Revisiting Defenses against Large-Scale Online Password Guessing Attacks

Alsaleh, Mansour; Mannan, Mohammad; Oorschot, Paul C. van

doi:10.1109/tdsc.2011.24

Cited by 71 publications

(35 citation statements)

References 17 publications

(36 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…User devices may be whitelisted by IP addresses, cookies, geolocation services as enabled in popular browsers including Google Chrome 1 and Mozilla Firefox, 2 or through other web-based device fingerprinting mechanisms (see e.g., [34]). Assuming that most legitimate users access their accounts from a relatively fixed set of devices (computers at home or office, or mobile devices), such exemptions from fake sessions may aid usability; similar mechanisms have been explored in prior work (see e.g., [38,1]; more in Section 6). However, to counter guessing attacks from infected whitelisted devices and cookie theft, such exemptions must be limited (e.g., by the number of allowed attempts without fake sessions).…”

Section: Additional Login Help For Legitimate Usersmentioning

confidence: 99%

“…For example, the password guessing resistant protocol (PGRP [1]), where more RTTs are imposed on unknown (possibly attack) machines than known (possibly legitimate) ones; machines are categorized using source IP addresses and cookies. As discussed in Section 3.1.2, item (e), the use of known devices may reduce the number of fake sessions for legitimate users.…”

Section: Related Workmentioning

confidence: 99%

“…As a result, service providers often leave with no option but to deploy more complex captchas. These limitations are known and several proposals in the past attempted to address the security-usability trade-off in captcha schemes (e.g., [38,1]). …”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Explicit authentication response considered harmful

Zhao

Mannan

2013

Proceedings of the 2013 New Security Paradigms Workshop

View full text Add to dashboard Cite

Automated online password guessing attacks are facilitated by the fact that most user authentication techniques provide a yes/no answer as the result of an authentication attempt. These attacks are somewhat restricted by Automated Turing Tests (ATTs, e.g., captcha challenges) that attempt to mandate human assistance. ATTs are not very difficult for legitimate users, but always pose an inconvenience. Several current ATT implementations are also found to be vulnerable to improved image processing algorithms. ATTs can be made more complex for automated software, but that is limited by the trade-off between user-friendliness and effectiveness of ATTs. As attackers gain control of large-scale botnets, relay the challenge to legitimate users at compromised websites, or even have ready access to cheap, sweat-shop human solvers for defeating ATTs, online guessing attacks are becoming a greater security risk. Using deception techniques (as in honeypots), we propose the user-verifiable authentication scheme (Uvauth) that tolerates, instead of detecting or counteracting, guessing attacks. Uvauth provides access to all authentication attempts; the correct password enables access to a legitimate session with valid user data, and all incorrect passwords lead to fake sessions. Legitimate users are expected to learn the authentication outcome implicitly from the presented user data, and are relieved from answering ATTs; the authentication result never leaves the server and thus remains (directly) inaccessible to attackers. In addition, we suggest using adapted distorted images and pre-registered images/text as a complement to convey an authentication response, especially for accounts that do not host much personal data.

show abstract

Section: Additional Login Help For Legitimate Usersmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Explicit authentication response considered harmful

Zhao

Mannan

2013

Proceedings of the 2013 New Security Paradigms Workshop

View full text Add to dashboard Cite

show abstract

“…[1][2]The two most common online password guessing attacks are Brute Force attacks and Dictionary attacks.…”

Section: Introductionmentioning

confidence: 99%

Defences to Curb Online Password Guessing Attacks

Pokkathayil¹,

Rajmane²,

Mhatre³

et al. 2015

International Journal of Advanced Research in Computer and Comm

View full text Add to dashboard Cite

Abstract:In this digital world, where huge amount of information is available online, illegitimate access to sensitive information is on the increase. This information is accessed using online password guessing attacks like brute force and dictionary attacks. In this paper we depict the inadequacy of existing protocols and we propose the Password Guessing Resistant Protocol (PGRP) which can effectively prevent these attacks. The system is very stringent for attackers and at the same time is very user friendly for legitimate users. The system prevents cookie theft related issues as it uses IP addresses to track known and unknown machines. It also makes use of ATTs to conquer the guessing attacks

show abstract

“…Straightforwardly, a typing username and password authentication mechanism can be added on the platform. But this is not reasonable that attacker can easily use brute-force way, or dictionary attack [2] way to guess the password. In addition, biometrics [3], e.g., face [4], voice [5], palmprint [6], finger vein [7], or iris [8] authentication seems to be a good way to protect user privacy information.…”

Section: Introductionmentioning

confidence: 99%

A Two Factor User Authentication Scheme for Medical Registration Platform

Liu¹,

Zhang²,

Zhang³

2013

Proceedings of the 2nd International Conference on Computer Science and Electronics Engineering (ICCSEE 2013)

View full text Add to dashboard Cite

Abstract-This paper proposes a two factors user authentication scheme for Beijing medical registration platform, in order to protect user personal information on the platform. This scheme overcomes the shortcoming that there is no authentication process during user log on the platform. The reason that builds a two factor authentication scheme for the system is that this way is safer than traditional single factor user authentication methods, e.g., typing username and password, or biometric authentication. For the proposed two factor user authentication scheme, we give three different solutions, including SMS-OTP solution, NFC-enabled device solution, and biometrics based solution. Finally, an optimal solution is chosen as the formal one to the platform through comparisons at a different angle among these three solutions.

show abstract

Revisiting Defenses against Large-Scale Online Password Guessing Attacks

Cited by 71 publications

References 17 publications

Explicit authentication response considered harmful

Explicit authentication response considered harmful

Defences to Curb Online Password Guessing Attacks

A Two Factor User Authentication Scheme for Medical Registration Platform

Contact Info

Product

Resources

About