Scramble the Password Before You Type It

  • Jikai Li
  • Logan Stecker
  • Ethan Zeigler
  • Thomas Holland
  • Daan Liang
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 746)

Abstract

Passwords are widely used for digital authentication. There are a few conflicting issues with passwords: a strong password must be a long string without obvious patterns; the safe and convenient way to store a password is to memorize it; and people cannot remember strong passwords easily. To remember their passwords, people usually create weak passwords and reuse them across sites. Password servers are not as secure as we hope. Millions of hashed passwords were leaked and cracked in the last few years. It is therefore important that people increase password strength on the client side. In this work, we propose a mechanism that increases password strength on the client side. A password and a few simple facts remembered by the user are used as input to create a strong password. The proposed mechanism also allows the user to easily create a strong password that is site-unique.
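The abstract only states the idea (a memorized password plus a few remembered facts are combined on the client into a strong, site-unique password); the paper's actual construction is not on this page. The following is an added illustration of that idea, not the authors' mechanism: it assumes PBKDF2-HMAC-SHA256 as the slow function, the remembered facts plus the site name as the salt, a fact-normalization rule so that capitalization and stray spaces do not change the result, and a constructed output alphabet in which every character class is guaranteed to appear. The master password and facts in the usage line are constructed sample values.

```python
import hashlib
import hmac
import string
from typing import Iterator, Sequence

# Constructed output alphabet (assumption; the paper's alphabet is not given on the page).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_=+?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)

# PBKDF2 work factor: high enough that guessing the master password is costly
# even if an attacker learns the facts and the site name (constructed value).
PBKDF2_ITERATIONS = 200_000


def normalize(fact: str) -> str:
    """Lower-case and collapse whitespace so 'Mrs. Jones ' and 'mrs. jones' give the same result."""
    return " ".join(fact.strip().lower().split())


def _byte_stream(key: bytes) -> Iterator[int]:
    """Deterministic byte stream derived from the key: HMAC-SHA256(key, counter) blocks."""
    counter = 0
    while True:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        yield from block
        counter += 1


def _uniform_index(stream: Iterator[int], n: int) -> int:
    """Draw an index in range(n) without modulo bias by rejecting bytes above the largest multiple of n."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def derive_site_password(master: str, facts: Sequence[str], site: str, length: int = 20) -> str:
    """Combine master password, remembered facts and site name into a site-unique password.

    The facts and the site act as salt: the same master password yields an unrelated
    password for every site, so one leaked site password does not expose the others.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    # Separator bytes keep ('ab','c') and ('a','bc') from producing the same salt.
    salt = ("\x00".join(normalize(f) for f in facts) + "\x01" + normalize(site)).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERATIONS)
    stream = _byte_stream(key)
    chars = [ALPHABET[_uniform_index(stream, len(ALPHABET))] for _ in range(length)]

    # Many sites require every class; patch in missing classes at stream-chosen positions.
    # A position is never overwritten twice, so each fix persists and the loop terminates.
    used = set()
    while True:
        missing = [cls for cls in CLASSES if not any(c in cls for c in chars)]
        if not missing:
            break
        pos = _uniform_index(stream, length)
        if pos in used:
            continue
        used.add(pos)
        chars[pos] = missing[0][_uniform_index(stream, len(missing[0]))]
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True if the password contains a lower-case letter, an upper-case letter, a digit and a symbol."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    # Constructed sample inputs.
    facts = ["Mrs. Jones", "Toledo"]
    for site in ("example.com", "example.org"):
        print(site, derive_site_password("correct horse", facts, site))
```

The user types only the memorized master password and the short facts; the derived string is what is sent to the site, so the site's server never sees the master password, and a dump of that site's hashes gives an attacker only a long random-looking string with no reuse value elsewhere.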

Keywords

Password, Authentication, Hashing, Scramble

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Jikai Li (1)
  • Logan Stecker (1)
  • Ethan Zeigler (1)
  • Thomas Holland (1)
  • Daan Liang (2)

  1. Computer Science Department, The College of New Jersey, Ewing, USA
  2. Department of Civil, Environmental, and Construction Engineering, Texas Tech University, Lubbock, USA