CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Public-key cryptography and password protocols
CCS '98 Proceedings of the 5th ACM conference on Computer and communications security
Password security: a case history
Communications of the ACM
Pseudorandomness and Cryptographic Applications
Pseudorandomness and Cryptographic Applications
Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish)
Fast Software Encryption, Cambridge Security Workshop
A Fast New DES Implementation in Software
FSE '97 Proceedings of the 4th International Workshop on Fast Software Encryption
Encrypted Key Exchange: Password-Based Protocols SecureAgainst Dictionary Attacks
SP '92 Proceedings of the 1992 IEEE Symposium on Security and Privacy
Number theoretic attacks on secure password schemes
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Separating key management from file system security
Proceedings of the seventeenth ACM symposium on Operating systems principles
Stronger password authentication using browser extensions
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Cryptography in OpenBSD: an overview
ATEC '99 Proceedings of the annual conference on USENIX Annual Technical Conference
On predictive models and user-drawn graphical passwords
ACM Transactions on Information and System Security (TISSEC)
Human-seeded attacks and exploiting hot-spots in graphical passwords
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Halting password puzzles: hard-to-break encryption from human-memorable keys
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Action-based user authentication
International Journal of Electronic Security and Digital Forensics
HPAKE: Password Authentication Secure against Cross-Site User Impersonation
CANS '09 Proceedings of the 8th International Conference on Cryptology and Network Security
Hardened stateless session cookies
Security'08 Proceedings of the 16th International conference on Security protocols
Password exhaustion: predicting the end of password usefulness
ICISS'06 Proceedings of the Second international conference on Information Systems Security
Perfectly secure password protocols in the bounded retrieval model
TCC'06 Proceedings of the Third conference on Theory of Cryptography
SAuth: protecting user accounts from password database leaks
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Efficient and secure storage of private keys for pseudonymous vehicular communication
Proceedings of the 2013 ACM workshop on Security, privacy & dependability for cyber vehicles
Useful password hashing: how to waste computing cycles with style
Proceedings of the 2013 workshop on New security paradigms workshop
| Hi-index | 0.01 |
Many authentication schemes depend on secret passwords. Unfortunately, the length and randomness of user-chosen passwords remain fixed over time. In contrast, hardware improvements constantly give attackers increasing computational power. As a result, password schemes such as the traditional UNIX user-authentication system are failing with time. This paper discusses ways of building systems in which password security keeps up with hardware speeds. We formalize the properties desirable in a good password system, and show that the computational cost of any secure password scheme must increase as hardware improves. We present two algorithms with adaptable cost--eksblowfish, a block cipher with a purposefully expensive key schedule, and bcrypt, a related hash function. Failing a major breakthrough in complexity theory, these algorithms should allow password-based systems to adapt to hardware improvements and remain secure well into the future.