Abstract
While authentication has been widely studied, designing secure and efficient authentication schemes for various applications remains challenging. In this paper, we propose a self-adaptive authentication mechanism, Multi-item Passphrases, which is designed to mitigate offline password-guessing attacks. For example, “11th July 2018, Nanjing, China, San Antonio, Texas, research” is a multi-item passphrase. It dynamically monitors items and identifies frequently used items. Users will then be alerted when there is need to change their passphrases based on the observed trend (e.g., when a term used in the passphrase consists of a popular item). We demonstrate the security and effectiveness of the proposed scheme in resisting offline guessing attacks, and in particular using simulations to show that schemes based on multi-item passphrases achieve higher security and better usability than those using passwords and diceware passphrases.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Biddle, R., Chiasson, S., Van Oorschot, P.C.: Graphical passwords: learning from the first twelve years. ACM Comput. Surv. (CSUR) 44(4), 19 (2012)
Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: Passwords and the evolution of imperfect authentication. Commun. ACM 58(7), 78–87 (2015)
Bonneau, J., Shutova, E.: Linguistic properties of multi-word passphrases. In: Blyth, J., Dietrich, S., Camp, L.J. (eds.) FC 2012. LNCS, vol. 7398, pp. 1–12. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34638-5_1
Burnett, M.: Today I am releasing ten million passwords, February 2015. https://xato.net/passwords/tenmillion-passwords/
Chatterjee, R., Athayle, A., Akhawe, D., Juels, A., Ristenpart, T.: pASSWORD tYPOS and how to correct them securely. In: IEEE Symposium on Security and Privacy, pp. 799–818 (2016)
Oxford Living Dictionaries: How many words are there in the English language? (2018). https://en.oxforddictionaries.com/explore/how-many-words-are-there-in-the-english-language/
Wang, D., Cheng, H., Wang, P., Yan, J., Huang, X.: A security analysis of honeywords. In: Proceedings of the 25th Annual Network and Distributed System Security Symposium (2018)
D’Orazio, C., Choo, K.K.R., Yang, L.T.: Data exfiltration from Internet of Things devices: iOS devices as case studies. IEEE Internet Things J. 4(2), 524–535 (2017)
Habib, H., et al.: Password creation in the presence of blacklists. In: Proceedings of USEC (2017)
Komanduri, S., Shay, R., Cranor, L.F., Herley, C., Schechter, S.E.: Telepathwords: preventing weak passwords by reading users’ minds. In: USENIX Security Symposium, pp. 591–606 (2014)
Krol, K., Philippou, E., De Cristofaro, E., Sasse, M.A.: “they brought in the horrible key ring thing!” analysing the usability of two-factor authentication in UK online banking. In: Symposium on NDSS Workshop on Usable Security (2015)
Leininger, H.: Libpathwell 0.6.1 released, 2015 (2015). https://blog.korelogic.com/blog/2015/07/31/libpathwell-0_6_1
Li, Z., Han, W., Xu, W.: A large-scale empirical analysis of Chinese web passwords. In: Proceedings of 23rd USENIX Security Symposium, USENIX Security, August 2014
Mazurek, M.L., et al.: Measuring password guessability for an entire university. In: Proceedings of the 20th ACM SIGSAC Conference on Computer and Communications Security, pp. 173–186. ACM (2013)
Morris, R., Thompson, K.: Password security: a case history. Commun. ACM 22(11), 594–597 (1979)
OED: Dictionary milestones: a chronology of events relevant to the history of the OED (2017). http://public.oed.com/history-of-the-oed/dictionary-milestones/
Paul: New 25 GPU monster devours passwords in seconds, December 2012. https://securityledger.com/2012/12/new-25-gpu-monster-devours-passwords-in-seconds/
Provos, N., Mazieres, D.: A future-adaptable password scheme. In: USENIX Annual Technical Conference, FREENIX Track, pp. 81–91 (1999)
Reinhold, A.G.: The diceware passphrase home page, October 2017. http://world.std.com/~reinhold/diceware.html
Schechter, S., Herley, C., Mitzenmacher, M.: Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks. In: USENIX Conference on Hot Topics in Security, pp. 1–8 (2010)
Segreti, S.M., et al.: Diversify to survive: making passwords stronger with adaptive policies. In: Symposium on Usable Privacy and Security (SOUPS) (2017)
Tazawa, H., Katoh, T., Bista, B.B., Takata, T.: A user authenticaion scheme using multiple passphrases and its arrangement. In: International Symposium on Information Theory and Its Applications (ISITA), pp. 554–559. IEEE (2010)
Walpole, R.E.: One- and two-sample tests of hypotheses. In: Probability and Statistics for Engineers and Scientists, 7 edn. Pearson (2001). Chapter 10
Wang, D., Cheng, H., Wang, P., Huang, X., Jian, G.: Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 12(11), 2776–2791 (2017)
Acknowledgement
We thank the anonymous reviewers for their constructive feedback. This work has been partly supported by National NSF of China under Grant No. 61772266, 61572248, 61431008.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Shen, J., Choo, KK.R., Zeng, Q. (2019). Multi-item Passphrases: A Self-adaptive Approach Against Offline Guessing Attacks. In: Breitinger, F., Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 259. Springer, Cham. https://doi.org/10.1007/978-3-030-05487-8_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-05487-8_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05486-1
Online ISBN: 978-3-030-05487-8
eBook Packages: Computer ScienceComputer Science (R0)