A convenient method for securely managing passwords
Source: International World Wide Web Conference archive
Proceedings of the 14th international conference on World Wide Web
Chiba, Japan
SESSION: Security through the eyes of users
Pages: 471-479
Year of Publication: 2005
ISBN: 1-59593-046-9
Authors
J. Alex Halderman  Princeton University, Princeton, NJ
Brent Waters  Stanford University
Edward W. Felten  Princeton University, Princeton, NJ
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 27,   Downloads (12 Months): 255,   Citation Count: 13
DOI: http://doi.acm.org/10.1145/1060745.1060815

ABSTRACT

Computer users are asked to generate, keep secret, and recall an increasing number of passwords for uses including host accounts, email servers, e-commerce sites, and online financial services. Unfortunately, the password entropy that users can comfortably memorize seems insufficient to store unique, secure passwords for all these accounts, and it is likely to remain constant as the number of passwords (and the adversary's computational power) increases into the future. In this paper, we propose a technique that uses a strengthened cryptographic hash function to compute secure passwords for arbitrarily many accounts while requiring the user to memorize only a single short password. This mechanism functions entirely on the client; no server-side changes are needed. Unlike previous approaches, our design is both highly resistant to brute force attacks and nearly stateless, allowing users to retrieve their passwords from any location so long as they can execute our program and remember a short secret. This combination of security and convenience will, we believe, entice users to adopt our scheme. We discuss the construction of our algorithm in detail, compare its strengths and weaknesses to those of related approaches, and present Password Multiplier, an implementation in the form of an extension to the Mozilla Firefox web browser.


