Protecting poorly chosen secrets from guessing attacks

L Gong, MA Lomas, RM Needham, JH Saltzer
IEEE Journal on Selected Areas in Communications, 1993 - ieeexplore.ieee.org
In a security system that allows people to choose their own passwords, people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems. Instead of forcing users to choose secrets that are likely to be difficult for them to remember, solutions that maintain user convenience and a high level of security at the same time are proposed. The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an offline verification of whether a guess is successful or not. Common forms of guessing attacks are examined, examples of cryptographic protocols that are immune to such attacks are developed, and a systematic way to examine protocols to detect vulnerabilities to such attacks is suggested.