Improving system security via proactive password checking

Bishop, Matt; Klein, Daniel V.

doi:10.1016/0167-4048(95)00003-q

Cited by 120 publications

(82 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Weak passwords is also a widely known problem. The strength of user-chosen passwords against password guessing attacks has been studied since the early times of password-based authentication [8], [56], [40] Current techniques for password guessing are Markov models [44], [21], [37] and probabilistic context-free grammars [55]; stateof-the-art tools include John the Ripper [51] and HashCat [52]. Historically, the strength of passwords against guessing attacks has been assessed by using password crackers to find weak passwords [42].…”

Section: Related Workmentioning

confidence: 99%

“…(8), replacing N by the number of logins N h k seen from the ISP (or country) h k , and M by the number M h k of unseen IPs from ISP (or country) h k . The ML estimate of p(h k ) is kept unsmoothed, and it is thus zero for unseen ISPs (or countries).…”

Section: Smoothingmentioning

confidence: 99%

“…Historically, the strength of passwords against guessing attacks has been assessed by using password crackers to find weak passwords [42]. Recently much more precise techniques have been developed [8], [50], [13], [18], [22].…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Who Are You? A Statistical Approach to Measuring User Authenticity

Jain

Freeman²,

Biggio

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

136

View full text Add to dashboard Cite

Abstract-Passwords are used for user authentication by almost every Internet service today, despite a number of wellknown weaknesses. Numerous attempts to replace passwords have failed, in part because changing users' behavior has proven to be difficult. One approach to strengthening password-based authentication without changing user experience is to classify login attempts into normal and suspicious activity based on a number of parameters such as source IP, geo-location, browser configuration, and time of day. For the suspicious attempts, the service can then require additional verification, e.g., by an additional phone-based authentication step. Systems working along these principles have been deployed by a number of Internet services but have never been studied publicly. In this work, we perform the first public evaluation of a classification system for user authentication. In particular:(i) We develop a statistical framework for identifying suspicious login attempts. (ii) We develop a fully functional prototype implementation that can be evaluated efficiently on large datasets. (iii) We validate our system on a sample of real-life login data from LinkedIn as well as simulated attacks, and demonstrate that a majority of attacks can be prevented by imposing additional verification steps on only a small fraction of users. (iv) We provide a systematic study of possible attackers against such a system, including attackers targeting the classifier itself.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Smoothingmentioning

confidence: 99%

See 1 more Smart Citation

Who Are You? A Statistical Approach to Measuring User Authenticity

Jain

Freeman²,

Biggio

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

136

View full text Add to dashboard Cite

show abstract

“…), it does not provide much security, because users typically fail to select crack-resistant passwords. Many users do not know what are good choices for passwords, and those who do know what choices are safe will often select easy-to-remember passwords, such as variations of their own names or meaningful words, because much less effort is required than to generate safe passwords (Bishop & Klein, 1995). Moreover, a user is likely to have more than one account for which a usernamepassword combination is required; having to remember several "nonmeaningful" but crack-resistant passwords will likely require much more effort on the user's part than simply remembering a single safe password.…”

mentioning

confidence: 99%

Improving computer security for authentication of users: Influence of proactive password restrictions

Proctor

Lien

et al. 2002

Behavior Research Methods, Instruments, & Computers

View full text Add to dashboard Cite

“…Pro-active password checking [Bishop and Klein 1995] can help only to a limited degree: On the one hand, the choice of passwords has to be easy and unrestricted enough to make it possible for users to remember their passwords (without having to write them down). This limits the possible entropy in such passwords.…”

Section: Passwordmentioning

confidence: 99%

Secure password-based cipher suite for TLS

Steiner

Bühler²,

Eirich³

et al. 2001

ACM Trans. Inf. Syst. Secur.

View full text Add to dashboard Cite

SSL is the de-facto standard today for securing end-to-end transport on the Internet. While the protocol itself seems rather secure, there are a number of risks that lurk in its use, e.g., in web banking. However, the adoption of password-based key-exchange protocols can overcome some of these problems. We propose the integration of such a protocol (DH-EKE) in the TLS protocol, the standardization of SSL by IETF. The resulting protocol provides secure mutual authentication and key establishment over an insecure channel. It does not have to resort to a PKI or keys and certificates stored on the users computer. Additionally, its integration in TLS is as minimal and non-intrusive as possible.

show abstract

Improving system security via proactive password checking

Cited by 120 publications

References 3 publications

Who Are You? A Statistical Approach to Measuring User Authenticity

Who Are You? A Statistical Approach to Measuring User Authenticity

Improving computer security for authentication of users: Influence of proactive password restrictions

Secure password-based cipher suite for TLS

Contact Info

Product

Resources

About