Revisiting Defenses against Large-Scale Online Password Guessing Attacks

Brute force and dictionary attacks on password-only remote login services are now widespread and increasing rapidly. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) are effective and easy to deploy, but impose a noticeable amount of inconvenience on users. We discuss the existing and proposed login protocols designed to prevent large-scale online dictionary attacks. We propose the Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. PGRP limits the total number of login attempts from unknown remote hosts, while legitimate users can make several failed login attempts before being challenged with an ATT.
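The policy the abstract describes, as an added illustration that is not the paper's own protocol or code: a login server keeps the (username, source host) pairs that previously logged in successfully, gives such known pairs a larger budget of failed attempts, and gives unknown hosts a much smaller per-username budget before it demands an ATT. The thresholds K_KNOWN and K_UNKNOWN, the state layout, and the attempt sequence below are all assumptions constructed for this example; the abstract gives no values and no data structures.

```python
"""Simplified PGRP-style login throttling (added example, not the paper's protocol)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed thresholds for the illustration; the abstract states no numbers.
K_KNOWN = 3    # failed attempts a known (user, host) pair may make before an ATT
K_UNKNOWN = 1  # failed attempts per username from unknown hosts before an ATT


@dataclass
class PGRPServer:
    # (username, source host) pairs that completed a successful login earlier
    known: Set[Tuple[str, str]] = field(default_factory=set)
    failed_known: Dict[str, int] = field(default_factory=dict)    # per-user, known hosts
    failed_unknown: Dict[str, int] = field(default_factory=dict)  # per-user, unknown hosts

    def login(self, user: str, host: str, password_ok: bool,
              att_solved: bool = False) -> str:
        """Return 'granted', 'denied' or 'challenge'.

        password_ok stands in for the real credential check; att_solved is True
        only when the client submitted a correct ATT answer with this attempt.
        """
        is_known = (user, host) in self.known
        counter = self.failed_known if is_known else self.failed_unknown
        limit = K_KNOWN if is_known else K_UNKNOWN
        # Budget exhausted for this (user, host class): an ATT must be solved first.
        if counter.get(user, 0) >= limit and not att_solved:
            return "challenge"
        if password_ok:
            # Success marks the host as known for this user and clears the counters.
            self.known.add((user, host))
            self.failed_known.pop(user, None)
            self.failed_unknown.pop(user, None)
            return "granted"
        counter[user] = counter.get(user, 0) + 1
        return "denied"


def run_scenario() -> List[str]:
    """Constructed attempt sequence: a legitimate user on her usual laptop, then
    an attacker guessing her password from two different unknown hosts."""
    s = PGRPServer()
    out = []
    out.append(s.login("alice", "laptop", True))          # granted; laptop becomes known
    for _ in range(K_KNOWN):
        out.append(s.login("alice", "laptop", False))     # denied x3, no ATT yet
    out.append(s.login("alice", "laptop", False))         # challenge: known budget spent
    out.append(s.login("alice", "laptop", True, att_solved=True))  # granted after ATT
    out.append(s.login("alice", "bot-1", False))          # denied: the single unknown-host try
    out.append(s.login("alice", "bot-2", False))          # challenge: new IP does not help
    out.append(s.login("alice", "laptop", False))         # denied: known budget is separate
    return out


if __name__ == "__main__":
    for step, result in enumerate(run_scenario(), 1):
        print(step, result)
```

Two properties of the abstract show up in the trace: the attacker who moves to a second bot after one failed guess is challenged anyway, because the unknown-host budget is tracked per username rather than per source address, so IP diversity buys nothing against it; and the legitimate user on her known laptop still gets K_KNOWN plain failures before any ATT, independent of what the attacker did. The cost of this assumed simplification is that a single failed guess from anywhere forces an ATT on every new device that user tries next, until one login succeeds; a deployable version would also need a per-source counter and expiry of the counters.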
