STUMP - STalling offline password attacks Using pre-hash ManiPulations

Offline password cracking has seen significant advances in recent years, mainly because of a dramatic increase in accessible computational speed and the growing use of GPUs for parallel processing. Cheaper and faster hardware, combined with new techniques, has allowed inexpensive GPUs to crack passwords at rates that previously only supercomputers could achieve. One inexpensive mitigation technique that we have uncovered is built on the core idea of pre-hash password manipulations; we name this technique STUMP. Through rigorous empirical analysis, we demonstrate that STUMP can prevent offline parallel attacks, including pre-computed attacks using rainbow tables, from cracking 99.718% of passwords that are shorter than 8 characters; STUMP has also been shown to completely prevent the attacker from cracking passwords that are 8 or more characters in length (i.e., 100% secure). Finally, in all cases STUMP can be employed to stall the attack, regardless of whether it is a laborious brute-force technique or a more intelligent dictionary attack, as neither will return the user's original password.
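The abstract does not describe which manipulations STUMP applies, so the following is an added illustration of the general idea, not the paper's code: a hypothetical keyed transformation (`manipulate`, driven by an HMAC over an assumed server-side secret, `SERVER_SECRET`) is applied before the password is hashed, which means the pre-image of the stored hash is never the string the user typed. The helper names, the PBKDF2 parameters, the salt format and the sample wordlist are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed server-side secret for this illustration only. It is assumed to be kept
# apart from the credential database, which is all an offline attacker is modelled as holding.
SERVER_SECRET = b"constructed-illustrative-secret"

PRINTABLE_LO, PRINTABLE_HI = 32, 126      # printable ASCII range used for the rotation
SPAN = PRINTABLE_HI - PRINTABLE_LO + 1    # 95 printable characters
ITERATIONS = 10_000                       # stand-in work factor for whatever slow hash is deployed


def manipulate(password: str, secret: bytes = SERVER_SECRET) -> str:
    """Hypothetical pre-hash manipulation (an assumption, not STUMP's published method).

    A keyed digest of the password drives two deterministic edits: every printable
    character is rotated within printable ASCII by a key-dependent offset, and two
    extra key-dependent characters are inserted at a key-dependent position. Being
    deterministic, the same edit can be repeated at verification time.
    """
    tag = hmac.new(secret, password.encode("utf-8"), hashlib.sha256).digest()
    rotated = []
    for i, ch in enumerate(password):
        code = ord(ch)
        if PRINTABLE_LO <= code <= PRINTABLE_HI:
            code = PRINTABLE_LO + (code - PRINTABLE_LO + tag[i % len(tag)]) % SPAN
        rotated.append(chr(code))
    extra = "".join(chr(PRINTABLE_LO + b % SPAN) for b in tag[-2:])
    pos = tag[0] % (len(rotated) + 1)
    return "".join(rotated[:pos]) + extra + "".join(rotated[pos:])


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash the manipulated password with a per-user salt; returns 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", manipulate(password).encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify(password: str, stored: str) -> bool:
    """Repeat the manipulation and the salted hash, then compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", manipulate(password).encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guess_without_manipulation(stored: str, wordlist: List[str]) -> Optional[str]:
    """Model of the threat in the abstract: an offline guesser that holds the hash
    database (salt included) but not the manipulation, so it hashes each candidate
    exactly as typed. Returns the matching word, or None when the attack stalls."""
    salt_hex, digest_hex = stored.split("$", 1)
    salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    for word in wordlist:
        if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, ITERATIONS), digest):
            return word
    return None


def preimage_is_original(password: str) -> bool:
    """Even a guesser that recovers the exact pre-image of the stored hash ends up
    with the manipulated string; this reports whether that string equals the password."""
    return manipulate(password) == password


if __name__ == "__main__":
    stored = hash_password("letmein")
    print(verify("letmein", stored), verify("letmeout", stored))          # True False
    # Constructed wordlist that does contain the real password.
    print(guess_without_manipulation(stored, ["123456", "password", "letmein"]))  # None
    print(preimage_is_original("letmein"))                                 # False
```

The two checks at the bottom correspond to the abstract's two claims: a guesser that does not know the manipulation does not find a match even when the real password is in its list, and a guesser that does recover the pre-image still does not hold the user's original password. Whether a real deployment keeps the manipulation secret, and how it handles characters outside the range transformed here, are design questions this illustration does not settle.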
