Jianxin Jeff Yan
ABSTRACT
Nowadays, proactive password checking algorithms are based on the philosophy of the dictionary attack, and they often fail to prevent some weak passwords with low entropy. In this paper, a new approach is proposed to deal with this new class of weak passwords by (roughly) measuring entropy. A simple example is given to exploit effective patterns to prevent low-entropy passwords as the first step of entropy-based proactive password checking.
- Steven M. Bellovin and Michael Merritt, Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks, IEEE Symposium on Research in Security and Privacy, May 1992. pp.72-84. Google Scholar
Digital Library
- F Bergadano et al. High dictionary compression for proactive password checking, ACM trans. on info and system security Vol.1, No.1, Nov. 1998 Google ScholarDigital Library
- F Bergadano et al. Proactive password checking with decision trees, 1997 ACM conference on computer and communications security, 1997, Zurich Google ScholarDigital Library
- Burton Bloom. Space/time trade-offs in hash coding with allowable errors, CACM, 13(7): 422-426, July 1979 Google ScholarDigital Library
- C. Davies and R. Ganesan. BApasswd: A new proactive password checker. In 16th National Computer Security Conference, pages 1-15, Baltimore, MD, Sept. 1993Google Scholar
- DV Klein. Foiling the Cracker; A Survey of, and Improvements to Unix Password Security, Proceedings of the USENIX Security Workshop. Portland, Oregon: USENIX Association, Summer 1990; expanded as a technical report from SEI, 1992Google Scholar
- Alec Muffett. Crack 4.0, 5.0, almost everywhere in the internetGoogle Scholar
- Alec Muffett. CrackLib: a proactive password sanity ibrary, http://www.users.dircon.co.uk/~crypto/download/cracklib,2.7.txtGoogle Scholar
- Npassword source code (Latest version: npasswd-2.X.tar.gz). at http://www.utexas.edu/cc/unix/software/npasswd/dist/npasswd-2.05.tar.gz, 2000Google Scholar
- S. Patel, Number theoretic attacks on secure password schemes. IEEE Symposium on Security and Privacy, 1997 Google ScholarDigital Library
- E. H. Spafford. OPUS: Preventing Weak Password Choices, Computers and Security 11(3), pp. 273-278, 1992 Google ScholarDigital Library
- T. Wu, The Secure Remote Password Protocol, in Proceedings of the 1998 Internet Society Symposium on Network and Distributed System Security, San Diego, CA, Mar 1998, pp. 97-111.Google Scholar
- T. Wu, A Real-World Analysis of Kerberos Password Security, Proceedings of the 1999 Network and Distributed System Security Symposium, February 3-5, 1999Google Scholar
- Jianxin (Jeff) Yan, Alan Blackwell, Ross Anderson and Alasdair Grant. The Memorability and Security of Passwords -- Some Empirical Results. Technical Report No. 500, Computer Laboratory, University of Cambridge,2000. http://www.ftp.clcamacuk/ftp/users/ja14/tr500.pdfGoogle Scholar
Index Terms
- A note on proactive password checking
Comments