ABSTRACT
Nowadays, proactive password checking algorithms are based on the philosophy of the dictionary attack, and they often fail to prevent some weak passwords with low entropy. In this paper, a new approach is proposed to deal with this new class of weak passwords by (roughly) measuring entropy. A simple example is given to exploit effective patterns to prevent low-entropy passwords as the first step of entropy-based proactive password checking.
Index Terms
- A note on proactive password checking