drPass: A Dynamic and Reusable Password Generator Protocol

In general, alphanumeric passwords are used for authentication because of their simplicity and deployability. Strong and distinct alphanumeric passwords are inconvenient to memorize, so users often pick weak passwords and reuse them, or employ simple tricks to derive passwords from a basic one. Such weak and easy-to-derive passwords cannot provide sufficient strength to protect users' confidential resources, and they reduce the work of attackers to a great extent. Although strong and distinct passwords resist brute-force attacks, they are prone to theft and are often compromised under different vulnerabilities. Thus, by compromising one password, an attacker may gain access to other web accounts where identical or similar passwords are used by the same user. In this paper, we propose drPass, a dynamic and reusable password-generating protocol that generates high-entropy passwords and thwarts various password-stealing attacks. The proposed drPass scheme does not require any server-side change to existing websites for its implementation. It reduces the memory burden on users and also helps users generate and maintain highly secure, distinct passwords for each site.
