Can “Something You Know” Be Saved?

  • Baris Coskun
  • Cormac Herley
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5222)


“Something you know,” in the form of passwords, has been the cornerstone of authentication for some time; however the inability to survive replay attack threatens this state of affairs. While “something you know” may always be used in addition to “something you have” we examine whether it can be salvaged as the solo factor for authentication. A recent surge of interest in Challenge Response authentication schemes raises the question whether a secret shared between the user and the server can allow secure access even in the presence of spyware.

Our conclusion is negative. Assuming only a limit on the amount that a user can remember and calculate we find that any scheme likely to be usable is too easily brute forced if the attacker observes several logins. This is true irrespective of the details of the scheme. The vital parameter is the number of bits of the secret involved in each bit of the response. When this number is too low the scheme is easily brute-forced, but making it high makes the scheme unworkable for the user. Our conclusion is that single factor “something you know” schemes have a fundamental weakness unless the number of logins the attacker observes can be restricted.


Authentication passwords challenge response 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
    Herley, C., Florêncio, D.: How To Login From an Internet Café without Worrying about Keyloggers. In: Symp. on Usable Privacy and Security (2006)Google Scholar
  3. 3.
    Cheswick, W.: Johnny Can Obfuscate: Beyond Mother’s Maiden Name. In: Proc. Usenix HotSec (2006)Google Scholar
  4. 4.
    Florêncio, D., Herley, C.: One-Time Password Access to Any Server Without Changing the Server. In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 401–420. Springer, Heidelberg (2008)Google Scholar
  5. 5.
    Florêncio, D., Herley, C.: KLASSP: Entering Passwords on a Spyware Infected Machine. In: Jesshope, C., Egan, C. (eds.) ACSAC 2006. LNCS, vol. 4186. Springer, Heidelberg (2006)Google Scholar
  6. 6.
    Florêncio, D., Herley, C., Coskun, B.: Do Strong Web Passwords Accomplish Anything? In: Proc. Usenix Hot Topics in Security (2007)Google Scholar
  7. 7.
    Golle, P., Wagner, D.: Cryptanalysis of a Cognitive Authentication Scheme. In: Symp. on Security and Privacy (2007)Google Scholar
  8. 8.
    Haller, N.: The S/KEY One-Time Password System. In: Proc. ISOC Symposium on Network and Distributed System Security (1994)Google Scholar
  9. 9.
    Herley, C., Florêncio, D.: Phishing as a Tragedy of the Commons. In: NSPW 2008, Lake Tahoe, CA (2008)Google Scholar
  10. 10.
    Jermyn, I., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The Design and Analysis of Graphical Passwords. In: Usenix Security (1999)Google Scholar
  11. 11.
    Lamport, L.: Password Authentication with Insecure Communication. Communications of the ACM (1981)Google Scholar
  12. 12.
    Lei, M., Xiao, Y., Vrbsky, S., Li, C.-C., Liu, L.: A Virtual Password Scheme to Protect Passwords. In: Proceedings of IEEE ICC (2008)Google Scholar
  13. 13.
    Lim, J.: Defeat spyware with anti-screen capture technology using visual persistence. In: SOUPS (2007)Google Scholar
  14. 14.
    Pashalidis, A., Mitchell, C.J.: Impostor: A single sign-on system for use from untrusted devices. In: Proceedings of IEEE Globecom (2004)Google Scholar
  15. 15.
    Pering, T., Sundar, M., Light, J., Want, R.: Photographic Authentication through Untrusted Terminals. IEEE Security and Privacy (2003)Google Scholar
  16. 16.
    Suo, X., Zuo, Y., Owen, G.S.: Graphical Passwords: a Survey. In: ACSAC (2005)Google Scholar
  17. 17.
    Weinshall, D.: Cognitive Authentication Schemes Safe Against Spyware. In: Symp. on Security and Privacy (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Baris Coskun
    • 1
  • Cormac Herley
    • 2
  1. 1.Polytechnic UniversityBrooklyn, NY 
  2. 2.Microsoft ResearchRedmond 

Personalised recommendations