
Multiple hashes of single key with passcode for multiple accounts

Journal of Zhejiang University-SCIENCE A

Abstract

A human’s e-life needs multiple offline and online accounts. Setting keys or passwords for these accounts is a balance between usability and security. Password reuse has to be avoided because of the domino effect of malicious administrators and crackers. However, human memorability constrains the number of keys. In the prior art, single sign-on servers, key hashing, key strengthening and petname systems are used so that only one key is needed for multiple online accounts: the unique site keys are derived from the common master secret and the specific domain name. These methods cannot be applied to offline accounts such as file encryption. We invent a new method and system applicable to both offline and online accounts. It does not depend on an HTTP server or a domain name, but on a numeric 4-digit passcode, key hashing, key strengthening and hash truncation. The domain name is needed only to resist spoofing and phishing attacks on online accounts.
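The following sketch is an added illustration of the idea in the abstract and is not the algorithm from the paper: one master key plus a 4-digit passcode yields a distinct key per account, with the domain name mixed in only for online accounts. The function name, the use of PBKDF2-HMAC-SHA256 as the key-strengthening step, the iteration count, the Base64 encoding and the 16-character truncation are all assumptions made for the example.

```python
import base64
import hashlib
import re

ITERATIONS = 100_000  # assumed work factor for the key-strengthening step
OUT_CHARS = 16        # assumed truncation length of the derived key


def derive_account_key(master_key: str, passcode: str, domain: str = "") -> str:
    """Derive one account key from a single master key and a 4-digit passcode.

    Offline accounts (e.g. file encryption) pass no domain. Online accounts
    pass the site's domain so that a key typed into a look-alike site differs
    from the key of the genuine site.
    """
    if not master_key:
        raise ValueError("master key must not be empty")
    if not re.fullmatch(r"[0-9]{4}", passcode):
        raise ValueError("passcode must be exactly 4 digits")

    # The passcode selects the account; it has only 10,000 possible values,
    # so the secrecy of the result rests on the master key, not the passcode.
    domain = domain.strip().lower()
    # Length-prefix the domain so (passcode, domain) pairs encode unambiguously.
    salt = f"{passcode}|{len(domain)}|{domain}".encode("utf-8")

    # Key hashing + key strengthening: an iterated keyed hash slows down
    # guessing of the master key from a leaked account key.
    digest = hashlib.pbkdf2_hmac(
        "sha256", master_key.encode("utf-8"), salt, ITERATIONS
    )

    # Hash truncation: expose only a prefix of the encoded digest.
    return base64.urlsafe_b64encode(digest).decode("ascii")[:OUT_CHARS]


if __name__ == "__main__":
    master = "constructed example master key"  # constructed sample input
    print("offline 0001:", derive_account_key(master, "0001"))
    print("offline 0002:", derive_account_key(master, "0002"))
    print("online  0001:", derive_account_key(master, "0001", "example.com"))
```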



Author information

Corresponding author

Correspondence to Lee Kok-wah.


Cite this article

Lee, Kw., Ewe, Ht. Multiple hashes of single key with passcode for multiple accounts. J. Zhejiang Univ. - Sci. A 8, 1183–1190 (2007). https://doi.org/10.1631/jzus.2007.A1183


  • DOI: https://doi.org/10.1631/jzus.2007.A1183
