Private Password Auditing
Date: December 2014
Publication: The 8th International Conference on Passwords (Passwords14) / Lecture Notes in Computer Science Volume 9393
Page(s): 138-145
Source 1: https://hal.inria.fr/hal-01119953/file/pwdaudit.pdf
Source 2: http://dx.doi.org/10.1007/978-3-319-24192-0_9 - Subscription or payment required
Abstract or Summary:
Passwords are the foremost means to achieve data and computer security. Hence, choosing a strong password which may withstand dictionary attacks is crucial in establishing the security of the underlying system. In order to ensure that strong passwords are chosen and that they are periodically updated, system administrators often rely on password auditors to filter weak password digests. Several tools aimed at preventing digest misuse have been designed to aid auditors in their task. We however show that the objective remains a far cry as these tools essentially reveal the digests corresponding to weak passwords. As a case study, we discuss the issues with Blackhash, and develop the notion of Private Password Auditing -- a mechanism that does not require a system administrator to reveal password digests to an external auditor and, symmetrically, the dictionaries remain private to the auditor. We further present constructions based on Private Set Intersection and its variant, and evaluate a proof-of-concept implementation against real-world dictionaries.
PasswordResearch.com Note: Video of presentation: https://video.adm.ntnu.no/pres/549931f1366a9