Authentication via keystroke dynamics
Proceedings of the 4th ACM conference on Computer and communications security
Password security: a case history
Communications of the ACM
Limitations of the Kerberos authentication system
ACM SIGCOMM Computer Communication Review
UNIX Password Security - Ten Years Later
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
A Fast New DES Implementation in Software
FSE '97 Proceedings of the 4th International Workshop on Fast Software Encryption
Password policy: the good, the bad, and the ugly
WISICT '04 Proceedings of the winter international synposium on Information and communication technologies
An in-depth look at computer performance growth
ACM SIGARCH Computer Architecture News - Special issue: Workshop on architectural support for security and anti-virus (WASSA)
Fast dictionary attacks on passwords using time-space tradeoff
Proceedings of the 12th ACM conference on Computer and communications security
The design and analysis of graphical passwords
SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
A future-adaptive password scheme
ATEC '99 Proceedings of the annual conference on USENIX Annual Technical Conference
Authenticated key exchange secure against dictionary attacks
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Improving text passwords through persuasion
Proceedings of the 4th symposium on Usable privacy and security
Where do security policies come from?
Proceedings of the Sixth Symposium on Usable Privacy and Security
Testing metrics for password creation policies by attacking large sets of revealed passwords
Proceedings of the 17th ACM conference on Computer and communications security
Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks
HotSec'10 Proceedings of the 5th USENIX conference on Hot topics in security
Optimizing password composition policies
Proceedings of the fourteenth ACM conference on Electronic commerce
SAuth: protecting user accounts from password database leaks
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Hi-index | 0.00 |
Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.