"Something you know," in the form of passwords, has been the cornerstone of authentication for some time; however, the inability to survive replay attacks threatens this state of affairs. While "something you know" may always be used in addition to "something you have," we examine whether it can be salvaged as the sole factor for authentication. A recent surge of interest in challenge-response authentication schemes raises the question of whether a secret shared between the user and the server can allow secure access even in the presence of spyware.

Our conclusion is negative. Assuming only a limit on the amount that a user can remember and calculate, we find that any scheme likely to be usable is too easily brute-forced if the attacker observes several logins. This is true irrespective of the details of the scheme. The vital parameter is the number of bits of the secret involved in each bit of the response. When this number is too low, the scheme is easily brute-forced, but making it high makes the scheme unworkable for the user. Our conclusion is that single-factor "something you know" schemes have a fundamental weakness unless the number of logins the attacker observes can be restricted.
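The abstract's "vital parameter" can be made concrete with a toy model. The following is an added example, not code from the paper or its authors: it constructs a small challenge-response scheme in which each response bit is the strict majority of k masked secret bits (the majority function, the bit length n = 12, k = 3 versus k = n, and the numbers of logins and questions are all assumptions chosen for illustration), records the transcript an observer of several logins would hold, and then counts how many candidate secrets remain consistent with it and how much search work that took. With small k the search prunes almost immediately; with k = n nothing can be checked until all n bits are guessed, so the observer must walk the whole 2^n space, which is exactly the regime the abstract says is unworkable for the user.

```python
import random

# Toy challenge-response scheme, constructed for this example (not the paper's):
# the shared secret is an n-bit string; each challenge question names k secret
# positions and a random n-bit mask, and the user answers with one bit, the
# strict majority of (secret bit XOR mask bit) over those k positions.
# k is the "number of secret bits involved in each response bit".

def answer(secret, positions, mask):
    """The user's computation for one question: strict majority of masked bits."""
    ones = sum(secret[p] ^ mask[p] for p in positions)
    return 1 if 2 * ones > len(positions) else 0

def observe_logins(secret, k, logins, questions_per_login, rng):
    """Return the (positions, mask, response) triples spyware would record."""
    n = len(secret)
    seen = []
    for _ in range(logins):
        for _ in range(questions_per_login):
            positions = tuple(rng.sample(range(n), k))
            mask = tuple(rng.randrange(2) for _ in range(n))
            seen.append((positions, mask, answer(secret, positions, mask)))
    return seen

def brute_force(n, observations):
    """Enumerate every secret consistent with the observations by backtracking.

    Secret bits are assigned in the order they first appear in the transcript,
    and an observation is checked as soon as all of its k positions have been
    assigned. Small k therefore prunes early; k == n forces a full 2^n walk.
    Returns (consistent_secrets, nodes_visited).
    """
    order = []
    for positions, _, _ in observations:
        for p in positions:
            if p not in order:
                order.append(p)
    order += [p for p in range(n) if p not in order]      # bits never asked about
    rank = {p: i for i, p in enumerate(order)}
    # ready[d]: observations fully assigned once the bit at depth d is chosen
    ready = [[] for _ in range(n)]
    for obs in observations:
        ready[max(rank[p] for p in obs[0])].append(obs)

    assignment = [None] * n
    consistent = []
    nodes = 0

    def search(depth):
        nonlocal nodes
        nodes += 1
        if depth == n:
            consistent.append(tuple(assignment))
            return
        p = order[depth]
        for bit in (0, 1):
            assignment[p] = bit
            if all(answer(assignment, pos, mask) == resp
                   for pos, mask, resp in ready[depth]):
                search(depth + 1)
        assignment[p] = None

    search(0)
    return consistent, nodes

def run_experiment(n=12, logins=10, questions_per_login=4, seed=1):
    """Same secret and same number of observed logins, low k versus k == n."""
    rng = random.Random(seed)
    secret = tuple(rng.randrange(2) for _ in range(n))   # constructed secret
    results = {}
    for k in (3, n):
        obs = observe_logins(secret, k, logins, questions_per_login,
                             random.Random(seed + k))
        consistent, nodes = brute_force(n, obs)
        results[k] = {"candidates": len(consistent), "nodes": nodes,
                      "secret_found": secret in consistent}
    return secret, results

if __name__ == "__main__":
    secret, results = run_experiment()
    for k, r in results.items():
        print(f"k={k:2d}: {r['candidates']} candidate secret(s) left, "
              f"{r['nodes']} search nodes visited")
```

The real secret is always among the survivors, so the candidate count is what the observed logins have left the attacker to guess. Changing `logins` shows the other half of the abstract's argument: with k small, a handful of observed logins already collapses the candidate set, which is why restricting how many logins an attacker can watch is the only lever left.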