Single Password, Multiple Accounts
Summary:
Most users have multiple accounts on the Internet where each account is protected by a password. To avoid the headache in remembering and managing a long list of different and unrelated passwords, most users simply use the same password for multiple accounts. Unfortunately, the predominant HTTP basic authentication protocol (even over SSL) makes this common practice remarkably dangerous: an attacker can effectively steal users' passwords for high-security servers (such as an online banking website) by setting up a malicious server or breaking into a low-security server (such as a high-school alumni website). To solve this problem, we propose a new password protocol that is simple, secure, efficient and user-friendly. In terms of simplicity, the protocol only involves three messages, and the protocol is easy to understand and implement. In terms of security, the protocol is secure against the attacks that have been discovered so far including the ones that are difficult to defend, such as the malicious server attacks described above and the recent phishing attacks. In terms of efficiency, each run of our protocol only involves a total of four computations of a one-way hash function. In terms of usability, the protocol requires a user to remember only one password consisting of eight (or more) random characters, and this password can be used for all of his accounts.
Pages: 12
Size: 113 kb
Author: Mohamed G. Gouda, Alex X. Liu, Lok M. Leung, Mohamed A. Alam
