Private Password Auditing - Short Paper
نویسندگان
چکیده
Passwords are the foremost mean to achieve data and computer security. Hence, choosing a strong password which may withstand dictionary attacks is crucial in establishing the security of the underlying system. In order to ensure that strong passwords are chosen, system administrators often rely on password auditors to filter weak password digests. Several tools aimed at preventing digest misuse have been designed to aid auditors. We however show that the objective remains a far cry as these tools essentially reveal the digests corresponding to weak passwords. As a case study, we discuss the issues with Blackhash, and develop the notion of Private Password Auditing— a mechanism that does not require a system administrator to reveal digests to an external auditor and symmetrically the dictionaries remain private to the auditor. We further present constructions based on Private Set Intersection and its variant, and evaluate a proof-of-concept implementation against real-world dictionaries
منابع مشابه
Strengthening Public Key Authentication Against Key Theft (Short Paper)
Authentication protocols based on an asymmetric keypair provide strong authentication as long as the private key remains secret, but may fail catastrophically if the private key is lost or stolen. Even when encrypted with a password, stolen key material is susceptible to offline brute-force attacks. In this paper we demonstrate a method for rate-limiting password guesses on stolen key material,...
متن کاملA Simple Threshold Authenticated Key Exchange from Short Secrets
This paper brings the password-based authenticated key exchange (PAKE) problem closer to practice. It takes into account the presence of firewalls when clients communicate with authentication servers. An authentication server can indeed be seen as two distinct entities, namely a gateway (which is the direct interlocutor of the client) and a back-end server (which is the only one able to check t...
متن کاملThe Bitcoin Brain Drain: A Short Paper on the Use and Abuse of Bitcoin Brain Wallets
In the cryptocurrency Bitcoin, users can deterministically derive the private keys used for transmitting money from a password. Such “brain wallets” are appealing because they free users from storing their private keys on untrusted computers. Unfortunately, they also enable attackers to conduct unlimited offline password guessing. In this paper, we report on the first large-scale measurement of...
متن کاملMulti - Factor Password - Authenticated Key Exchange ( full version )
We consider a new form of authenticated key exchange which we call multi-factor passwordauthenticated key exchange, where session establishment depends on successful authentication of multiple short secrets that are complementary in nature, such as a long-term password and a one-time response, allowing the client and server to be mutually assured of each other’s identity without directly disclo...
متن کاملPrivacy analysis and enhancements for data sharing in *nix systems
In this paper, we analyse the data sharing mechanisms of *nix systems and identify an immediate need for better privacy support. For example, using a simple insider attack we were able to access over 84 GB of private data at one organisation of 825 users, including 300 000 e-mails and 579 passwords to financial and other private services websites, without exploiting any technical vulnerability....
متن کامل