ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Passpet: convenient password management and phishing protection
Full text PdfPdf (479 KB)
Source SOUPS; Vol. 149 archive
Proceedings of the second symposium on Usable privacy and security table of contents
Pittsburgh, Pennsylvania
SESSION: Password management, mnemonics, and mother's maiden names table of contents
Pages: 32 - 43  
Year of Publication: 2006
ISBN:1-59593-448-0
Authors
Ka-Ping Yee  University of California, Berkeley
Kragen Sitaker
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 12,   Downloads (12 Months): 150,   Citation Count: 13
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1143120.1143126
What is a DOI?

ABSTRACT

We describe Passpet, a tool that improves both the convenience and security of website logins through a combination of techniques. Password hashing helps users manage multiple accounts by turning a single memorized password into a different password for each account. User-assigned site labels (petnames) help users securely identify sites in the face of determined attempts at impersonation (phishing). Password-strengthening measures defend against dictionary attacks. Customizing the user interface defends against user-interface spoofing attacks. We propose new improvements to these techniques, discuss how they are integrated into a single tool, and compare Passpet to other solutions for managing passwords and preventing phishing.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
M. Abadi, T. M. A. Lomas, and R. Needham. Strengthening Passwords. Technical Report 1997-033, SRC, 2005.
 
2
T. Close. Petname Tool. http://petname.mozdev.org/.
 
3
CoreStreet. Spoofstick. http://www.spoofstick.com/.
4
Rachna Dhamija , J. D. Tygar, The battle against phishing: Dynamic Security Skins, Proceedings of the 2005 symposium on Usable privacy and security, p.77-88, July 06-08, 2005, Pittsburgh, Pennsylvania  [doi>10.1145/1073001.1073009]
5
Rachna Dhamija , J. D. Tygar , Marti Hearst, Why phishing works, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada  [doi>10.1145/1124772.1124861]
 
6
Earthlink. Earthlink Toolbar and ScamBlocker FAQ. http://kb.earthlink.net/case.asp?article=30492.
 
7
Earthlink. Earthlink Toolbar Featuring ScamBlocker for Windows Users. http://www.earthlink.net/software/free/toolbar/.
 
8
S. Fox, L. Rainie, J. Horrigan, A. Lenhart, T. Spooner, and C. Carter. Trust and privacy online: Why Americans want to rewrite the rules. August 2000. http://www.pewinternet.org/report_display.asp?r=19.
 
9
R. Franco. Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers. November 2005. http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx.
 
10
Eran Gabber , Phillip B. Gibbons , Yossi Matias , Alain J. Mayer, How to Make Personalized Web Browising Simple, Secure, and Anonymous, Proceedings of the First International Conference on Financial Cryptography, p.17-32, February 24-28, 1997
11
Evgeniy Gabrilovich , Alex Gontmakher, The homograph attack, Communications of the ACM, v.45 n.2, February 2002  [doi>10.1145/503124.503156]
12
J. Alex Halderman , Brent Waters , Edward W. Felten, A convenient method for securely managing passwords, Proceedings of the 14th international conference on World Wide Web, May 10-14, 2005, Chiba, Japan  [doi>10.1145/1060745.1060815]
 
13
A. Herzberg and A. Gbara. TrustBar: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks. Cryptology ePrint Archive, Report 2004/155, 2004. http://www.cs.biu.ac.il/~herzbea/TrustBar/.
 
14
A. Karp. Site-Specific Passwords. Technical report, HP Labs. http://www.hpl.hp.com/personal/Alan_Karp/site_password/.
 
15
John Kelsey , Bruce Schneier , Chris Hall , David Wagner, Secure Applications of Low-Entropy Keys, Proceedings of the First International Workshop on Information Security, p.121-134, September 17-19, 1997
 
16
R. Naraine. Microsoft Downgrades Claria Adware Detections. July 2005. http://www.eweek.com/article2/0,1895,1834607,00.asp.
 
17
Netcraft. Netcraft Anti-Phishing Toolbar. http://toolbar.netcraft.com/.
 
18
Netcraft. Netcraft Toolbar Privacy Policy. http://toolbar.netcraft.com/privacypolicy.html.
 
19
Bank of America. Sign up for the SiteKey Service. http://www.bankofamerica.com/privacy/passmark/.
 
20
B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. C. Mitchell. Stronger Password Authentication Using Browser Extensions. In Proc. 14th Usenix Security, 2005.
 
21
T. Sharif. Phishing Filter in IE7. September 2005. http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspx.
 
22
M. Stiegler. An Introduction to Petname Systems. http://www.skyhunter.com/marcs/petnames/IntroPetNames.html.
 
23
Protocom Development Systems. Global Password Usage Survey. September 2003. http://www.protocom.com/html/whitepapers/biz_password_survey.html.
 
24
T. Wu. The Secure Remote Password Protocol. In Proc. 1998 Internet Society Network and Distributed System Security Symposium, pages 97--111, March 1998.

CITED BY  13
 
Collin Jackson , Dan Boneh , John Mitchell, Transaction generators: root kits for web, Proceedings of the 2nd USENIX workshop on Hot topics in security, p.1-4, August 07, 2007, Boston, MA
Vassilis Kostakos, Human-in-the-loop: rethinking security in mobile and pervasive systems, CHI '08 extended abstracts on Human factors in computing systems, April 05-10, 2008, Florence, Italy
Jennifer Stoll , Craig S. Tashman , W. Keith Edwards , Kyle Spafford, Sesame: informing user security decisions with system visualization, Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, April 05-10, 2008, Florence, Italy
Serge Egelman , Lorrie Faith Cranor , Jason Hong, You've been warned: an empirical study of the effectiveness of web browser phishing warnings, Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, April 05-10, 2008, Florence, Italy
Ye Cao , Weili Han , Yueran Le, Anti-phishing based on automated individual white-list, Proceedings of the 4th ACM workshop on Digital identity management, October 31-31, 2008, Alexandria, Virginia, USA
Frederik De Keukelaere , Sumeer Bhola , Michael Steiner , Suresh Chari , Sachiko Yoshihama, SMash: secure component model for cross-domain mashups on unmodified browsers, Proceeding of the 17th international conference on World Wide Web, April 21-25, 2008, Beijing, China
Troy Ronda , Stefan Saroiu , Alec Wolman, Itrustpage: a user-assisted anti-phishing tool, ACM SIGOPS Operating Systems Review, v.42 n.4, May 2008
Radia Perlman , Charlie Kaufman, User-centric PKI, Proceedings of the 7th symposium on Identity and trust on the Internet, March 04-06, 2008, Gaithersburg, Maryland
Dinei Florencio , Cormac Herley, Evaluating a trial deployment of password re-use for phishing prevention, Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, p.26-36, October 04-05, 2007, Pittsburgh, Pennsylvania
Steve Sheng , Bryant Magnien , Ponnurangam Kumaraguru , Alessandro Acquisti , Lorrie Faith Cranor , Jason Hong , Elizabeth Nunge, Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish, Proceedings of the 3rd symposium on Usable privacy and security, July 18-20, 2007, Pittsburgh, Pennsylvania
Yue Zhang , Jason I. Hong , Lorrie F. Cranor, Cantina: a content-based approach to detecting phishing web sites, Proceedings of the 16th international conference on World Wide Web, May 08-12, 2007, Banff, Alberta, Canada
Amir Herzberg , Ahmad Jbara, Security and identification indicators for browsers against spoofing and phishing attacks, ACM Transactions on Internet Technology (TOIT), v.8 n.4, p.1-36, September 2008
Chris Karlof , Umesh Shankar , J. D. Tygar , David Wagner, Dynamic pharming attacks and locked same-origin policies for web browsers, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  H. Information Systems
  H.3 INFORMATION STORAGE AND RETRIEVAL
      H.3.5 On-line Information Services
          Subjects: Web-based services
  H.4 INFORMATION SYSTEMS APPLICATIONS
      H.4.3 Communications Applications
          Subjects: Information browsers
  H.5 INFORMATION INTERFACES AND PRESENTATION (I.7)
      H.5.2 User Interfaces (D.2.2, H.1.2, I.3.6)
          Subjects: Graphical user interfaces (GUI)

Collaborative Colleagues:
Ka-Ping Yee: colleagues
Kragen Sitaker: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player