Practical Password Hardening Based on TLS

  • Constantinos DiomedousEmail author
  • Elias Athanasopoulos
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11543)


Text-based passwords are still the dominant form of user authentication in remote services. Beyond the many usability issues associated with handling several text-based passwords, security is also an important dimension. Through the years, a significant amount of on-line services has been compromised and their stored passwords have been leaked. Once the database is compromised, it takes little time for a program to crack the cryptographically hashed (weak) passwords, no matter the algorithm used.

In response to this problem, researchers have proposed cryptographic services for hardening all stored passwords. These services perform several sessions of cryptographic hashing combined with message authentication codes. The goal of these services is to coerce adversaries to use them while cracking the passwords. This essentially transforms off-line password cracking to on-line.

Although these services incorporate elaborate cryptographic schemes for password hardening, it is unclear how easily typical web sites can utilize them without outsourcing the functionality to large providers. In this paper, we take a systems approach for making any web site that is serviced through TLS capable of strongly hardening their passwords. We observe that any TLS-enabled web server is already equipped with strong cryptographic functions. We modify mod_ssl, the module that offers TLS to any Apache web server, to act as a password-hardening service. Our evaluation shows that with an overhead similar to adapting hash functions (such as scrypt and bcrypt), our proposal can protect even the weakest passwords, once they are leaked.



We thank the anonymous reviewers and Jelena Mirkovic for helping us to improve the final version of this paper. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct), No. 830929 (CyberSec4Europe), and No. 826278 (SERUMS), and by the RESTART programmes of the research, technological development and innovation of the Research Promotion Foundation, under grant agreement ENTERPRISES/0916/0063 (PERSONAS).


  1. 1.
    Bible References Make Very Weak Passwords. Accessed Jan 2019
  2. 2.
    Drupal - Open Source CMS. Accessed Jan 2019
  3. 3.
    Hacker Posts 6.4 Million LinkedIn Passwords.
  4. 4.
    \({\text{mod}}_{\text{ ssl }}\): The apache interface to OpenSSL. Accessed Jan 2019
  5. 5.
    Online Hash Crack. Accessed Jan 2019
  6. 6.
    Plain Text Offenders. Accessed Jan 2019
  7. 7.
    Protecting Basecamp from Breached Passwords. Accessed Feb 2019
  8. 8.
  9. 9.
  10. 10.
    WordPress - Create a Website in Minutes. Accessed Jan 2019
  11. 11.
    Muffet, A.: Facebook: password hashing and authentication. Accessed Jan 2019
  12. 12.
    Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S.: Scrypt is maximally memory-hard. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 33–62. Springer, Cham (2017). Scholar
  13. 13.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). Scholar
  14. 14.
    Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72–84. IEEE (1992)Google Scholar
  15. 15.
    Burr, W.E., Dodson, D.F., Polk, W.T., et al.: Electronic authentication guideline. Commonly known as: Draft NIST Special Publication 800-63-2 (2004)Google Scholar
  16. 16.
    Das, A., Bonneau, J., Caesar, M., Borisov, N., Wang, X.: The tangled web of password reuse. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, 23–26 February 2014Google Scholar
  17. 17.
    Dhamija, R., Tygar, J., Hearst, M.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, SIGCHI (2006)Google Scholar
  18. 18.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.2. Technical report (2008)Google Scholar
  19. 19.
    Everspaugh, A., Chaterjee, R., Scott, S., Juels, A., Ristenpart, T.: The Pythia PRF service. In: 24th USENIX Security Symposium (USENIX Security 2015), pp. 547–562. USENIX Association, Washington, D.C. (2015)Google Scholar
  20. 20.
    Gaw, S., Felten, E.W.: Password management strategies for online accounts. In: Proceedings of the Symposium on Usable Privacy and Security, SOUPS (2006)Google Scholar
  21. 21.
    Gelernter, N., Kalma, S., Magnezi, B., Porcilan, H.: The password reset MitM attack. In: IEEE Symposium on Security and Privacy (SP), vol. 00, pp. 251–267, May 2017Google Scholar
  22. 22.
  23. 23.
    Karapanos, N., Capkun, S.: On the effective prevention of TLS man-in-the-middle attacks in web applications. In: USENIX Security Symposium, vol. 23, pp. 671–686 (2014)Google Scholar
  24. 24.
    Kontaxis, G., Athanasopoulos, E., Portokalidis, G., Keromytis, A.D.: SAuth: protecting user accounts from password database leaks. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 187–198. ACM, New York (2013)Google Scholar
  25. 25.
    Krawczyk, H., Bellare, M., Canetti, R.: HMAC: keyed-hashing for message authentication. Technical report (1997)Google Scholar
  26. 26.
    Lai, R.W.F., Egger, C., Reinert, M., Chow, S.S.M., Maffei, M., Schröder, D.: Simple password-hardened encryption services. In: 27th USENIX Security Symposium (USENIX Security 2018), pp. 1405–1421. USENIX Association, Baltimore (2018)Google Scholar
  27. 27.
    Lai, R.W.F., Egger, C., Schröder, D., Chow, S.S.M.: Phoenix: rebirth of a cryptographic password-hardening service. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 899–916. USENIX Association, Vancouver (2017)Google Scholar
  28. 28.
    U.S. Department of Commerce, National Institute of Standards, and Technology: Secure Hash Standard - SHS: Federal Information Processing Standards Publication 180-4. CreateSpace Independent Publishing Platform, USA (2012)Google Scholar
  29. 29.
    Provos, N., Mazieres, D.: A future-adaptable password scheme. In: USENIX Annual Technical Conference, FREENIX Track, pp. 81–91 (1999)Google Scholar
  30. 30.
    Rivest, R.: The MD5 message-digest algorithm. Technical report (1992)Google Scholar
  31. 31.
    Schneider, J., Fleischhacker, N., Schröder, D., Backes, M.: Efficient cryptographic password hardening services from partially oblivious commitments. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1192–1203. ACM, New York (2016)Google Scholar
  32. 32.
    Ur, B., et al.: How does your password measure up? The effect of strength meters on password creation. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security 2012, p. 5. USENIX Association, Berkeley (2012)Google Scholar
  33. 33.
    von Ahn, L., Maurer, B., McMillen, C., Abraham, D., Blum, M.: reCAPTCHA: human-based character recognition via web security measures. Science 321(5895), 1465–1468 (2008)MathSciNetCrossRefGoogle Scholar
  34. 34.
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). Scholar
  35. 35.
    Wu, T.D., et al.: The secure remote password protocol. In: NDSS, vol. 98, pp. 97–111. Citeseer (1998)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.University of CyprusNicosiaCyprus

Personalised recommendations