Differentiated Virtual Passwords, Secret Little Functions, and Codebooks for Protecting Users From Password Theft

Virtual password using random linear functions for on-line services, ATM machines, and pervasive computing

Computer Communications, 2008


The Surfing Attacks Secured Password Authentication System

INTERNATIONAL JOURNAL OF ADVANCED INFORMATION AND COMMUNICATION TECHNOLOGY, 2020

People enjoy the convenience of on-line services, but online environments may bring many risks. We propose a virtual password concept involving a small amount of human computing to secure users’ passwords in on-line environments. We adopt user determined randomized linear generation functions to secure users’ passwords based on the fact that a server has more information than any adversary does. We analyze how the proposed scheme defends against phishing, key logger, and shoulder-surfing attacks. To the best of our knowledge, our virtual password mechanism is the first one which is able to defend against all three attacks together. In this work, we discussed how to prevent users’ passwords from being stolen by adversaries. We proposed a virtual password concept involving a small amount of human computing to secure users’ passwords in on-line environments. We also implemented the system to do some tests and survey feedback indicates the feasibility of such a system. In this paper, we...

A study of password security

Journal of Cryptology, 1989

We prove relationships between the security of a function generator when used in an encryption scheme and the security of a function generator when used in a UNIX-like password scheme.

A Simple and Secure Reformation-Based Password Scheme

IEEE Access

The electronic applications of financial institutions like banks and insurance companies use either a token-based, biometric-based, or knowledge-based password scheme to keep the confidential information of their customers safe from hackers. The knowledge-based password scheme's resistance, particularly that of its reformation-based password scheme against shoulder-surfing attacks, is comparatively better than the other two because its password can be entered in crowded places without fear of shoulder surfers. However, the available reformation-based passwords involve mental computation, making their usability difficult. Furthermore, they also need an extra device like earphones during password entry, creating a gap for information leakage. Moreover, most of the schemes store the passwords' actual content in a server database, which allows penetration of the financial institutions' database. In this article, a reformation-based password scheme involving no mental computation and using no extra device is proposed. The proposed scheme works on the password characters' indices, which change dynamically after each login process. It gets the password characters' indices from the end-user and obtains his password characters' indices from the database. Next, the textual passwords are formed from the user-provided indices and those obtained from the database. The textual passwords are then compared; if they match, the login succeeds, otherwise it fails. Our proposed password scheme's experimental results on the password data set showed better security and usability compared to state-of-the-art password schemes.

VIRTUAL PASSWORD VALIDATION MANAGEMENT

Passwords are widely used when accessing computers, networks, accounts and websites. A big drawback of passwords, called the password problem, is that they do not resist several password attacks such as guessing, dictionary attacks, key-loggers, shoulder-surfing and social engineering. Besides being secure against these attacks, passwords should be easy to remember. Usability and security are two important issues to be concerned about while working with passwords. Graphical passwords seem to be the solution, as is described further in the paper, but graphical passwords are primarily attacked by shoulder surfing and motion capture. In order to overcome shoulder surfing and motion capture techniques, we propose the Implicit password authentication system to give immunity against shoulder-surfing and screen-dump attacks.

Breaking Randomized Linear Generation Functions Based Virtual Password System

2010 IEEE International Conference on Communications, 2010

In ICC2008 and subsequent work, Lei et al. proposed a user authentication system (virtual password system), which is claimed to be secure against identity theft attacks, including phishing, keylogging and shoulder surfing. Their authentication system is a challenge-response protocol based on a randomized linear generation function, which uses a random integer in the responses of each login session to offer security against assorted attacks.

Password Authentication Scheme with Secured Login Interface

2012

This paper presents a novel solution to the age-old problem of password security at the input level. In our solution, each of the various characters from which a password could be composed is encoded with a random single-digit integer and presented to the user via an input interface form. A legitimate user entering his password only needs to carefully study the sequence of codes that describes his password, and then enter these codes in place of his actual password characters. This approach does not require the input code to be hidden from anyone or converted to placeholder characters for security reasons. Our solution engine regenerates a new code for each character each time the carriage return key is struck, producing a hardened password that is convincingly more secure than conventional password entry systems against both online and offline attackers. Using empirical data and a prototype implementation of our scheme, we give evidence that our approach is viable in practice, in terms of e...

A Text based Authentication Scheme for Improving Security of Textual Passwords

International Journal of Advanced Computer Science and Applications

User authentication through textual passwords is very common in computer systems due to its ease of use. However, textual passwords are vulnerable to different kinds of security attacks, such as spyware and dictionary attacks. In order to overcome the deficiencies of the textual password scheme, many graphical password schemes have been proposed. The proposed schemes could not fully replace textual passwords, due to usability and security issues. In this paper a text-based user authentication scheme is proposed which improves the security of the textual password scheme by modifying the password input method and adding a password transformation layer. In the proposed scheme, alphanumeric password characters are represented by random decimal numbers, which resist online security attacks such as shoulder-surfing and key-logger attacks. In the registration process, the password string is converted into a completely new string of symbols or characters before encryption. This strategy improves password security against offline attacks such as brute-force and dictionary attacks. In the proposed scheme passwords consist of alphanumeric characters, so users are not required to remember any new kind of password such as those used in graphical authentication. Hence the password memorability burden is minimized. However, the mean authentication time of the proposed scheme is higher than that of the textual password scheme due to the security measures taken against the online attacks.

oPass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks

Text passwords are the most popular form of user authentication on websites due to their convenience and simplicity. However, users' passwords are prone to be stolen and compromised under different threats and vulnerabilities. Firstly, users often select weak passwords and reuse the same passwords across different websites. Routinely reusing passwords causes a domino effect; when an adversary compromises one password, she will exploit it to gain access to more websites. Second, typing passwords into untrusted computers suffers from the threat of password theft. An adversary can launch several password-stealing attacks to snatch passwords, such as phishing, keyloggers and malware. In this paper, we design a user authentication protocol named oPass which leverages a user's cellphone and short message service to thwart password stealing and password reuse attacks. oPass only requires that each participating website possess a unique phone number, and involves a telecommunication service provider in the registration and recovery phases. Through oPass, users only need to remember a long-term password for login on all websites. After evaluating the oPass prototype, we believe oPass is efficient and affordable compared with the conventional web authentication mechanisms.

Challenges and Opportunities in Password Management: A Review of Current Solutions

Sri Lanka Journal of Social Sciences and Humanities

For over six decades, passwords have served as the primary authentication mechanism for almost all modern computer systems. However, password management is a challenging task for most computer users, and that has led users to many malpractices that have opened the door for most information security breaches over time. Despite many efforts, no alternative solution has ever succeeded in replacing passwords as the primary authentication mechanism. As a result, users are now heavily relying on password managers to alleviate the burden of manual password management. This paper addresses the topic of password management with respect to the different types of password managers and their inherent limitations. By evaluating the existing password management approaches and identifying potential improvements, this paper aims to highlight an important research gap that exists in the study area: the need for fully automating the process of manual password management.