Securing Passwords Against Dictionary Attacks

Summary:
Passwords are the most common method of authenticating users, and will most likely continue to be widely used for the foreseeable future, due to their convenience and practicality for service providers and end-users. Although more secure authentication schemes have been suggested in the past, e.g., using smartcards or public key cryptography, none of them has been in widespread use in the consumer market. It is a well-known problem in computer security that human-chosen passwords are inherently insecure, since a large fraction of users choose passwords that come from a small domain (see, e.g., the empirical studies in [19, 15]). A small password domain enables adversaries to attempt to log in to accounts by trying all possible passwords until they find the correct one. This attack is known as a "dictionary attack". Successful dictionary attacks have recently been reported, e.g., against eBay user accounts, where attackers broke into accounts of sellers with good reputations in order to conduct fraudulent auctions [8].
When trying to improve the security of password-based authentication, one wants to prevent attackers from eavesdropping on passwords in transit, and from mounting offline dictionary attacks, namely attacks that enable the attacker to check all possible passwords without requiring any feedback from the server. Eavesdropping attacks can be prevented by encrypting the communication between the user and the server, for example using SSL (see also [12, 5, 16, 11]). Offline dictionary attacks are prevented by limiting access to the password file (and can be made even harder by adding well-known measures such as the use of salt).
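As an added illustration (not code from the paper), the following Python shows why salt raises the cost of an offline dictionary attack against a leaked password file: without salt, one precomputed table of hashed dictionary words serves every account, whereas with a per-user salt the whole dictionary must be rehashed for each account. User names, passwords and the dictionary are constructed sample data; SHA-256 stands in for whatever hash the file uses.

```python
import hashlib
import os

# Constructed sample data: a tiny "dictionary" of common passwords and a few
# accounts. Four users picked a dictionary word; erin picked a strong password.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]
USERS = {
    "alice": "password",
    "bob": "dragon",
    "carol": "qwerty",
    "dave": "123456",
    "erin": "c0rrect-h0rse-battery",
}

def sha256_hex(data: bytes) -> str:
    # Plain SHA-256 keeps the example short; a real store would use a slow,
    # salted KDF (bcrypt, scrypt, Argon2) so every guess costs far more.
    return hashlib.sha256(data).hexdigest()

def store_unsalted(users):
    """Password file where each entry is H(password), no per-user salt."""
    return {u: sha256_hex(p.encode()) for u, p in users.items()}

def store_salted(users):
    """Password file where each entry is (salt, H(salt || password))."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)           # fresh random salt per account
        out[u] = (salt, sha256_hex(salt + p.encode()))
    return out

def offline_attack_unsalted(pwfile, dictionary):
    """Hash each dictionary word once, then look up every account in the table.
    Returns (recovered passwords, number of hash computations)."""
    table = {sha256_hex(w.encode()): w for w in dictionary}   # computed once
    recovered = {u: table[h] for u, h in pwfile.items() if h in table}
    return recovered, len(dictionary)

def offline_attack_salted(pwfile, dictionary):
    """With salt the precomputed table is useless: the dictionary must be
    rehashed under each account's salt. Returns (recovered, hash count)."""
    recovered, work = {}, 0
    for u, (salt, h) in pwfile.items():
        for w in dictionary:
            work += 1
            if sha256_hex(salt + w.encode()) == h:
                recovered[u] = w
                break
    return recovered, work
```

The attack recovers the same four weak passwords either way; what changes is the hash work, which with salt grows with the number of accounts instead of being paid once.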

Format:
Pages: 14
Size: 208 kb
Authors: Benny Pinkas, Tomas Sander

Download:
Securing Passwords Against Dictionary Attacks