Title: Delayed password disclosure

Authors: Markus Jakobsson, Steven Myers

Addresses: Palo Alto Research Center, 3333 Coyote Hill Road, Palo Alto, CA 94303, USA; School of Informatics, Indiana University, Bloomington, IN, USA

Abstract: We present a new authentication protocol called Delayed Password Disclosure (DPD). Built on the traditional username and password paradigm, the protocol aims to reduce the effectiveness of the phishing/spoofing attacks that are becoming increasingly problematic for Internet users. It does so by giving the user dynamic feedback as the password is entered, one character at a time. Although feedback during password entry is a practice the cryptographic community would normally frown upon, we argue that it may yield more effective security than the currently proposed 'cryptographically acceptable' alternatives. The protocol cannot prevent partial disclosure of one's password to a phisher, but it gives the user the tools needed to recognise an ongoing phishing attack and to stop before the entire password is disclosed, providing graceful security degradation.
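The graceful-degradation property described above, modelled in a short added example. This is illustrative code written for this page, not the paper's protocol: DPD is built on oblivious transfer and password-authenticated key exchange (see the keywords), whereas this toy replaces that machinery with an assumed keyed PRF (HMAC-SHA256) that maps each typed prefix to one of a fixed set of feedback images. The image labels, the server and phisher secrets, and the password are all constructed for the example.

```python
"""Toy model of prefix-wise password feedback (illustrative only; this is
not the DPD protocol from the paper, which uses oblivious transfer so the
server never sees the partial password in the clear)."""
import hashlib
import hmac
from typing import Callable, List, Tuple

# Constructed: stand-ins for the recognisable images a user would memorise.
IMAGES = ["anchor", "bicycle", "cactus", "dolphin",
          "eagle", "falcon", "guitar", "harp"]

# Constructed secrets; the phisher does not know SERVER_SECRET.
SERVER_SECRET = b"server-side feedback key (constructed)"
PHISHER_SECRET = b"phisher guess (constructed)"


def feedback(secret: bytes, prefix: str) -> str:
    """Image shown after the user has typed `prefix`.

    Assumed model: a keyed PRF over the prefix, so without `secret`
    nobody can predict the image the genuine server will show.
    """
    tag = hmac.new(secret, prefix.encode(), hashlib.sha256).digest()
    return IMAGES[tag[0] % len(IMAGES)]


def expected_sequence(secret: bytes, password: str) -> List[str]:
    """Images the user learns to expect for each prefix of the password."""
    return [feedback(secret, password[:i]) for i in range(1, len(password) + 1)]


def enter_password(password: str, expected: List[str],
                   respond: Callable[[str], str]) -> Tuple[bool, int]:
    """Type the password one character at a time, checking the peer's
    feedback after each keystroke.

    Returns (completed, characters_disclosed). Entry stops at the first
    image the user does not recognise, so a wrong peer only ever learns
    the prefix typed up to that point (graceful degradation).
    """
    typed = ""
    for ch, want in zip(password, expected):
        typed += ch
        if respond(typed) != want:
            return False, len(typed)
    return True, len(typed)


def simulate(password: str) -> dict:
    """Run the same entry against the genuine server and against a phisher
    who must guess the feedback without the server's secret."""
    expected = expected_sequence(SERVER_SECRET, password)
    genuine = enter_password(password, expected,
                             lambda p: feedback(SERVER_SECRET, p))
    phisher = enter_password(password, expected,
                             lambda p: feedback(PHISHER_SECRET, p))
    return {"genuine": genuine, "phisher": phisher}


if __name__ == "__main__":
    print(simulate("correct horse battery"))
```

Against the genuine server every image matches and entry completes; against the phisher the user stops at the first unfamiliar image, so only that many characters leak. With eight images each guessed step succeeds with probability 1/8, which is where the "partial disclosure" caveat in the abstract comes from; a phisher that relays keystrokes to the real server in real time is outside this toy model.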

Keywords: decisional Diffie-Hellman; static Diffie-Hellman; doppelganger; oblivious transfer; password authenticated key exchange; PAKE; phishing; secure user interfaces; delayed password disclosure; authentication protocols; spoofing attacks; applied cryptography; security degradation.

DOI: 10.1504/IJACT.2008.017051

International Journal of Applied Cryptography, 2008 Vol.1 No.1, pp.47 - 59

Published online: 06 Feb 2008
