Featured Research

from universities, journals, and other organizations

Ease and security of password protections improved

Date:
February 28, 2014
Source:
University of Alabama at Birmingham
Summary:
A new article proposes and tests four two-factor schemes that require servers to store a randomized hash of the passwords and a second device, such as the user’s security token or smartphone, to store a corresponding secret code.

How two-factor authentication increases security against hacking.
Credit: UAB

Passwords guard everything from our cellphones to our bank accounts, but they often present a relatively weak challenge to hackers looking for the information that passwords should protect. New research from the University of Alabama at Birmingham, in collaboration with the University of California at Irvine, proposes and tests a variety of methods that add a strong second layer of security to a password.

Related Articles


In a paper presented at the 2014 Network and Distributed Systems Security Symposium, researchers offered innovative options to improve the security of two-factor authentication systems while also ensuring the systems’ usability.

“There have been many attacks on servers that store passwords lately, such as the breaches at PayPal and LinkedIn,” said Nitesh Saxena, Ph.D., associate professor in the Department of Computer and Information Sciences and a core member of the Center for Information Assurance and Joint Forensics Research.

Many people use the same few uncomplicated passwords repeatedly, making them easy to remember. Passwords are typically stored on servers in a hashed form. Hackers can garner passwords either by an online brute-force attack, or by hacking a server with poor security and using a “dictionary” of passwords to test offline.

“A single server break-in can lead to several of a user’s accounts being compromised, because they’re using the same password in several places,” Saxena said.

Two-factor authentication schemes, such as Google Authenticator, or hardware tokens, such as RSA SecureID, use a second device to generate a temporary personal identification number, or PIN, that the user must enter along with their password. But current two-factor schemes present the same vulnerabilities to server hacks as password-only authentication, Saxena says.

“If someone hacks into the server, they could learn the passwords via an offline dictionary attack,” he said. “Learning the passwords wouldn’t compromise the second authentication factor, but the user might be using that same password elsewhere. The hacker might not be able to log into Facebook if Facebook uses two-factor authentication, but they could log into Twitter if Twitter uses the single-factor authentication using the same password.”

The paper proposes and tests four two-factor schemes that require servers to store a randomized hash of the passwords and a second device, such as the user’s security token or smartphone, to store a corresponding secret code. The paper presents these schemes at several levels of computer system bandwidth, effectively turning four schemes into 13 security options.

“Rather than requiring the user to enter both their password and a PIN generated by an app, the user could enter a password, and their smartphone could automatically send a PIN over a Bluetooth connection or through a simple QR code,” Saxena said.

Saxena and his co-authors, UAB graduate student Maliheh Shirvanian, Stanislaw Jarecki and Naveen Nathan of the University of California at Irvine, analyze each scheme in terms of security provided, usability and deployability.

The schemes are geared toward using soft tokens, like smartphones. Using smartphones to provide secret codes can give a security system the flexibility to protect several passwords with a single soft token.

“Hard tokens are traditionally used within the context of a company that needs more security,” Saxena said. “With soft tokens in play, you can use just one token, such as your smartphone, to log into different websites securely.”

However, the proposed approaches are applicable to hardware tokens too.

“With each of our proposals, you get a high level of security with the same or better level of usability than the current two-factor authentication schemes,” Shirvanian said.


Story Source:

The above story is based on materials provided by University of Alabama at Birmingham. Note: Materials may be edited for content and length.


Cite This Page:

University of Alabama at Birmingham. "Ease and security of password protections improved." ScienceDaily. ScienceDaily, 28 February 2014. <www.sciencedaily.com/releases/2014/02/140228121132.htm>.
University of Alabama at Birmingham. (2014, February 28). Ease and security of password protections improved. ScienceDaily. Retrieved November 23, 2014 from www.sciencedaily.com/releases/2014/02/140228121132.htm
University of Alabama at Birmingham. "Ease and security of password protections improved." ScienceDaily. www.sciencedaily.com/releases/2014/02/140228121132.htm (accessed November 23, 2014).

Share This


More From ScienceDaily



More Computers & Math News

Sunday, November 23, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

European Parliament Might Call For Google's Break-Up

European Parliament Might Call For Google's Break-Up

Newsy (Nov. 22, 2014) This is the latest development in an antitrust investigation accusing Google of unfairly prioritizing own products and services in search results. Video provided by Newsy
Powered by NewsLook.com
Google Announces Improvements To Balloon-Borne Wi-Fi Project

Google Announces Improvements To Balloon-Borne Wi-Fi Project

Newsy (Nov. 21, 2014) In a blog post, Google said its balloons have traveled 3 million kilometers since the start of Project Loon. Video provided by Newsy
Powered by NewsLook.com
Is Nintendo Making A Comeback With 'Super Smash Bros.'?

Is Nintendo Making A Comeback With 'Super Smash Bros.'?

Newsy (Nov. 21, 2014) Nintendo released new "Super Smash Bros." Friday, and it's getting great reviews. Could this mean a comeback for the gaming company? Video provided by Newsy
Powered by NewsLook.com
NSA Director: China Can Damage US Power Grid

NSA Director: China Can Damage US Power Grid

AP (Nov. 20, 2014) China and "one or two" other countries are capable of mounting cyberattacks that would shut down the electric grid and other critical systems in parts of the United States, according to Adm. Michael Rogers, director of the National Security Agency and hea Video provided by AP
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:

Strange & Offbeat Stories


Space & Time

Matter & Energy

Computers & Math

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins