ByPass: Reconsidering the Usability of Password Managers
Since passwords are an unavoidable mechanism for authenticating to online services, experts often recommend using a password manager for better password security. However, adoption of password managers is low due to poor usability, the difficulty of migrating accounts to a manager, and users' sense that a manager will not add value. In this work, we present ByPass, a novel password manager that is placed between the user and the website, enabling secure and direct communication between the manager and websites. This direct communication allows ByPass to minimize the user actions needed to complete various password management tasks, including account registration, logins, and password changes. ByPass is designed to minimize errors and improve usability. Our goal is to create a space where security can be the users' primary task, allowing them to focus cleanly and consistently on account management tasks. The constancy of the ByPass interface is intended to give users a greater sense of control over their passwords and accounts. By using the API to move account interactions into this space, we hope to create an interface where users know where to address security concerns and can access the controls to address them. Current password managers hint at this functionality (and include innovative tools, such as security audits), but their placement outside the authentication interaction hampers the functionality they are able to support.
We conducted a usability evaluation of ByPass and found that this approach shows promising usability, and can help users to better manage their accounts in a secure manner.
We also conducted a security analysis of ByPass and showed the security improvements that can be achieved when websites expose an API to password managers. Our study shows that many known security vulnerabilities can be eradicated from the foundation of password managers, and that significant usability can be gained with the inclusion of API support for password managers.
Examination of a New Defense Mechanism: Honeywords
It has become much easier to crack a password hash with the advances in graphical processing unit (GPU) technology. An adversary can recover a user's password using a brute-force attack on the password hash. Once the password has been recovered, no server can detect the illegitimate user authentication (if no extra mechanism is used). In this context, Juels and Rivest recently published a paper on improving the security of hashed passwords. Roughly speaking, they propose an approach to user authentication in which some false passwords, i.e., "honeywords", are added to a password file in order to detect impersonation. Their solution includes an auxiliary secure server called the "honeychecker", which can distinguish a user's real password from her honeywords and immediately sets off an alarm whenever a honeyword is used. In this paper, we analyze the security of the proposal, provide some possible improvements which are easy to implement, and introduce an enhanced model as a solution to an open problem.
Password typo correction using discrete logarithms
As passwords remain the main online authentication method, focus has shifted from naive entropy to how usability improvements can increase security. Chatterjee et al. recently introduced the first two typo-tolerant password checkers, which improve usability at no security cost but are technically complex. We look at the more general problem of computing an edit distance between two strings without having direct access to those strings, by storing the equivalent of a hash. We propose a simpler algorithm for this problem that is asymptotically quasi-optimal in both bits stored and bits exchanged, at the cost of more computation on the server.
Innovative Remote user Authentication Protocol for Multi-Server Structural Design Based on ECC
We have reached an era where preferred web services are accessible over the network at the click of a button. In such a setting, remote user authentication plays the largest part in determining the genuine users of a web service on the World Wide Web. Researchers have proposed a number of password-based authentication schemes that depend on a single server for authentication. However, with remarkable improvements in technology, it is feasible to involve several web servers in authenticating clients in order to obtain stronger protection. In this paper, we propose an efficient password-based authentication protocol for a multi-server architecture. The scheme provides mutual authentication using a smart card and is based on Elliptic Curve Cryptography, thus offering strong security at low cost. In 2011, Sood et al. proposed a multi-server architecture protocol using smart cards. In this paper, we enhance Sood et al.'s scheme by improving its security and reducing its computation cost. The protocol follows the idea of dynamic identity, uses a nonce-based mechanism, and has no time synchronization problem.
DOI: 10.17762/ijritcc2321-8169.15062
State of Alaska Election Security Project Phase 2 Report
Alaska's election system is among the most secure in the country, and it has a number of safeguards other states are now adopting. But the technology Alaska uses to record and count votes could be improved, and the state's huge size, limited road system, and scattered communities also create special challenges for ensuring the integrity of the vote. In this second phase of an ongoing study of Alaska's election security, we recommend ways of strengthening the system, not only the technology but also the election procedures. The lieutenant governor and the Division of Elections asked the University of Alaska Anchorage to do this evaluation, which began in September 2007.
Lieutenant Governor Sean Parnell. State of Alaska Division of Elections.
Contents: List of Appendices / Glossary / Study Team / Acknowledgments / Introduction / Summary of Recommendations / Part 1 Defense in Depth / Part 2 Fortification of Systems / Part 3 Confidence in Outcomes / Conclusions / Proposed Statement of Work for Phase 3: Implementation / Reference
Password Cracking and Countermeasures in Computer Security: A Survey
With the rapid development of internet technologies, social networks, and other related areas, user authentication becomes more and more important to protect users' data. Password authentication is one of the most widely used methods to authenticate legitimate users and defend against intruders. Many password cracking methods have been developed over the past years, and people have been designing countermeasures against password cracking all along. However, we find that little survey work on password cracking research has been done. This paper gives a brief review of password cracking methods, the important technologies of password cracking, and the countermeasures against password cracking, which are usually designed at two stages: the password design stage (e.g. user education, dynamic passwords, use of tokens, computer-generated passwords) and after the design (e.g. reactive password checking, proactive password checking, password encryption, access control). The main objective of this work is to offer novice IT security professionals and general audiences some knowledge about computer security and password cracking, and to promote the development of this area.
Comment: add copyright to the tables to the original authors, add acknowledgement to helpe
Comments on two password based protocols
Recently, M. Hölbl et al. and I. E. Liao et al. each proposed a user authentication protocol. Both claimed that their schemes can withstand password guessing attacks. However, T. Xiang et al. pointed out that I. E. Liao et al.'s protocol suffers from three kinds of attacks, including password guessing attacks. We present an improved protocol that resists password guessing attacks. In this paper, we first point out the security loopholes of M. Hölbl et al.'s protocol and review T. Xiang et al.'s cryptanalysis of I. E. Liao et al.'s protocol. Then, we present improvements to M. Hölbl et al.'s protocol and I. E. Liao et al.'s protocol, respectively.