Revisiting defenses against large-scale online password guessing attacks

IEEE Transactions on Dependable and Secure Computing

Volumn 9, Issue 1, 2012, Pages 128-141

  Alsaleh, Mansour ^a   Mannan, Mohammad ^b   Van Oorschot, Paul C ^a  

^a CARLETON UNIVERSITY   (Canada)

^b Concordia University ^*  (Canada)

Author keywords

ATTs; brute force attacks; Online password guessing attacks; password dictionary

Indexed keywords

COMPUTER CRIME; NETWORK SECURITY;

ATTS; BRUTE-FORCE ATTACK; DICTIONARY ATTACK; LEGITIMATE USERS; ONLINE DICTIONARY ATTACKS; PASSWORD GUESSING; PASSWORD GUESSING ATTACK; TURING TESTS;

AUTHENTICATION;

EID: 81455139721     PISSN: 15455971     EISSN: None     Source Type: Journal    
DOI: 10.1109/TDSC.2011.24     Document Type: Article

References (28)

1. Amazon Mechanical Turk. https://www.mturk.com/mturk/, June 2010.
2. S.M. Bellovin, "A Technique for Counting Natted Hosts," Proc. ACM SIGCOMM Workshop Internet Measurement, pp. 267-272, 2002.
3. E. Bursztein, S. Bethard, J.C. Mitchell, D. Jurafsky, and C. Fabry, "How Good Are Humans at Solving CAPTCHAs? A Large Scale Evaluation," Proc. IEEE Symp. Security and Privacy, May 2010.
4. M. Casado and M.J. Freedman, "Peering through the Shroud: The Effect of Edge Opacity on Ip-Based Client Identification," Proc. Fourth USENIX Symp. Networked Systems Design and Implementation (NDSS '07), 2007.
5. S. Chiasson, P.C. van Oorschot, and R. Biddle, "A Usability Study and Critique of Two Password Managers," Proc. USENIX Security Symp., pp. 1-16, 2006.
6. D. Florencio, C. Herley, and B. Coskun, "Do Strong Web Passwords Accomplish Anything?," Proc. USENIX Workshop Hot Topics in Security (HotSec '07), pp. 1-6, 2007.
7. K. Fu, E. Sit, K. Smith, and N. Feamster, "Dos and Don'ts of Client Authentication on the Web," Proc. USENIX Security Symp., pp. 251-268, 2001.
8. P. Hansteen, "Rickrolled? Get Ready for the Hail Mary Cloud!," http://bsdly.blogspot.com/2009/11/rickrolled-get-ready-forhail-mary.html, Feb. 2010.
9. Y. He and Z. Han, "User Authentication with Provable Security against Online Dictionary Attacks," J. Networks, vol. 4, no. 3, pp. 200-207, May 2009.
10. T. Kohno, A. Broido, and K.C. Claffy, "Remote Physical Device Fingerprinting," Proc. IEEE Symp. Security and Privacy, pp. 211-225, 2005. (Pubitemid 41543657)
11. M. Motoyama, K. Levchenko, C. Kanich, D. Mccoy, G.M. Voelker, and S. Savage, "Re: CAPTCHAs Understanding CAPTCHASolving Services in an Economic Context," Proc. USENIX Security Symp., Aug. 2010.
12. C. Namprempre and M.N. Dailey, "Mitigating Dictionary Attacks with Text-Graphics Character Captchas," IEICE Trans. Fundamentals of Electronics, Comm. and Computer Sciences, vol. E90-A, no. 1, pp. 179-186, 2007. (Pubitemid 46145220)
13. A. Narayanan and V. Shmatikov, "Fast Dictionary Attacks on Human-Memorable Passwords Using Time-Space Tradeoff," Proc. ACM Computer and Comm. Security (CCS '05), pp. 364-372, Nov. 2005. (Pubitemid 44022019)
14. Nat'l Inst. of Standards and Technology (NIST), Hashbelt. http://www.itl.nist.gov/div897/sqg/dads/HTML/hashbelt.html, Sept. 2010.
15. "The Biggest Cloud on the Planet Is Owned by . the Crooks," NetworkWorld.com., http://www.networkworld.com/community/node/58829, Mar. 2010.
16. J. Nielsen, "Stop Password Masking," http://www.useit.com/ alertbox/passwords.html, June 2009.
17. B. Pinkas and T. Sander, "Securing Passwords against Dictionary Attacks," Proc. ACM Conf. Computer and Comm. Security (CCS '02), pp. 161-170, Nov. 2002.
18. D. Ramsbrock, R. Berthier, and M. Cukier, "Profiling Attacker Behavior following SSH Compromises," Proc. 37th Ann. IEEE/IFIP Int'l Conf. Dependable Systems and Networks (DSN '07), pp. 119-124, June 2007. (Pubitemid 350080416)
19. SANS.org, "Important Information: Distributed SSH Brute Force Attacks," SANS Internet Storm Center Handler's Diary, http://isc.sans.edu/ diary.html?storyid=9034, June 2010.
20. "The Top Cyber Security Risks," SANS.org, http://www.sans. org/top-cyber-security-risks/, Sept. 2009.
21. C. Stoll, The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage. Doubleday, 1989.
22. "Botnet Pierces Microsoft Live through Audio Captchas," TheRegister.co.uk, http://www.theregister.co.uk/2010/03/22/microsoft-live- captcha-by pass/, Mar. 2010.
23. P.C. van Oorschot and S. Stubblebine, "On Countering Online Dictionary Attacks with Login Histories and Humans-in-the-Loop," ACM Trans. Information and System Security, vol. 9, no. 3, pp. 235-258, 2006. (Pubitemid 44728674)
24. L. von Ahn, M. Blum, N. Hopper, and J. Langford, "CAPTCHA: Using Hard AI Problems for Security," Proc. Eurocrypt, pp. 294-311, May 2003.
25. M. Weir, S. Aggarwal, M. Collins, and H. Stern, "Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords," Proc. 17th ACM Conf. Computer and Comm. Security, pp. 162-175, 2010.
26. Y. Xie, F. Yu, K. Achan, E. Gillum, M. Goldszmidt, and T. Wobber, "How Dynamic Are IP Addresses?," SIGCOMM Computer Comm. Rev., vol. 37, no. 4, pp. 301-312, 2007. (Pubitemid 350239793)
27. J. Yan and A.S.E. Ahmad, "A Low-Cost Attack on a Microsoft CAPTCHA," Proc. ACM Computer and Comm. Security (CCS '08), pp. 543-554, Oct. 2008.
28. J. Yan and A.S.E. Ahmad, "Usability of CAPTCHAs or Usability Issues in CAPTCHA Design," Proc. Symp. Usable Privacy and Security (SOUPS '08), pp. 44-52, July 2008.