Title: CSPS: catchy short passwords making offline and online attacks impossible

Authors: Jaryn Shen; Qingkai Zeng

Addresses: State Key Laboratory for Novel Software Technology, and Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China ' State Key Laboratory for Novel Software Technology, and Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China

Abstract: This paper proposes to address online and offline attacks to passwords without increasing users' efforts in choosing and memorising their passwords. In CSPS, a password consists of two parts, a user-chosen short password and a server-generated long password. The short password should be memorised and secured by its user while the long password be encrypted and stored on the server side. To keep the secret key for protecting the long password secure, an additional sever is introduced to store the secret key and provide encryption/decryption services. On top of balloon, CSPS integrates expensive hash with secure encryption. It is mathematically proved that computationally unbounded attackers cannot succeed in offline dictionary or brute-force attacks or a combination of offline and online attacks. The criteria of security are established, which quantifies the security. To our best knowledge, CSPS is the first technique to make security quantifiable in password authentication mechanisms.

Keywords: password; attack; password-guessing; authentication; balloon hashing; hash function; encryption; web service.

DOI: 10.1504/IJICS.2019.099434

International Journal of Information and Computer Security, 2019 Vol.11 No.3, pp.255 - 274

Available online: 10 Apr 2019 *

Full-text access for editors Access for subscribers Purchase this article Comment on this article