Password-based authentication is the dominant form of access control in web services. Unfortunately, it proves increasingly inadequate every year. Even if users choose long and complex passwords, vulnerabilities in the way a service manages them may leak them to an attacker. Recent incidents at popular services such as LinkedIn and Twitter demonstrate the impact such an event can have. The use of one-way hash functions to mitigate the problem is countered by the evolution of hardware, which enables powerful password-cracking platforms. In this paper we propose SAuth, a protocol which employs authentication synergy among different services. Users wishing to access their account on service S will also have to authenticate for their account on service V, which acts as a vouching party. Both S and V are regular sites the user visits every day (e.g., Twitter, Facebook, Gmail). Should an attacker acquire the password for service S, he will be unable to log in unless he also compromises the password for service V, and possibly for further vouching services. SAuth is an extension of, not a replacement for, existing authentication methods. It operates one layer above them, without ties to a specific method, thus enabling different services to employ heterogeneous systems. Finally, we employ password decoys to protect users who share a password across services.
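The synergy exchange and the decoy check described in the abstract, as an added example that is not the paper's own code or protocol specification: two simulated services S and V share an HMAC key (assumed to be pre-shared out of band), S issues a fresh nonce once the user's S password checks out, V returns a voucher bound to S's name, the username and that nonce once the user's V password checks out, and S grants the login only when the voucher verifies against the pending nonce. Each service also stores the user's real password hash among decoy hashes, so a login attempt with a decoy is rejected and raises an alarm; an attacker who dumps S's database and tries every candidate at V therefore trips V's alarm. The service names, the pairing key, the decoy set and all passwords are constructed for the demo, and how the real SAuth distributes decoys and keys is not stated in the abstract, so those parts are assumptions.

```python
"""Toy simulation of SAuth-style authentication synergy with password decoys."""
import hashlib
import hmac
import secrets

KDF_ITERS = 50_000  # PBKDF2 rounds; kept low for the demo, raise in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS)


class Service:
    """One web service: salted hashes of each user's real password plus decoys,
    pre-shared HMAC keys with vouching peers (assumed), pending login nonces."""

    def __init__(self, name: str):
        self.name = name
        self.users = {}      # username -> {"salt", "real", "decoys"}
        self.peer_keys = {}  # peer service name -> shared HMAC key (assumption)
        self.pending = {}    # login nonce -> username awaiting a voucher
        self.alarms = []     # (username, reason) on decoy use or bad voucher

    def pair(self, peer: "Service", key: bytes) -> None:
        self.peer_keys[peer.name] = key
        peer.peer_keys[self.name] = key

    def register(self, username: str, password: str, decoys) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "real": hash_password(password, salt),
            "decoys": {hash_password(d, salt) for d in decoys},
        }

    def check_password(self, username: str, password: str) -> str:
        """Returns "ok", "decoy" (alarm raised) or "bad"."""
        rec = self.users.get(username)
        if rec is None:
            return "bad"
        h = hash_password(password, rec["salt"])
        if hmac.compare_digest(h, rec["real"]):
            return "ok"
        if h in rec["decoys"]:
            self.alarms.append((username, "decoy password used"))
            return "decoy"
        return "bad"

    def begin_login(self, username: str, password: str):
        """Step 1 (at S): S password accepted, issue a nonce, wait for a voucher."""
        if self.check_password(username, password) != "ok":
            return None
        nonce = secrets.token_hex(16)
        self.pending[nonce] = username
        return nonce

    def vouch(self, username: str, password: str, for_service: str, nonce: str):
        """Step 2 (at V): V password accepted, return a voucher bound to
        (V, S, user, S's nonce) so it cannot be replayed elsewhere."""
        if self.check_password(username, password) != "ok":
            return None
        msg = f"{self.name}|{for_service}|{username}|{nonce}".encode()
        return hmac.new(self.peer_keys[for_service], msg, "sha256").hexdigest()

    def finish_login(self, username: str, nonce: str, voucher_from: str, token: str) -> bool:
        """Step 3 (at S): verify the voucher against the pending nonce, then burn it."""
        if self.pending.get(nonce) != username:
            return False
        key = self.peer_keys.get(voucher_from)
        if key is None:
            return False
        msg = f"{voucher_from}|{self.name}|{username}|{nonce}".encode()
        expected = hmac.new(key, msg, "sha256").hexdigest()
        if not hmac.compare_digest(expected, token):
            self.alarms.append((username, "bad voucher"))
            return False
        del self.pending[nonce]  # one-shot nonce
        return True


def synergy_login(s: Service, v: Service, username: str, s_pw: str, v_pw: str) -> bool:
    """The whole exchange from the user's side: log in to S, get vouched by V."""
    nonce = s.begin_login(username, s_pw)
    if nonce is None:
        return False
    token = v.vouch(username, v_pw, s.name, nonce)
    if token is None:
        return False
    return s.finish_login(username, nonce, v.name, token)


def demo():
    s, v = Service("S"), Service("V")
    s.pair(v, secrets.token_bytes(32))
    decoys = ["correcthorse", "hunter2!", "Tr0ub4dor&3"]  # constructed decoy set
    s.register("alice", "s-pass", decoys)
    v.register("alice", "v-pass", decoys)
    results = {
        "honest": synergy_login(s, v, "alice", "s-pass", "v-pass"),
        "only_s_password": synergy_login(s, v, "alice", "s-pass", "guess"),
        "decoy_at_v": synergy_login(s, v, "alice", "s-pass", "hunter2!"),
        "forged_voucher": s.finish_login("alice", "deadbeef", v.name, "00" * 32),
    }
    return results, s.alarms, v.alarms


if __name__ == "__main__":
    print(demo())
```

Only the honest run succeeds: knowing the S password alone never yields a session, a leaked decoy used at V is refused and logged there, and a voucher for an unknown nonce is dropped before any key is consulted.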