Password Cracking and Countermeasures in Computer Security: A Survey

With the rapid development of internet technologies, social networks, and other related areas, user authentication becomes more and more important to protect the data of the users. Password authentication is one of the widely used methods to achieve authentication for legal users and defense against intruders. There have been many password cracking methods developed during the past years, and people have been designing the countermeasures against password cracking all the time. However, we find that the survey work on the password cracking research has not been done very much. This paper is mainly to give a brief review of the password cracking methods, import technologies of password cracking, and the countermeasures against password cracking that are usually designed at two stages including the password design stage (e.g. user education, dynamic password, use of tokens, computer generations) and after the design (e.g. reactive password checking, proactive password checking, password encryption, access control). The main objective of this work is offering the abecedarian IT security professionals and the common audiences with some knowledge about the computer security and password cracking, and promoting the development of this area.Comment: add copyright to the tables to the original authors, add acknowledgement to helpe

A Protection Scheme for MoC-Enabled Smart Cards

The concept of Match-on-Card (MoC) consists of a smart card which receives an applicant's candidate template T to be compared with the stored reference template T_ref by processing the complete matching algorithm during a biometric authentication request. The smart card will then output whether this comparison is positive or not. The main argument against MoC-enabled smart cards is that it opens the way for YesCard (i.e. an attack path previously seen in Banking, a card always returning "yes"). The threat regarding Biometrics is not only YesCard, but also NoCard as we will see in this paper. We will propose a protocol to easily thwart these attacks by using simple cryptographic primitives such as symmetric encryption. This protocol will however only protect the system from malicious smart cards, but will not protect the smart card against malicious systems. Finally we will enhance this protocol to protect the smart card against its use as a so-called oracle to guess the stored reference biometric template

Analysis of real-world passwords for social media sites

Textual passwords have dominated all other entity authentication mechanisms since they were introduced in the early 1960’s. Despite an inherent weakness against social engineering, keylogging, shoulder surfing, dictionary, and brute-force attacks, password authentication continues to grow as the Internet expands. Existing research on password authentication proves that dictionary attacks are successful because users make poor choices when creating passwords. To make passwords easier to remember, users select character strings that are shorter in length and contain memorable content, like personal identity information, common words found in a dictionary, backward spellings of common words, recognizable sequences, and easily guessed mnemonic phrases. A number of these studies identify weaknesses found in passwords on social media sites [1] [2] [3] [4] [5]. However, this body of work fails to explore whether users choose more secure passwords on accounts that protect their professional online identity than they choose on accounts that are used for personal entertainment. In this study, we first cracked passwords from the over 6.4 million unsalted, SHA-1 hashed passwords stolen from the professional, social media site, LinkedIn. Next, we analyzed the length, character set composition, and entropy score of the passwords recovered. Then, we compared our results to the analysis of passwords performed by Weir, et al. on the RockYou! dataset to determine whether professionals protecting their online presence chose wiser passwords than social media site users who play online games. In our analysis we found that the users of the professional, social media site, LinkedIn, chose more secure passwords than the users of the social media gaming site, RockYou!. LinkedIn passwords contained a greater percentage of numbers, special characters, and uppercase letters than RockYou!. We also found that the LinkedIn passwords utilized special characters more frequently, but RockYou! passwords applied special character less predictably

Against spyware using CAPTCHA in graphical password scheme

Text-based password schemes have inherent security and usability problems, leading to the development of graphicalpassword schemes. However, most of these alternate schemes are vulnerable to spyware attacks. We propose a new scheme, using CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) that retaining the advantages of graphical password schemes, while simultaneously raising the cost of adversaries by orders of magnitude. Furthermore, some primary experiments are conducted and the results indicate that the usability should be improved in the future work

Securing Plastic Money Using an RFID Based Protocol Stack

Since 2006, there have been three major systems that have been implemented in an attempt to reduce the threat of credit card fraud - Chip and PIN (United Kingdom), Chip Authentication Program - CAP (European Union), and RFID enabled credit cards (United States of America). In spite of a big effort by the EMV\footnote{EMV Co.: a body comprising of Europay, Mastercard, and Visa which develops standards for credit card interaction.}, there has been little evidence to demonstrate the success of these schemes in stopping fraudsters, scammers, and identity thieves. This may be attributed to combinations of poor usability, lack of trusted interfaces, the absence of smart-card cryptography that takes full advantage of the available computation resources, and inadequate authentication protocols. In this paper, we explain the shortcomings and vulnerabilities of each of these systems, and then explain requirements of a secure and usable cashless payment system. We also describe a new RFID based protocol stack - SECAPS (Secure Cashless Payment System), which obviates many of the attacks on the current schemes by using the newly available computation resources on modern RFID Tags

Provably Secure Identity-Based Remote Password Registration

One of the most significant challenges is the secure user authentication. If it becomes breached, confidentiality and integrity of the data or services may be compromised. The most widespread solution for entity authentication is the password-based scheme. It is easy to use and deploy. During password registration typically users create or activate their account along with their password through their verification email, and service providers are authenticated based on their SSL/TLS certificate. We propose a password registration scheme based on identity-based cryptography, i.e. both the user and the service provider are authenticated by their short-lived identity-based secret key. For secure storage a bilinear map with a salt is applied, therefore in case of an offline attack the adversary is forced to calculate a computationally expensive bilinear map for each password candidate and salt that slows down the attack. New adversarial model with new secure password registration scheme are introduced. We show that the proposed protocol is based on the assumptions that Bilinear Diffie-Hellman problem is computationally infeasible, bilinear map is a one-way function and Mac is existentially unforgeable under an adaptive chosen-message attack

Authentication Methods and Password Cracking

Na začátku této práce porovnáváme dnes běžně používané metody autentizace a také mluvíme o historii, současnosti a budoucnosti zabezpečení hesel. Později využíváme nástroj Hashcat k experimentům s útoky hrubou silou a slovníkovými útoky, které zrychlujeme s pomocí Markovových modelů a pravidel pro manipulaci se slovy. Porovnáváme také dva hardwarové přístupy --- běžný počítač a cloud computing. Nakonec na základě našich poznatků práci uzavíráme souborem doporučení na prolamování hesel s důrazem na hardware, velikost datové sady a použitou hašovací funkci.In the beginning of this thesis, we compare authentication methods commonly used today and dive into the history, state of the art as well as the future of password security. Later on, we use the tool Hashcat to experiment with brute-force and dictionary attacks accelerated with Markov models and word mangling rules. We also compare two hardware approaches --- regular computer and cloud computing. Based on our findings, we finally conclude with a set of password-cracking recommendations with focus on hardware, dataset size and used hash function

Authentication/authorization issues and fulltext document migration for the CERN Document Server

This thesis describes a master degree project, ending studies at Università degli Studi di Milano-Bicocca of Computer Science, Milano. This work has been realized at the European Organization of Nuclear Research (CERN), in Geneva. The aim of the project was to enhance CDS Invenio, a digital library software developed by CERN, in the authentication/authorization area, to develop an automatic migration tool for moving documents from the legacy architecture and to develop an extension to Python in C for solving indexing time issues