Getting Web Authentication Right: A Best-Case Protocol for the Remaining Life of Passwords

  • Joseph Bonneau
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7114)


We outline an end-to-end password authentication protocol for the web designed to be stateless and as secure as possible given legacy limitations of the web browser and performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers able to observe both network traffic and the server’s database state. At the same time, our scheme is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume TLS is available for initial login and no other public-key cryptographic operations, but successfully defend against cookie-stealing and cookie-forging attackers and provide strong resistance to password guessing attacks.
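As an added illustration of the design goals the abstract lists (a stateless cookie, no session table, forgery resistance that survives a database leak, and slow password hashing against guessing), the following Python sketch is not the paper's protocol and not code from the author; it is an assumed construction. The assumptions are: the MAC key `SERVER_KEY` lives only in server configuration and never in the user database, the initial `login` call happens over TLS, and `USER_DB` is a constructed stand-in for the user table.

```python
import hashlib
import hmac
import secrets

# Assumed construction (not the paper's protocol): a stateless, MAC-authenticated
# login cookie bound to the stored password hash.

PBKDF2_ITERATIONS = 100_000

# Server-side MAC key. Assumption: it is held in server configuration only and is
# never written to the user database, so a leaked database alone does not let an
# attacker forge cookies.
SERVER_KEY = secrets.token_bytes(32)

# Constructed stand-in for the user table: username -> (salt, password_hash)
USER_DB = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: an attacker holding the database pays the full cost per guess
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USER_DB[username] = (salt, _hash_password(password, salt))


def _cookie_tag(username: str, expiry: int, password_hash: bytes) -> str:
    # The tag covers a hash of the stored password hash, so a password change
    # invalidates every outstanding cookie without the server keeping session state.
    binder = hashlib.sha256(password_hash).digest()
    msg = f"{username}|{expiry}|".encode() + binder
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(username: str, password: str, now: int, ttl: int = 3600):
    """Return a cookie string on success, None on failure (assumed to run over TLS)."""
    record = USER_DB.get(username)
    if record is None:
        return None
    salt, stored_hash = record
    if not hmac.compare_digest(_hash_password(password, salt), stored_hash):
        return None
    expiry = now + ttl
    return f"{username}|{expiry}|{_cookie_tag(username, expiry, stored_hash)}"


def verify_cookie(cookie: str, now: int):
    """Return the authenticated username, or None. No session table is consulted."""
    try:
        # A username containing '|' yields more than three parts and fails closed here
        username, expiry_str, tag = cookie.split("|")
        expiry = int(expiry_str)
    except ValueError:
        return None
    if now >= expiry:
        return None
    record = USER_DB.get(username)
    if record is None:
        return None
    expected = _cookie_tag(username, expiry, record[1])
    # Constant-time comparison so tag verification leaks nothing via timing
    if not hmac.compare_digest(expected, tag):
        return None
    return username
```

The cookie carries everything the server needs to check it, so verification is stateless; an observer who sees the cookie learns neither the MAC key nor anything that speeds up password guessing, and an attacker who holds only the database contents lacks the key needed to produce a valid tag.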





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Joseph Bonneau, University of Cambridge, Cambridge, UK
