Revisiting Defenses against Large-Scale Online Password Guessing Attacks

Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on dependable and secure computing 2012-01, Vol.9 (1), p.128-141
Main Authors: Alsaleh, M., Mannan, M., van Oorschot, P. C.
Format: Article
Language:English
Subjects:
Access protocols
Analysis
ATTs
Authentication
Automation
Browsers
brute force attacks
Computer networks
Computer security
Datasets
Dictionaries
Digital Object Identifier
Hackers
IP networks
Network security
Online password guessing attacks
password dictionary
Passwords
Proposals
Protocol
Protocols
Studies
Usability
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address large-scale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals.
ISSN:1545-5971
1941-0018
DOI:10.1109/TDSC.2011.24