Hashed Password

14,000,000 Leading Edge Experts on the ideXlab platform

Scan Science and Technology

Contact Leading Edge Experts & Companies

Scan Science and Technology

Contact Leading Edge Experts & Companies

The Experts below are selected from a list of 69 Experts worldwide ranked by ideXlab platform

Eugene H. Spafford - One of the best experts on this subject based on the ideXlab platform.

  • inhibiting and detecting offline Password cracking using ersatzPasswords
    ACM Transactions on Privacy and Security (TOPS), 2016
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Eugene H. Spafford, Mikhail J. Atallah, Jeff Avery
    Abstract:

    In this work, we present a simple, yet effective and practical scheme to improve the security of stored Password hashes, increasing the difficulty to crack Passwords and exposing cracking attempts. We utilize a hardware-dependent function (HDF), such as a physically unclonable function (PUF) or a hardware security module (HSM), at the authentication server to inhibit offline Password discovery. Additionally, a deception mechanism is incorporated to alert administrators of cracking attempts. Using an HDF to generate Password hashes hinders attackers from recovering the true Passwords without constant access to the HDF. Our scheme can integrate with legacy systems without needing additional servers, changing the structure of the Hashed Password file, nor modifying client machines. When using our scheme, the structure of the Hashed Passwords file, e.g., etc/shadow or etc/master.passwd, will appear no different than traditional Hashed Password files.1 However, when attackers exfiltrate the Hashed Password file and attempt to crack it, the Passwords they will receive are ErsatzPasswords—“fake Passwords.” The ErsatzPasswords scheme is flexible by design, enabling it to be integrated into existing authentication systems without changes to user experience. The proposed scheme is integrated into the pam_unix module as well as two client/server authentication schemes: Lightweight Directory Access Protocol (LDAP) authentication and the Pythia pseudorandom function (PRF) Service [Everspaugh et al. 2015]. The core library to support ErsatzPasswords written in C and Python consists of 255 and 103 lines of code, respectively. The integration of ErsatzPasswords into each explored authentication system required less than 100 lines of additional code. Experimental evaluation of ErsatzPasswords shows an increase in authentication latency on the order of 100ms, which maybe acceptable for real world systems. We also describe a framework for implementing ErsatzPasswords using a Trusted Platform Module (TPM).

  • ersatzPasswords ending Password cracking and detecting Password leakage
    Annual Computer Security Applications Conference, 2015
    Co-Authors: Mohammed H Almeshekah, Christopher N Gutierrez, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server to prevent off-site Password discovery, and a deception mechanism to alert us if such an action is attempted. Our scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system. Even with an adversary who knows about the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ersatzPasswords ending Password cracking and detecting Password leakage
    Annual Computer Security Applications Conference, 2015
    Co-Authors: Mohammed H Almeshekah, Christopher N Gutierrez, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server to prevent off-site Password discovery, and a deception mechanism to alert us if such an action is attempted. Our scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system. Even with an adversary who knows about the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ersatzPasswords ending Password cracking
    Annual Information Security Symposium, 2015
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system that someone attempted to crack the Password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ErsatzPasswords – Ending Password Cracking
    2015
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Eugene H. Spafford, Mikhail J. Atallah
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords — the “fake Passwords”. When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system that someone attempted to crack the Password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme

Mohammed H Almeshekah - One of the best experts on this subject based on the ideXlab platform.

  • inhibiting and detecting offline Password cracking using ersatzPasswords
    ACM Transactions on Privacy and Security (TOPS), 2016
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Eugene H. Spafford, Mikhail J. Atallah, Jeff Avery
    Abstract:

    In this work, we present a simple, yet effective and practical scheme to improve the security of stored Password hashes, increasing the difficulty to crack Passwords and exposing cracking attempts. We utilize a hardware-dependent function (HDF), such as a physically unclonable function (PUF) or a hardware security module (HSM), at the authentication server to inhibit offline Password discovery. Additionally, a deception mechanism is incorporated to alert administrators of cracking attempts. Using an HDF to generate Password hashes hinders attackers from recovering the true Passwords without constant access to the HDF. Our scheme can integrate with legacy systems without needing additional servers, changing the structure of the Hashed Password file, nor modifying client machines. When using our scheme, the structure of the Hashed Passwords file, e.g., etc/shadow or etc/master.passwd, will appear no different than traditional Hashed Password files.1 However, when attackers exfiltrate the Hashed Password file and attempt to crack it, the Passwords they will receive are ErsatzPasswords—“fake Passwords.” The ErsatzPasswords scheme is flexible by design, enabling it to be integrated into existing authentication systems without changes to user experience. The proposed scheme is integrated into the pam_unix module as well as two client/server authentication schemes: Lightweight Directory Access Protocol (LDAP) authentication and the Pythia pseudorandom function (PRF) Service [Everspaugh et al. 2015]. The core library to support ErsatzPasswords written in C and Python consists of 255 and 103 lines of code, respectively. The integration of ErsatzPasswords into each explored authentication system required less than 100 lines of additional code. Experimental evaluation of ErsatzPasswords shows an increase in authentication latency on the order of 100ms, which maybe acceptable for real world systems. We also describe a framework for implementing ErsatzPasswords using a Trusted Platform Module (TPM).

  • ersatzPasswords ending Password cracking and detecting Password leakage
    Annual Computer Security Applications Conference, 2015
    Co-Authors: Mohammed H Almeshekah, Christopher N Gutierrez, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server to prevent off-site Password discovery, and a deception mechanism to alert us if such an action is attempted. Our scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system. Even with an adversary who knows about the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ersatzPasswords ending Password cracking and detecting Password leakage
    Annual Computer Security Applications Conference, 2015
    Co-Authors: Mohammed H Almeshekah, Christopher N Gutierrez, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server to prevent off-site Password discovery, and a deception mechanism to alert us if such an action is attempted. Our scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system. Even with an adversary who knows about the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ersatzPasswords ending Password cracking
    Annual Information Security Symposium, 2015
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system that someone attempted to crack the Password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ErsatzPasswords – Ending Password Cracking
    2015
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Eugene H. Spafford, Mikhail J. Atallah
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords — the “fake Passwords”. When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system that someone attempted to crack the Password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme

Christopher N Gutierrez - One of the best experts on this subject based on the ideXlab platform.

  • inhibiting and detecting offline Password cracking using ersatzPasswords
    ACM Transactions on Privacy and Security (TOPS), 2016
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Eugene H. Spafford, Mikhail J. Atallah, Jeff Avery
    Abstract:

    In this work, we present a simple, yet effective and practical scheme to improve the security of stored Password hashes, increasing the difficulty to crack Passwords and exposing cracking attempts. We utilize a hardware-dependent function (HDF), such as a physically unclonable function (PUF) or a hardware security module (HSM), at the authentication server to inhibit offline Password discovery. Additionally, a deception mechanism is incorporated to alert administrators of cracking attempts. Using an HDF to generate Password hashes hinders attackers from recovering the true Passwords without constant access to the HDF. Our scheme can integrate with legacy systems without needing additional servers, changing the structure of the Hashed Password file, nor modifying client machines. When using our scheme, the structure of the Hashed Passwords file, e.g., etc/shadow or etc/master.passwd, will appear no different than traditional Hashed Password files.1 However, when attackers exfiltrate the Hashed Password file and attempt to crack it, the Passwords they will receive are ErsatzPasswords—“fake Passwords.” The ErsatzPasswords scheme is flexible by design, enabling it to be integrated into existing authentication systems without changes to user experience. The proposed scheme is integrated into the pam_unix module as well as two client/server authentication schemes: Lightweight Directory Access Protocol (LDAP) authentication and the Pythia pseudorandom function (PRF) Service [Everspaugh et al. 2015]. The core library to support ErsatzPasswords written in C and Python consists of 255 and 103 lines of code, respectively. The integration of ErsatzPasswords into each explored authentication system required less than 100 lines of additional code. Experimental evaluation of ErsatzPasswords shows an increase in authentication latency on the order of 100ms, which maybe acceptable for real world systems. We also describe a framework for implementing ErsatzPasswords using a Trusted Platform Module (TPM).

  • ersatzPasswords ending Password cracking and detecting Password leakage
    Annual Computer Security Applications Conference, 2015
    Co-Authors: Mohammed H Almeshekah, Christopher N Gutierrez, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server to prevent off-site Password discovery, and a deception mechanism to alert us if such an action is attempted. Our scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system. Even with an adversary who knows about the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ersatzPasswords ending Password cracking and detecting Password leakage
    Annual Computer Security Applications Conference, 2015
    Co-Authors: Mohammed H Almeshekah, Christopher N Gutierrez, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server to prevent off-site Password discovery, and a deception mechanism to alert us if such an action is attempted. Our scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system. Even with an adversary who knows about the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ersatzPasswords ending Password cracking
    Annual Information Security Symposium, 2015
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system that someone attempted to crack the Password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ErsatzPasswords – Ending Password Cracking
    2015
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Eugene H. Spafford, Mikhail J. Atallah
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords — the “fake Passwords”. When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system that someone attempted to crack the Password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme

Mikhail J. Atallah - One of the best experts on this subject based on the ideXlab platform.

  • inhibiting and detecting offline Password cracking using ersatzPasswords
    ACM Transactions on Privacy and Security (TOPS), 2016
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Eugene H. Spafford, Mikhail J. Atallah, Jeff Avery
    Abstract:

    In this work, we present a simple, yet effective and practical scheme to improve the security of stored Password hashes, increasing the difficulty to crack Passwords and exposing cracking attempts. We utilize a hardware-dependent function (HDF), such as a physically unclonable function (PUF) or a hardware security module (HSM), at the authentication server to inhibit offline Password discovery. Additionally, a deception mechanism is incorporated to alert administrators of cracking attempts. Using an HDF to generate Password hashes hinders attackers from recovering the true Passwords without constant access to the HDF. Our scheme can integrate with legacy systems without needing additional servers, changing the structure of the Hashed Password file, nor modifying client machines. When using our scheme, the structure of the Hashed Passwords file, e.g., etc/shadow or etc/master.passwd, will appear no different than traditional Hashed Password files.1 However, when attackers exfiltrate the Hashed Password file and attempt to crack it, the Passwords they will receive are ErsatzPasswords—“fake Passwords.” The ErsatzPasswords scheme is flexible by design, enabling it to be integrated into existing authentication systems without changes to user experience. The proposed scheme is integrated into the pam_unix module as well as two client/server authentication schemes: Lightweight Directory Access Protocol (LDAP) authentication and the Pythia pseudorandom function (PRF) Service [Everspaugh et al. 2015]. The core library to support ErsatzPasswords written in C and Python consists of 255 and 103 lines of code, respectively. The integration of ErsatzPasswords into each explored authentication system required less than 100 lines of additional code. Experimental evaluation of ErsatzPasswords shows an increase in authentication latency on the order of 100ms, which maybe acceptable for real world systems. We also describe a framework for implementing ErsatzPasswords using a Trusted Platform Module (TPM).

  • ersatzPasswords ending Password cracking and detecting Password leakage
    Annual Computer Security Applications Conference, 2015
    Co-Authors: Mohammed H Almeshekah, Christopher N Gutierrez, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server to prevent off-site Password discovery, and a deception mechanism to alert us if such an action is attempted. Our scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system. Even with an adversary who knows about the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ersatzPasswords ending Password cracking and detecting Password leakage
    Annual Computer Security Applications Conference, 2015
    Co-Authors: Mohammed H Almeshekah, Christopher N Gutierrez, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes, rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server to prevent off-site Password discovery, and a deception mechanism to alert us if such an action is attempted. Our scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system. Even with an adversary who knows about the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ersatzPasswords ending Password cracking
    Annual Information Security Symposium, 2015
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Mikhail J. Atallah, Eugene H. Spafford
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords --- the "fake Passwords". When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system that someone attempted to crack the Password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme.

  • ErsatzPasswords – Ending Password Cracking
    2015
    Co-Authors: Christopher N Gutierrez, Mohammed H Almeshekah, Eugene H. Spafford, Mikhail J. Atallah
    Abstract:

    In this work we present a simple, yet effective and practical, scheme to improve the security of stored Password hashes rendering their cracking detectable and insuperable at the same time. We utilize a machine-dependent function, such as a physically unclonable function (PUF) or a hardware security module (HSM) at the authentication server. The scheme can be easily integrated with legacy systems without the need of any additional servers, changing the structure of the Hashed Password file or any client modifications. When using the scheme the structure of the Hashed Passwords file, etc/shadow or etc/master.passwd, will appear no different than in the traditional scheme.1 However, when an attacker exfiltrates the Hashed Passwords file and tries to crack it, the only Passwords he will get are the ersatzPasswords — the “fake Passwords”. When an attempt to login using these ersatzPasswords is detected an alarm will be triggered in the system that someone attempted to crack the Password file. Even with an adversary who knows the scheme, cracking cannot be launched without physical access to the authentication server. The scheme also includes a secure backup mechanism in the event of a failure of the hardware dependent function. We discuss our implementation and provide some discussion in comparison to the traditional authentication scheme

Kiran A. B - One of the best experts on this subject based on the ideXlab platform.

Hashed Password - 15 days free trial to Access Experts & Abstracts