Improving Usability Through Password-Corrective Hashing

Mehler, Andrew; Skiena, Steven

doi:10.1007/11880561_16

Cited by 10 publications

(3 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On the input error side, there is password-corrective hashing [21]. In this approach hash functions map similar passwords to the same output, for example, passwords that differ with respect to character transpositions and substitutions.…”

Section: B Client-side Mechanismsmentioning

confidence: 99%

Knock Yourself Out: Secure Authentication with Short Re-Usable Passwords

Güldenring

Röth

Ries

2015

Proceedings 2015 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

We present Knock Yourself Out (KYO), a password generator that enables secure authentication against a computationally unbounded adversary. Master passwords can be surprisingly short and may be re-used for multiple service accounts even in the event of client compromises and multiple server compromises. At the same time, KYO is transparent to service operators and backwards-compatible. Master passwords are fully client-manageable while secrets shared with service operators can be kept constant. Likewise, secrets can be changed without having to change one's passwords. KYO does not rely on collision-resistant hash functions and can be implemented with fast non-cryptographic hash functions. We detail the design of KYO and we analyze its security mathematically in a random hash function model. In our empirical evaluation we find that KYO remains secure even if small sets of hash functions are used instead, in other words, KYO requires minimal storage and is highly practical. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: B Client-side Mechanismsmentioning

confidence: 99%

Knock Yourself Out: Secure Authentication with Short Re-Usable Passwords

Güldenring

Röth

Ries

2015

Proceedings 2015 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Several proposals have been made reduce the rate of errors, either by storing multiple hashes of a passphrase to recognise entry of nearly-correct strings [16,2] or by providing visual feedback to allow a user to notice typos when they are made [18]. Passphrases may in fact be more usable in the context of mobile phones, which have input interfaces optimised for natural language and not for pseudorandom character strings [10].…”

Section: Introductionmentioning

confidence: 99%

Linguistic Properties of Multi-word Passphrases

Bonneau

Shutova

2012

Financial Cryptography and Data Security

View full text Add to dashboard Cite

Abstract. We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon's registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three-or fourword phrases for which we see rapidly diminishing returns.

show abstract

“…(In contrast, spell-correction functionality is typically disabled on password entry, as historical policies and practices discourage use of dictionary words as passwords.) Earlier proposals allowing variability in how passwords are entered include the pass-sentences of Spector et al [40] which focus on semantic meaning allowing variable syntactic representation, the password-corrective hashing of Mehler and Skiena [29], and order-independent and errortolerant passphrases by Bard [2]; see also Brown [8], and Jakobsson's more recent fastword multi-word proposal [23].…”

mentioning

confidence: 99%

A multi-word password proposal (gridWord) and exploring questions about science in security research and usable security evaluation

Biçakcı

Oorschot

2011

Proceedings of the 2011 New Security Paradigms Workshop

View full text Add to dashboard Cite

Our agenda is two-fold. First, we introduce and give a technical description of gridWord, a novel knowledge-based authentication mechanism involving elements of both text and graphical passwords. It is intended to address a new research challenge arising from the evolution of Internet access devices, and which may arguably be viewed as motivating a new paradigm: remote access password schemes which accommodate users who alternately login from devices with, and without, full physical keyboards (e.g., users alternating between desktops with easy text input, and mobile devices with tiny or touch-screen virtual keyboards). While the core ideas behind gridWord are well-formed, and may be viewed as a new variation of old (text-based) ideas of building passwords from multiple words, many aspects including recommended parameterization and configuration details, preferred platforms, and primary targets of application remain to be explored in detail. We nonetheless solicit early feedback from the community for several reasons, related to our second agenda item: we use gridWord as a concrete target to focus exploration of a number of questions involving (a) the evaluation of usable security proposals, (b) the often conflicting objectives of various parties involved in the publication of academic research, and (c) the relationship between the design and publication of new security mechanisms and the pursuit of scientific knowledge through experimentation. We believe the second agenda item is important to pursue, given our observation that experts in usability and security have widely varying expectations, and lack consensus on what is important for the evaluation, comparison, and publication of usable security proposals.

show abstract

Improving Usability Through Password-Corrective Hashing

Cited by 10 publications

References 6 publications

Knock Yourself Out: Secure Authentication with Short Re-Usable Passwords

Knock Yourself Out: Secure Authentication with Short Re-Usable Passwords

Linguistic Properties of Multi-word Passphrases

A multi-word password proposal (gridWord) and exploring questions about science in security research and usable security evaluation

Contact Info

Product

Resources

About