2015 | Book

Technology and Practice of Passwords

International Conference on Passwords, PASSWORDS'14, Trondheim, Norway, December 8-10, 2014, Revised Selected Papers

About this book

This book constitutes the thoroughly refereed post-conference proceedings of the 7th International Conference on Passwords, PASSWORDS 2014, held in Trondheim, Norway, in December 2014. The 8 revised full papers presented together with 2 revised short papers were carefully reviewed and selected from 30 initial submissions. The papers are organized in topical sections on hash functions, usability, analyses and new techniques.

Table of Contents

Frontmatter

Hash Functions

Overview of the Candidates for the Password Hashing Competition and Their Resistance Against Garbage-Collector Attacks
Abstract
In this work we provide an overview of the candidates of the Password Hashing Competition (PHC) regarding their functionality, e.g., client-independent update and server relief, their security, e.g., memory-hardness and side-channel resistance, and their general properties, e.g., memory usage and flexibility of the underlying primitives. Furthermore, we formally introduce two kinds of attacks, called Garbage-Collector and Weak Garbage-Collector Attack, exploiting the memory management of a candidate. Note that we consider all candidates which are not yet withdrawn from the competition.
Christian Forler, Eik List, Stefan Lucks, Jakob Wenzel
On Password Guessing with GPUs and FPGAs
Abstract
Passwords are still by far the most widely used form of user authentication, for applications ranging from online banking or corporate network access to storage encryption. Password guessing thus poses a serious threat for a multitude of applications. Modern password hashes are specifically designed to slow down guessing attacks. However, having exact measures for the rate of password guessing against determined attackers is non-trivial but important for evaluating the security for many systems. Moreover, such information may be valuable for designing new password hashes, such as in the ongoing password hashing competition (PHC).
In this work, we investigate two popular password hashes, bcrypt and scrypt, with respect to implementations on non-standard computing platforms. Both functions were specifically designed to only allow slow-rate password derivation and, thus, guessing rates. We develop a methodology for fairly comparing different implementations of password hashes, and apply this methodology to our own implementation of scrypt on GPUs, as well as existing implementations of bcrypt and scrypt on GPUs and FPGAs.
Markus Dürmuth, Thorsten Kranz
Cryptographic Module Based Approach for Password Hashing Schemes
Abstract
Password hashing is the technique of performing a one-way transformation of the password. One of the requirements of password hashing algorithms is to be memory demanding to provide defense against hardware attacks. In practice, most cryptographic designs are implemented inside a cryptographic module, as suggested by NIST in a set of standards (FIPS 140). A cryptographic module has limited memory, and this makes it challenging to implement a password hashing scheme (PHS) inside it.
In this work, we propose a novel approach to allow a limited memory cryptographic module to be used in the implementation of a high memory password hashing algorithm. We also analyze all the first round entries of the Password Hashing Competition (PHC) to evaluate the suitability of the submitted algorithms to be implemented with a Cryptographic module. We graphically show that the submissions to the PHC can be securely implemented in a crypto-module following our suggestion. To the best of our knowledge, this is the first attempt in the direction of secure implementation of password hashing algorithms.
Donghoon Chang, Arpan Jati, Sweta Mishra, Somitra Kumar Sanadhya

Usability

Password-Manager Friendly (PMF): Semantic Annotations to Improve the Effectiveness of Password Managers
Abstract
Subtle and sometimes baffling variations in the implementation of password-based authentication are widespread on the web. Despite being imperceptible to end users, such variations often require that password managers implement complex heuristics in order to act on the user’s behalf. These heuristics are inherently brittle. As a result, password managers are unnecessarily complex and yet they still occasionally fail to work properly on some websites. In this paper we propose PMF, a specification of simple semantic labels for password-related web forms. These semantic labels allow a software agent such as a password manager to extract meaning, such as which site the login form is for and what field in the form corresponds to the username. Our spec also allows the agent to generate a strong password on the user’s behalf. PMF reduces a password manager’s dependency on complex heuristics, making its operation more effective and dependable and bringing usability and security advantages to users and website operators.
Frank Stajano, Max Spencer, Graeme Jenkinson, Quentin Stafford-Fraser
charPattern: Rethinking Android Lock Pattern to Adapt to Remote Authentication
Abstract
Android Lock Pattern is popular as a screen lock method on mobile devices, but it cannot be used directly over the Internet for user authentication. In our work, we carefully adapt Android Lock Pattern to satisfy the requirements of remote authentication and introduce a new pattern-based method called charPattern. Our new method allows dual-mode input (typing a password and drawing a pattern), hence accommodating users who log in alternately with a physical keyboard and a touchscreen device. It uses persuasive technology to create strong passwords which withstand attacks involving up to \(10^6\) guesses, an amount many experts believe sufficient against online attacks. We conduct a hybrid lab and web study to evaluate the usability of the new method and observe that logins with charPattern are significantly faster than the ones with text passwords on mobile devices.
Kemal Bicakci, Tashtanbek Satiev

Analyses

Unrevealed Patterns in Password Databases Part One: Analyses of Cleartext Passwords
Abstract
In this paper we present regression-based analyses of cleartext passwords, moving towards an efficient password cracking methodology. Hundreds of available databases were examined, and it was observed that they had similar behavior regardless of their size: password length distribution, entropy, and letter frequencies form similar characteristics in each database. Exploiting these characteristics, a huge number of cleartext passwords were analyzed in order to be able to design more sophisticated brute-force attack methods. New patterns are exposed by analyzing millions of cleartext passwords.
Norbert Tihanyi, Attila Kovács, Gergely Vargha, Ádám Lénárt
Gathering and Analyzing Identity Leaks for Security Awareness
Abstract
The amount of identity data leaks in recent times is drastically increasing. Not only smaller web services, but also established technology companies are affected. However, it is not commonly known that incidents covered by the media are just the tip of the iceberg. Accordingly, a more detailed investigation of not just publicly accessible parts of the web but also the deep web is imperative to gain greater insight into the large number of data leaks. This paper presents methods and experiences of our deep web analysis. We give insight into commonly used platforms for data exposure, formats of identity-related data leaks, and the methods of our analysis. On the one hand, a lack of security implementations among Internet service providers exists, and on the other hand, users still tend to generate and reuse weak passwords. By publishing our results we aim to increase awareness on both sides and the establishment of countermeasures.
David Jaeger, Hendrik Graupner, Andrey Sapegin, Feng Cheng, Christoph Meinel

New Techniques

PassCue: The Shared Cues System in Practice
Abstract
Shared Cues is a password management system proposed by Blocki, Blum and Datta at Asiacrypt 2013. Unlike the majority of password management systems, Shared Cues passwords are never stored, even on the management device. The idea of the Shared Cues system is to help users choose and remember passwords in a manner proven to avoid brute-force searching under reasonable assumptions.
Blocki et al. analysed Shared Cues theoretically but did not describe any practical tests. We report on the design and implementation of an iOS application based on Shared Cues, which we call PassCue. This enables us to consider the practicality of Shared Cues in the real world and address important issues of user interface, parameter choices and applicability on popular web sites. PassCue demonstrates that the Shared Cues password management system is usable and secure in practice as well as in theory.
Mats Sandvoll, Colin Boyd, Bjørn B. Larsen
Private Password Auditing (Short Paper)
Abstract
Passwords are the foremost means to achieve data and computer security. Hence, choosing a strong password which may withstand dictionary attacks is crucial. In order to ensure that strong passwords are chosen, system administrators often rely on password auditors to filter weak password digests. Several tools aimed at preventing digest misuse have been designed to aid auditors in their task. We however show that the objective remains a far cry, as these tools essentially reveal the digests corresponding to weak passwords. As a case study, we discuss the issues with Blackhash, and develop the notion of Private Password Auditing — a mechanism that does not require a system administrator to reveal password digests to an external auditor and, symmetrically, the dictionaries remain private to the auditor. We further present constructions based on Private Set Intersection and its variant, and evaluate a proof-of-concept implementation against real-world dictionaries.
Amrit Kumar, Cédric Lauradoux
SAVVIcode: Preventing Mafia Attacks on Visual Code Authentication Schemes (Short Paper)
Abstract
Most visual code authentication schemes in the literature have been shown to be vulnerable to relay attacks: the attacker logs into the victim’s “account A” using credentials that the victim provides with the intent of logging into “account B”. Visual codes are not human-readable and therefore the victim cannot distinguish between the codes for A and B; on the other hand, codes must be machine-readable in order to automate the login process. We introduce a new type of visual code, the SAVVIcode, that contains an integrity-validated human-readable bitmap. With SAVVIcode, attackers have a harder time swapping visual codes surreptitiously because the integrity check prevents them from modifying or hiding the human-readable distinguisher.
Jonathan Millican, Frank Stajano
Backmatter
Metadata

Title: Technology and Practice of Passwords
Editor: Stig F. Mjølsnes
Copyright Year: 2015
Electronic ISBN: 978-3-319-24192-0
Print ISBN: 978-3-319-24191-3
DOI: https://doi.org/10.1007/978-3-319-24192-0