drPass: A Dynamic and Reusable Password Generator Protocol

  • Suryakanta Panda (corresponding author)
  • Samrat Mondal
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11281)

Abstract

In general, alphanumeric passwords are used for authentication because of their simplicity and deployability. Strong and distinct alphanumeric passwords are inconvenient to memorize, so users often pick weak passwords and reuse them. Users also employ simple tricks to derive passwords from a basic one. However, such weak and easily derived passwords cannot provide sufficient strength to protect users' confidential resources; they reduce the work of attackers to a great extent. Although strong and distinct passwords resist brute-force attacks, they are prone to theft and are often compromised through various vulnerabilities. Thus, by compromising one password, an attacker may gain access to other web accounts where the same user has used identical or similar passwords. In this paper, we propose drPass, a dynamic and reusable password-generating protocol that generates high-entropy passwords and thwarts various password-stealing attacks. The proposed drPass scheme does not require any server-side change to existing websites for its implementation. It reduces the memory burden on users and helps them generate and maintain highly secure, distinct passwords for each site.

Keywords

Authentication, Passwords, Security, Reusability

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Indian Institute of Technology Patna, Patna, India