On The Limitation of Some Fully Observable Multiple Session Resilient Shoulder Surfing Defense Mechanisms
Using a password-based authentication technique, a system maintains the login
credentials (username, password) of its users in a password file. Once the
password file is compromised, an adversary obtains both login credentials.
With the advancement of technology, even if a password is maintained in hashed
format, the adversary can still invert the hashed password to get the
original one. To mitigate this threat, most systems nowadays store some
system-generated fake passwords (also known as honeywords) along with the
original password of a user. This type of setup confuses an adversary while
selecting the original password. If the adversary chooses any of these
honeywords and submits it as a login credential, then the system detects the
attack. A large number of significant works have been done on designing
methodologies (identified as ) that can
protect passwords against observation, or shoulder surfing, attacks. Under this
attack scenario, an adversary observes (or records) the login information
entered by a user and later uses those credentials to impersonate the genuine
user. In this paper, we have shown that because of their design principle, a
large subset of (identified as
) cannot afford to store honeywords in the
password file. Thus these methods, belonging to
, are unable to provide any kind of
security once the password file gets compromised. Through our contribution in
this paper, by still using the concept of honeywords, we have proposed a few
generic principles to mask the original password of
category methods. We also consider a few
well-established methods like S3PAS, CHC, PAS and COP belonging to
, to show that the proposed idea is
implementable in practice.
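The honeyword setup the abstract describes, as an added illustration that is not code from the paper: the password file holds salted hashes of the real password mixed with decoys (the sweetwords), and only a separate honeychecker knows which index is genuine, so a login that matches a decoy raises an alarm. The honeyword list, the PBKDF2 hashing and the class names are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets

# Hashing parameters are an assumption for the example (lowered iteration count for speed).
def hash_sweetword(word: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 20_000)

class Honeychecker:
    """Models a separate, hardened server that stores only the index of the
    real password per user, so a stolen password file alone reveals nothing."""
    def __init__(self) -> None:
        self._index: dict[str, int] = {}

    def set_index(self, user: str, idx: int) -> None:
        self._index[user] = idx

    def is_real(self, user: str, idx: int) -> bool:
        return self._index.get(user) == idx

class PasswordFile:
    """The login server's password file: (salt, list of sweetword hashes) per user."""
    def __init__(self, checker: Honeychecker) -> None:
        self.rows: dict[str, tuple[bytes, list[bytes]]] = {}
        self.checker = checker

    def register(self, user: str, password: str, honeywords: list[str]) -> None:
        sweetwords = list(honeywords) + [password]
        secrets.SystemRandom().shuffle(sweetwords)   # hide the real one's position
        salt = os.urandom(16)
        self.rows[user] = (salt, [hash_sweetword(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))

    def login(self, user: str, submitted: str) -> str:
        """Returns 'ok' for the real password, 'alarm' if a honeyword was
        submitted (password file likely compromised), 'fail' otherwise."""
        salt, hashes = self.rows[user]
        digest = hash_sweetword(submitted, salt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(digest, stored):
                return "ok" if self.checker.is_real(user, idx) else "alarm"
        return "fail"

def demo() -> tuple[str, str, str]:
    pf = PasswordFile(Honeychecker())
    # Constructed sample: one real password and three system-generated decoys.
    pf.register("alice", "Tr0ub4dor&3", ["Tr0ub4dor&1", "Tr0ub4dor&7", "Troub4dor&3"])
    return pf.login("alice", "Tr0ub4dor&3"), pf.login("alice", "Tr0ub4dor&7"), pf.login("alice", "nope")
```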