13
views
0
recommends
+1 Recommend
0 collections
    0
    shares
      • Record: found
      • Abstract: found
      • Article: found
      Is Open Access

      Information Signaling: A Counter-Intuitive DefenseAgainst Password Cracking

      Preprint
      , ,

      Read this article at

      Bookmark
          There is no author summary for this article yet. Authors can add summaries to their articles on ScienceOpen to make them more accessible to a non-specialist audience.

          Abstract

          We introduce password strength information signaling as a novel, yet counter-intuitive, defense against password cracking attacks. Recent breaches have exposed billions of user passwords to the dangerous threat of offline password cracking attacks. An offline attacker can quickly check millions (or sometimes billions/trillions) of password guesses by comparing their hash value with the stolen hash from a breached authentication server. The attacker is limited only by the resources he is willing to invest. Our key idea is to have the authentication server store a (noisy) signal about the strength of each user password for an offline attacker to find. Surprisingly, we show that the noise distribution for the signal can often be tuned so that a rational (profit-maximizing) attacker will crack {\em fewer} passwords. The signaling scheme exploits the fact that password cracking is not a zero-sum game i.e., the attacker's profit is given by the value of the cracked passwords {\em minus} the total guessing cost. Thus, a well-defined signaling strategy will encourage the attacker to reduce his guessing costs by cracking fewer passwords. We give a (heuristic) algorithm to compute the optimal signaling scheme for a defender. As a proof-of-concept, we evaluate our mechanism on several empirical password datasets and show that it can reduce the total number of cracked passwords by \(\approx 10\%\) of all users.

          Related collections

          Author and article information

          Journal
          21 September 2020
          Article
          2009.10060
          f3ca5460-48b7-480b-8b00-193456ee1c9e

          http://arxiv.org/licenses/nonexclusive-distrib/1.0/

          History
          Custom metadata
          19 pages, 5 figures, 5 algorithms
          cs.CR cs.GT

          Theoretical computer science,Security & Cryptology
          Theoretical computer science, Security & Cryptology

          Comments

          Comment on this article