Towards a metric for recognition-based graphical password security
Recognition-based graphical password (RBGP) schemes are not easily compared in terms of security. Current research uses many different measures, which results in confusion as to whether RBGP schemes are secure against guessing and capture attacks. If it were possible to measure all RBGP schemes in a common way, it would allow easy comparison between them and selection of the most secure design. This paper presents a discussion of potential attacks against RBGP authentication schemes. As a result of this examination, a preliminary measure of the security of a recognition-based scheme is presented. The security measure is a 4-tuple based on distractor selection, shoulder surfing, intersection and replay attacks. It is intended as an initial proposal and is designed to be extensible and adjustable as further research in the area develops. Finally, an example is provided by applying the measure to the PassFaces scheme.
Password Cracking and Countermeasures in Computer Security: A Survey
With the rapid development of Internet technologies, social networks, and other related areas, user authentication has become more and more important for protecting users' data. Password authentication is one of the most widely used methods of authenticating legitimate users and defending against intruders. Many password cracking methods have been developed over the past years, and countermeasures against password cracking have been designed all the while. However, we find that little survey work has been done on password cracking research. This paper gives a brief review of password cracking methods, the key technologies of password cracking, and the countermeasures against password cracking, which are usually designed at two stages: the password design stage (e.g. user education, dynamic passwords, use of tokens, computer-generated passwords) and after design (e.g. reactive password checking, proactive password checking, password encryption, access control). The main objective of this work is to offer novice IT security professionals and general audiences some knowledge about computer security and password cracking, and to promote the development of this area.

Comment: add copyright to the tables to the original authors, add acknowledgement to helpe
A Protected Single Sign-On Technique Using 2D Password in Distributed Computer Networks
Single Sign-On (SSO) is a new authentication mechanism that enables a legitimate user with a single credential to be authenticated by multiple service providers in a distributed computer network. Recently, a new SSO scheme providing a well-organized security argument failed to meet credential privacy and soundness of authentication. The main goal of this project is to provide security using a Single Sign-On scheme that meets at least three basic security requirements, i.e., unforgeability, credential privacy, and soundness. User identification is an important access control mechanism for client–server networking architectures. The concept of Single Sign-On allows legitimate users to use a unitary token to access different service providers in distributed computer networks. To overcome a few drawbacks, such as failing to preserve user anonymity when possible attacks occur and the extensive overhead costs of time-synchronized mechanisms, we propose a secure Single Sign-On mechanism that is efficient, secure, and suitable for mobile devices in distributed computer networks. In a real-life application, the mobile user can use a mobile device, e.g., a cell phone, with the unitary token to access multiple services, such as downloading music or receiving and replying to electronic mail. Our scheme is based on one-way hash functions and random nonces to solve the weaknesses described above and to decrease the overhead of the system. The proposed scheme is more secure with two types of password, namely a text password and a graphical password, referred to together as a 2D password, in distributed computer networks, which yields a more efficient system that consumes less energy. The proposed system has less communication overhead. It eliminates the need for time synchronization, and there is no need to hold multiple passwords for different services.
Combating shoulder-surfing: a hidden button gesture based scheme
This project describes an authentication technique that is shoulder-surfing resistant. Shoulder surfing is an attack in which an attacker gains access to private information by observing the user's interaction with a terminal, or by using recording tools to record the user interaction and study the obtained data, with the objective of obtaining unauthorized access to a target user's personal information. The technique described here relies on gestural analysis coupled with a secondary channel of authentication that uses button pressing. The thesis presents and evaluates multiple alternative algorithms for gesture analysis, and furthermore assesses the effectiveness of the technique.

Universidade da Madeir
Charpattern : Rethinking android lock pattern to adapt to remote authentication
Android Lock Pattern is popular as a screen lock method on mobile devices, but it cannot be used directly over the Internet for user authentication. In this thesis, we carefully adapt Android Lock Pattern to satisfy the requirements of remote authentication and introduce a new pattern-based method called charPattern. Our new method allows a dual mode of input (typing a password and drawing a pattern), hence accommodating users who log in alternately with a physical keyboard and a touchscreen device. It uses persuasive technology to create strong passwords which withstand attacks involving up to 10^6 guesses, an amount many experts believe sufficient against online attacks. We conduct a hybrid lab and web study to evaluate the usability of the new method and observe that logins with charPattern are significantly faster than those with text passwords on mobile devices.
PALPAS - PAsswordLess PAssword Synchronization
Tools that synchronize passwords over several user devices typically store the encrypted passwords in a central online database. For encryption, a low-entropy, password-based key is used. Such a database may be subject to unauthorized access, which can lead to the disclosure of all passwords by an offline brute-force attack. In this paper, we present PALPAS, a secure and user-friendly tool that synchronizes passwords between user devices without storing information about them centrally. The idea of PALPAS is to generate a password from a high-entropy secret shared by all devices and a random salt value for each service. Only the salt values are stored on a server, not the secret. The salt enables the user devices to generate the same password but is statistically independent of the password. In order for PALPAS to generate passwords according to different password policies, we also present a mechanism that automatically retrieves and processes the password requirements of services. PALPAS users need only memorize a single password, and the setup of PALPAS on a further device demands only a one-time transfer of a few static data items.

Comment: An extended abstract of this work appears in the proceedings of ARES 201