Steven M. Bellovin, Michael Merritt,
Augmented Encrypted Key Exchange: a Password-Based Protocol
Secure Against Dictionary Attacks and Password File
Abstract: The encrypted key exchange (EKE) protocol is augmented so that hosts do not store cleartext passwords. Consequently, adversaries who obtain the one-way encrypted password file may (i) successfully mimic (spoof) the host to the user, and (ii) mount dictionary attacks against the encrypted passwords, but cannot mimic the user to the host. Moreover, the im- portant security properties of EKE are preservedan active network attacker obtains insufficient information to mount dictionary attacks. Two ways to accomplish this are shown, one using digital signatures and one that relies on a family of commutative one-way functions.
Daniel V. Klein,
"Foiling the Cracker": A Survey of, and Improvements to, Password
Abstract: With the rapid burgeoning of national and international networks, the question of system security has become one of growing importance. High speed inter-machine communication and even higher speed computational processors have made the threats of system ``crackers,'' data theft, data corruption very real. This paper outlines some of the problems of current password security by demonstrating the ease by which individual accounts may be broken. Various techniques used by crackers are outlined, and finally one solution to this point of system vulnerability, a pro-active password checker, is proposed.
How to run a secure lottery
Abstract: Changing from the normal to a "security-enhanced" version of an application requires each user to expend a moderate amount of effort to learn how to operate the new program. The paper proposes that security enhanced applications be introduced in the form of a game. The intrinsic interest of playing the game will act as an inducement to read the manuals and work out how to run the software.
A Simple Scheme to Make Passwords Based on One-Way Functions Much
Harder to Crack
Keywords: password, cracking passwords, crack
Abstract: We present a simple scheme that makes guessing passwords based on one-way functions 100 to 1000 times harder. The scheme is easy to program and easy to incrementally add to existing schemes. In particular, there is no need to switch to it all at the same time. Old passwords will still work and have the same security as before (one will not be able to distinguish them from new passwords); newly-entered passwords will become much more secure. The new scheme is independent of the one-way function used and does not require changing any part of the encryption mechanism.
Robert Morris, Ken Thompson,
Password Security: A Case History
Abstract: This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use.
Observing Reusable Password Choices
Abstract: The OPUS project being conducted at Purdue is an attempt to screen users' selection of passwords to prevent poor choices. The focus of the project is on using screening methods that are both time and space-efficient and to provide a mechanism that is effective for workstations with little or no disk as well as mainframes. To test this mechanism, it requires a representative sample of real passwords choices as they made by users. The challenge of such a sampling mechanism is how to protect it from attack, and how to protect the results from being used against the system. This paper discusses our approach, and some of our initial observations on the words collected.
OPUS: Preventing Weak Password Choices
Abstract: This paper describes a space-efficient method of storing a dictionary of words that are not allowed as password choices. Look ups in the dictionary are O(1)(constant time) no matter how many words are in the dictionary. The mechanism described has other interesting features, a few of which are described here.
H. Spafford, Stephen
User Authentication and Related Topics: An Annotated
Abstract: This bibliography is the result of the author's examination of the current state of user authentication, with an emphasis on password authentication.
Built by Mark Crosbie and Ivan Krsul.
Security Archive Homepage.
COAST Project (CERIAS)Page.
Purdue CS Dept page.