Electronic authentication guideline

Burr, W E; Dodson, D F; Polk, Tim

doi:10.6028/nist.sp.800-63v1.0.1

Cited by 38 publications

(55 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is also echoed by Loge et al's work on a PPC for Android unlock patterns [14], in which they observed that the password strength could be influenced by individual features such as age and gender. (2) to highlight the complexity of password security by externalizing inconsistencies between different PPCs and more advanced attacks on passwords; (3) to engage users actively so that the process of learning is enjoyable, (4) to produce an open system that can be easily executed and customized by users on different platforms. To achieve those design goals, we decided to follow some well-established design principles to design and implement PSV.…”

Section: Related Workmentioning

confidence: 99%

“…The second type covers PPCs. The current version incorporates four PPCs based on the common 1-D bar design: a PPC we developed based on the NIST password entropy [2] as the underlying PSM, the open-source password checker zxcvbn (which has been deployed by Dropbox) [33] 5 , the PPCs used by Microsoft and Yahoo! (for which we implemented our own versions).…”

Section: -D Canvas and Overall Look A 2-d Canvas Is Used As The Conmentioning

confidence: 99%

See 1 more Smart Citation

PSV (Password Security Visualizer): From Password Checking to User Education

Aljaffan

Yuan

2017

Human Aspects of Information Security, Privacy and Trust

View full text Add to dashboard Cite

Abstract. This paper presents the Password Security Visualizer (PSV), an interactive visualization system specifically designed for password security education. PSV can be seen as a reconfigurable "box" containing different proactive password checkers (PPCs) and visualizers of password security information, allowing it to be used like a "many in one" or "hybrid" PPC. PSV can provide many new features that do not exist in traditional PPCs, thus having a greater potential to achieve its goals of educating users. Using purely client-side Web-based technologies, we implemented a prototype of PSV as an open-source software tool on a 2-D animated canvas. To evaluate the actual performance of our implemented PSV prototype against traditional PPCs, we conducted a semistructured interview involving 20 human participants. Our qualitative analysis of the results showed that PSV was considered the most informative and recommended by most participants as a good educational tool. To the best of our knowledge, PSV is the first system combining different PPCs together for user education, and the user study is the first of this kind on comparing educational effectiveness of different PPCs (and PPC-like password security tools such as PSV).

show abstract

Section: Related Workmentioning

confidence: 99%

Section: -D Canvas and Overall Look A 2-d Canvas Is Used As The Conmentioning

confidence: 99%

PSV (Password Security Visualizer): From Password Checking to User Education

Aljaffan

Yuan

2017

Human Aspects of Information Security, Privacy and Trust

View full text Add to dashboard Cite

show abstract

“…Note though, that we have to abort the game after the i-th setup session even if no ciphertext got replaced, as B does not know the secret keys of the honest servers, and thus could not correctly simulate a retrieval for that account. GAME 9 We now change the way the challenger performs the threshold encryption and decryption steps whenever dealing with an account that was created by an honest user with at most t corrupt servers. At setup, the challenger (as honest user) replaces the threshold encryptions C p and C K of p and K , respectively, by encryptions of 1, i.e C p = TEnc tpk (1), C K = TEnc tpk (1).…”

Section: F1 Sequence Of Gamesmentioning

confidence: 99%

“…Storing passwords in hashed form offers hardly any protection due to the efficiency of brute-force offline attacks using dictionaries. According to NIST [9], sixteen-character human-memorizable passwords only have 30 bits of entropy on average. With current graphical processors testing more than three hundred billion passwords per second [33], security must be considered lost as soon as an offline attack against the password data can be performed.…”

Section: Introductionmentioning

confidence: 99%

Memento: How to Reconstruct Your Secrets from a Single Password in a Hostile Environment

Camenisch

Lehmann

Lysyanskaya

et al. 2014

Advances in Cryptology – CRYPTO 2014

View full text Add to dashboard Cite

Passwords are inherently vulnerable to dictionary attacks, but are quite secure if guessing attempts can be slowed down, for example by an online server. If this server gets compromised, however, the attacker can again perform an offline attack. The obvious remedy is to distribute the password verification process over multiple servers, so that the password remains secure as long as no more than a threshold of the servers are compromised. By letting these servers additionally host shares of a strong secret that the user can recover upon entering the correct password, the user can perform further cryptographic tasks using this strong secret as a key, e.g., encrypting data in the cloud. Threshold password-authenticated secret sharing (TPASS) protocols provide exactly this functionality, but the two only known schemes by Bagherzandi et al. (CCS 2011) and Camenisch et al. (CCS 2012) leak the password if a user mistakenly executes the protocol with malicious servers. Authenticating to the wrong servers is a common scenario when users are tricked in phishing attacks. We propose the first t-out-of-n TPASS protocol for any n > t that does not suffer from this shortcoming. We prove our protocol secure in the UC framework, which for the particular case of password-based protocols offers important advantages over property-based definitions, e.g., by correctly modeling typos in password attempts.

show abstract

“…An attacker can identify the correct password pw in a reasonable time by running the program because the password space |D| is usually less than 2 30 as stated in [10].…”

Section: Off-line Dictionary Attacksmentioning

confidence: 99%

Cryptanalysis of a SIP Authentication Scheme

Liu

Koenig

2011

Communications and Multimedia Security

View full text Add to dashboard Cite

Abstract. SIP (Session Initiation Protocol) is becoming the mostly deployed signaling protocol for VoIP (Voice over IP). Security is of utmost importance for its usage due to the open architecture of the Internet. Recently, Yoon et al. proposed a SIP authentication scheme based on elliptic curve cryptography (ECC) that claimed to provide higher security than other schemes. However, as demonstrated in this paper, it is still vulnerable to off-line dictionary and partition attacks.

show abstract

Electronic authentication guideline

Cited by 38 publications

References 0 publications

PSV (Password Security Visualizer): From Password Checking to User Education

PSV (Password Security Visualizer): From Password Checking to User Education

Memento: How to Reconstruct Your Secrets from a Single Password in a Hostile Environment

Cryptanalysis of a SIP Authentication Scheme

Contact Info

Product

Resources

About