PAPERS/pwdweb.pdf
Source 2: http://www.pinkas.net/PAPERS/pwdweb.ps
Source 3: http://doi.acm.org/10.1145/586110.586133 - Subscription or payment required
Abstract or Summary:
The use of passwords is a major point of vulnerability in computer security, as passwords are often easy to guess by automated programs running dictionary attacks. Passwords remain the most widely used authentication method despite their well-known security weaknesses. User authentication is clearly a practical problem. From the perspective of a service provider this problem needs to be solved within real-world constraints such as the available hardware and software infrastructures. From a user's perspective user-friendliness is a key requirement.In this paper we suggest a novel authentication scheme that preserves the advantages of conventional password authentication, while simultaneously raising the costs of online dictionary attacks by orders of magnitude. The proposed scheme is easy to implement and overcomes some of the difficulties of previously suggested methods of improving the security of user authentication schemes.Our key idea is to efficiently combine traditional password authentication with a challenge that is very easy to answer by human users, but is (almost) infeasible for automated programs attempting to run dictionary attacks. This is done without affecting the usability of the system. The proposed scheme also provides better protection against denial of service attacks against user accounts.
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.