A Protocol to Strengthen Password-Based Authentication

  • Itzel Vazquez Sandoval
  • Borce Stojkovski
  • Gabriele Lenzini (corresponding author)
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11263)


We discuss a password-based authentication protocol that we argue to be robust against password-guessing and off-line dictionary attacks. The core idea is to hash the passwords with a seed that comes from an OTP device, making the resulting identity token unpredictable for an adversary. We believe that the usability of this new protocol is the same as that of password-based methods with OTP, with the added advantage that users are not burdened with having to choose strong passwords.


Keywords: Password-based authentication; Cryptographic protocols



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Itzel Vazquez Sandoval (1)
  • Borce Stojkovski (1)
  • Gabriele Lenzini (1), corresponding author

  1. SnT/University of Luxembourg, Luxembourg City, Luxembourg
