Cryptanalysis on the Head and Tail Technique for Hashing Passwords

Researchers and experts have developed numerous hash-based password authentication schemes. Unfortunately, most of them are susceptible to various attacks. This study performs cryptanalysis on the Head and Tail (HT) technique for hashing passwords. The research tested the HT technique's capacity to resist dictionary, rainbow-table, and brute-force attacks. To test the strength of the HT technique, HashCat, John the Ripper, RainbowCrack, and the online cracking systems at crackstation.net and hashkiller.co.uk were used as cracking tools. The results of the experiment show that the cracking tools failed to crack the HT technique. Further tests showed that generating a password-hash value pair or lookup table for MD5-HT and SHA1-HT is 16 times slower than for standard MD5 and SHA1. Thus, the Head and Tail (HT) technique is a secure method for hashing passwords.
