Login | Register

Revisiting Defenses against Large-Scale Online Password Guessing Attacks


Revisiting Defenses against Large-Scale Online Password Guessing Attacks

Alsaleh, M., Mannan, Mohammad and van Oorschot, P. C. (2012) Revisiting Defenses against Large-Scale Online Password Guessing Attacks. IEEE Transactions on Dependable and Secure Computing, 9 (1). pp. 128-141. ISSN 1545-5971

[thumbnail of mannan2012.pdf]
Text (application/pdf)
mannan2012.pdf - Accepted Version

Official URL: http://dx.doi.org/10.1109/TDSC.2011.24


Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address largescale online dictionary attacks (e.g., from a botnet of hundreds f thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals.

Divisions:Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type:Article
Authors:Alsaleh, M. and Mannan, Mohammad and van Oorschot, P. C.
Journal or Publication:IEEE Transactions on Dependable and Secure Computing
Digital Object Identifier (DOI):10.1109/TDSC.2011.24
Keywords:Online password guessing attacks, brute force attacks, password dictionary, ATTs
ID Code:976807
Deposited By: Danielle Dennie
Deposited On:28 Jan 2013 14:02
Last Modified:18 Jan 2018 17:43


[1] Amazon Mechanical Turk. https://www.mturk.com/mturk/,
June 2010.
[2] S.M. Bellovin, “A Technique for Counting Natted Hosts,” Proc. ACM SIGCOMM Workshop Internet Measurement, pp. 267-272, 2002.
[3] E. Bursztein, S. Bethard, J.C. Mitchell, D. Jurafsky, and C. Fabry, “How Good Are Humans at Solving CAPTCHAs? A
Large Scale Evaluation,” Proc. IEEE Symp. Security and Privacy, May 2010.
[4] M. Casado and M.J. Freedman, “Peering through the Shroud: The Effect of Edge Opacity on Ip-Based Client Identification,” Proc. Fourth USENIX Symp. Networked Systems Design and Implementation (NDSS ’07), 2007.
[5] S. Chiasson, P.C. van Oorschot, and R. Biddle, “A Usability Study and Critique of Two Password Managers,” Proc. USENIX Security Symp., pp. 1-16, 2006.
[6] D. Florencio, C. Herley, and B. Coskun, “Do Strong Web Passwords Accomplish Anything?,” Proc. USENIX Workshop Hot Topics in Security (HotSec ’07), pp. 1-6, 2007.
[7] K. Fu, E. Sit, K. Smith, and N. Feamster, “Dos and Don’ts of Client Authentication on the Web,” Proc. USENIX Security Symp., pp. 251-268, 2001.
[8] P. Hansteen, “Rickrolled? Get Ready for the Hail Mary Cloud!,” http://bsdly.blogspot.com/2009/11/rickrolled-get-ready-forhail- mary.html, Feb. 2010.
[9] Y. He and Z. Han, “User Authentication with Provable Security against Online Dictionary Attacks,” J. Networks, vol. 4, no. 3, pp. 200-207, May 2009.
[10] T. Kohno, A. Broido, and K.C. Claffy, “Remote Physical Device Fingerprinting,” Proc. IEEE Symp. Security and Privacy, pp. 211-225, 2005.
[11] M. Motoyama, K. Levchenko, C. Kanich, D. Mccoy, G.M. Voelker, and S. Savage, “Re: CAPTCHAs Understanding CAPTCHASolving Services in an Economic Context,” Proc. USENIX Security Symp., Aug. 2010.
[12] C. Namprempre and M.N. Dailey, “Mitigating Dictionary Attacks with Text-Graphics Character Captchas,” IEICE Trans. Fundamentals of Electronics, Comm. and Computer Sciences, vol. E90-A, no. 1, pp. 179-186, 2007.
[13] A. Narayanan and V. Shmatikov, “Fast Dictionary Attacks on Human-Memorable Passwords Using Time-Space Tradeoff,” Proc. ACM Computer and Comm. Security (CCS ’05), pp. 364-372, Nov. 2005.
[14] Nat’l Inst. of Standards and Technology (NIST), Hashbelt. http://www.itl.nist.gov/div897/sqg/dads/HTML/hashbelt.html, Sept. 2010.
[15] “The Biggest Cloud on the Planet Is Owned by ... the
Crooks,” NetworkWorld.com., http://www.networkworld.com/community/node/58829, Mar. 2010.
[16] J. Nielsen, “Stop Password Masking,” http://www.useit.com/alertbox/passwords.html, June 2009.
[17] B. Pinkas and T. Sander, “Securing Passwords against Dictionary Attacks,” Proc. ACM Conf. Computer and Comm. Security (CCS ’02), pp. 161-170, Nov. 2002.
[18] D. Ramsbrock, R. Berthier, and M. Cukier, “Profiling Attacker Behavior following SSH Compromises,” Proc. 37th Ann. IEEE/IFIP Int’l Conf. Dependable Systems and Networks (DSN ’07), pp. 119-124, June 2007.
[19] SANS.org, “Important Information: Distributed SSH Brute Force Attacks,” SANS Internet Storm Center Handler’s Diary, http://isc.sans.edu/diary.html?storyid=9034, June 2010.
[20] “The Top Cyber Security Risks,” SANS.org, http://www.sans.org/top-cyber-security-risks/, Sept. 2009.
[21] C. Stoll, The Cuckoo’s Egg: Tracking a Spy through the Maze of Computer Espionage. Doubleday, 1989.
[22] “Botnet Pierces Microsoft Live through Audio Captchas,”
TheRegister.co.uk, http://www.theregister.co.uk/2010/03/22/microsoft_live_captcha_by pass/, Mar. 2010.
[23] P.C. van Oorschot and S. Stubblebine, “On Countering Online Dictionary Attacks with Login Histories and Humans-in-the-Loop,” ACM Trans. Information and System Security, vol. 9, no. 3, pp. 235-258, 2006.
[24] L. von Ahn, M. Blum, N. Hopper, and J. Langford, “CAPTCHA:Using Hard AI Problems for Security,” Proc. Eurocrypt, pp. 294- 311, May 2003.
[25] M. Weir, S. Aggarwal, M. Collins, and H. Stern, “Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords,” Proc. 17th ACM Conf. Computer and Comm. Security, pp. 162-175, 2010.
[26] Y. Xie, F. Yu, K. Achan, E. Gillum, M. Goldszmidt, and T. Wobber, “How Dynamic Are IP Addresses?,” SIGCOMM Computer Comm. Rev., vol. 37, no. 4, pp. 301-312, 2007.
[27] J. Yan and A.S.E. Ahmad, “A Low-Cost Attack on a Microsoft CAPTCHA,” Proc. ACM Computer and Comm. Security (CCS ’08), pp. 543-554, Oct. 2008.
[28] J. Yan and A.S.E. Ahmad, “Usability of CAPTCHAs or Usability Issues in CAPTCHA Design,” Proc. Symp. Usable Privacy and Security (SOUPS ’08), pp. 44-52, July 2008.
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.

Repository Staff Only: item control page

Downloads per month over past year

Research related to the current document (at the CORE website)
- Research related to the current document (at the CORE website)
Back to top Back to top