ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Digital Library logoTake a look at the new version of this page: [ beta version ]. Tell us what you think.
A convenient method for securely managing passwords
Full text PdfPdf (187 KB)
Source International World Wide Web Conference archive
Proceedings of the 14th international conference on World Wide Web table of contents
Chiba, Japan
SESSION: Security through the eyes of users table of contents
Pages: 471 - 479  
Year of Publication: 2005
ISBN:1-59593-046-9
Authors
J. Alex Halderman  Princeton University, Princeton, NJ
Brent Waters  Stanford University
Edward W. Felten  Princeton University, Princeton, NJ
Sponsor
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 23,   Downloads (12 Months): 204,   Citation Count: 13
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1060745.1060815
What is a DOI?

ABSTRACT

Computer users are asked to generate, keep secret, and recall an increasing number of passwords for uses including host accounts, email servers, e-commerce sites, and online financial services. Unfortunately, the password entropy that users can comfortably memorize seems insufficient to store unique, secure passwords for all these accounts, and it is likely to remain constant as the number of passwords (and the adversary's computational power) increases into the future. In this paper, we propose a technique that uses a strengthened cryptographic hash function to compute secure passwords for arbitrarily many accounts while requiring the user to memorize only a single short password. This mechanism functions entirely on the client; no server-side changes are needed. Unlike previous approaches, our design is both highly resistant to brute force attacks and nearly stateless, allowing users to retrieve their passwords from any location so long as they can execute our program and remember a short secret. This combination of security and convenience will, we believe, entice users to adopt our scheme. We discuss the construction of our algorithm in detail, compare its strengths and weaknesses to those of related approaches, and present Password Multiplier, an implementation in the form of an extension to the Mozilla Firefox web browser.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Microsoft Passport service. http://www.passport.net.
 
2
OpenSSL: The open source toolkit for SSL/TLS. http://www.openssl.org.
 
3
Martín Abadi, T. Mark A. Lomas, and Roger Needham. Strengthening passwords. Technical Report 1997 - 033, 1997.
 
4
Mihir Bellare, David Pointcheval, and Phillip Rogaway. Authenticated key exchange secure against dictionary attacks. In EUROCRYPT, pages 139--155, 2000.
 
5
E. Felten, D. Balfanz, D. Dean, and D. Wallach. Web spoofing: An Internet con game. Proc. 20th National Information Systems Security Conference, 1997.
 
6
Eran Gabber , Phillip B. Gibbons , Yossi Matias , Alain J. Mayer, How to Make Personalized Web Browising Simple, Secure, and Anonymous, Proceedings of the First International Conference on Financial Cryptography, p.17-32, February 24-28, 1997
 
7
Rosario Gennaro and Yehuda Lindell. A framework for password-based authenticated key exchange. In EUROCRYPT, pages 524--543, 2003.
 
8
J. Jeff, Y. Alan, B. Ross, and A. Alasdair. The memorability and security of passwords -- some empirical results, 2000.
 
9
Ian Jermyn, Alain Mayer, Fabian Monrose, Michael K. Reiter, and Aviel D. Rubin. The design and analysis of graphical passwords. 1999.
 
10
Jonathan Katz , Rafail Ostrovsky , Moti Yung, Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords, Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology, p.475-494, May 06-10, 2001
 
11
John Kelsey , Bruce Schneier , Chris Hall , David Wagner, Secure Applications of Low-Entropy Keys, Proceedings of the First International Workshop on Information Security, p.121-134, September 17-19, 1997
 
12
David P. Kormann , Aviel D. Rubin, Risks of the passport single signon protocol, Proceedings of the 9th international World Wide Web conference on Computer networks : the international journal of computer and telecommunications netowrking, p.51-58, June 2000, Amsterdam, The Netherlands
 
13
U. Manber. A simple scheme to make passwords based on one-way functions much harder to crack, 1996.
14
Robert Morris , Ken Thompson, Password security: a case history, Communications of the ACM, v.22 n.11, p.594-597, Nov. 1979  [doi>10.1145/359168.359172]
 
15
Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh, and John C. Mitchell. A browser plug-in solution to the unique password problem, 2005. Technical report, Stanford-SecLab-TR-2005-1.
 
16
Bruce Schneier et al. Password Safe application. http://www.schneier.com/passsafe.html.
 
17
Joe Smith. Password Safe cracker utility. http://members.aol.com/jpeschel3/recovery.htm.

CITED BY  13
Ravi Chandra Jammalamadaka , Sharad Mehrotra , Nalini Venkatasubramanian, Pvault: a client server system providing mobile access to personal data, Proceedings of the 2005 ACM workshop on Storage security and survivability, November 11-11, 2005, Fairfax, VA, USA
Julie Thorpe , P. C. van Oorschot, Human-seeded attacks and exploiting hot-spots in graphical passwords, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
Xavier Boyen, Halting password puzzles: hard-to-break encryption from human-memorable keys, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
Collin Jackson , Dan Boneh , John Mitchell, Transaction generators: root kits for web, Proceedings of the 2nd USENIX workshop on Hot topics in security, p.1-4, August 07, 2007, Boston, MA
Ka-Ping Yee , Kragen Sitaker, Passpet: convenient password management and phishing protection, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania
Kim-Phuong L. Vu , Robert W. Proctor , Abhilasha Bhargav-Spantzel , Bik-Lam (Belin) Tai , Joshua Cook , E. Eugene Schultz, Improving password security and memorability to protect personal and organizational information, International Journal of Human-Computer Studies, v.65 n.8, p.744-757, August, 2007
Yue Zhang , Jason I. Hong , Lorrie F. Cranor, Cantina: a content-based approach to detecting phishing web sites, Proceedings of the 16th international conference on World Wide Web, May 08-12, 2007, Banff, Alberta, Canada
ChangHee Lee , Heejo Lee, A password stretching method using user specific salts, Proceedings of the 16th international conference on World Wide Web, May 08-12, 2007, Banff, Alberta, Canada
Troy Ronda , Stefan Saroiu , Alec Wolman, Itrustpage: a user-assisted anti-phishing tool, ACM SIGOPS Operating Systems Review, v.42 n.4, May 2008
P. C. van Oorschot , Julie Thorpe, On predictive models and user-drawn graphical passwords, ACM Transactions on Information and System Security (TISSEC), v.10 n.4, p.1-33, January 2008
Chris Karlof , Umesh Shankar , J. D. Tygar , David Wagner, Dynamic pharming attacks and locked same-origin policies for web browsers, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Dinei Florencio , Cormac Herley, Evaluating a trial deployment of password re-use for phishing prevention, Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, p.26-36, October 04-05, 2007, Pittsburgh, Pennsylvania
Alain Forget , Sonia Chiasson , P. C. van Oorschot , Robert Biddle, Improving text passwords through persuasion, Proceedings of the 4th symposium on Usable privacy and security, July 23-25, 2008, Pittsburgh, Pennsylvania

INDEX TERMS

Primary Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)
          Subjects: Authentication

Additional Classification:
  K. Computing Milieux
  K.4 COMPUTERS AND SOCIETY
      K.4.4 Electronic Commerce
          Subjects: Security


General Terms:
Design, Human Factors, Security


Keywords:
password security, website user authentication

Collaborative Colleagues:
J. Alex Halderman: colleagues
Brent Waters: colleagues
Edward W. Felten: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player