Password Policy Purgatory

Password Policy Markup Language

Password-based authentication is the most widely used authentication scheme for granting access to user accounts on the Internet. Despite this, there exists no standard implementation of passwords by services. They have different password requirements as well as interfaces and procedures for login, password change, and password reset. This situation is very challenging for users and often leads...

Zero-Knowledge Password Policy Check from Lattices

Passwords are ubiquitous and most commonly used to authenticate users when logging into online services. Using high entropy passwords is critical to prevent unauthorized access and password policies emerged to enforce this requirement on passwords. However, with current methods of password storage, poor practices and server breaches have leaked many passwords to the public. To protect one’s sen...

Christmas in purgatory: a retrospective look.

Zero-Knowledge Password Policy Checks and Verifier-Based PAKE

Zero-Knowledge Password Policy Checks (ZKPPC), introduced in this work, enable blind registration of client passwords at remote servers, i.e., client passwords are never transmitted to the servers. This eliminates the need for trusting servers to securely process and store client passwords. A ZKPPC protocol, executed as part of the registration procedure, allows clients to further prove complia...

Password Policy Effects on Entropy and Recall: Research in Progress

Passwords are commonly used for authentication. System architects generally put in place password policies that define the required length of a password, the complexity requirements of the password, and the expiration (if ever) of the password. Password policies are designed with the intent of helping users choose secure passwords, and in the case of password expiration, limit the potential dam...