Corpus ID: 5033043

Human Computable Passwords

  title={Human Computable Passwords},
  author={Jeremiah Blocki and Manuel Blum and Anupam Datta},
An interesting challenge for the cryptography community is to design authentication protocols that are so simple that a human can execute them without relying on a fully trusted computer. We propose several candidate authentication protocols for a setting in which the human user can only receive assistance from a semi-trusted computer --- a computer that stores information and performs computations correctly but does not provide confidentiality. Our schemes use a semi-trusted computer to store… Expand
Towards Human Computable Passwords
The general hypercontractivity theorem is applied to lower bound the statistical dimension of the distribution over challenge-response pairs induced by f and $\sigma$, and lower bounds apply to arbitrary functions $f $ (not just to functions that are easy for a human to evaluate). Expand
Human-Usable Password Schemas: Beyond Information-Theoretic Security
It is proved for several specific schemas that a computer is no worse off than an infinite adversary and that it can successfully extract all information from leaked challenges and their respective responses, known as challenge-response pairs. Expand
Usable Human Authentication: A Quantitative Treatment
The thesis is that user models and security models can guide the development of password management schemes with analyzable usability and security properties and introduces Naturally Rehearsing Password schemes and Human Computable Password schemes, which leverage human capabilities for simple arithmetic operations. Expand
On the Economics of Offline Password Cracking
It is advocated that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the useof non-memory hard functions such as BCRYPT or PBKDF2. Expand
When are identification protocols with sparse challenges safe? The case of the Coskun and Herley attack
An analytical estimate of the number of challenge-response pairs required by an eavesdropper to find the secret through the Coskun and Herley attack is shown, to help protocol designers to choose safe parameter sizes for identification protocols that employ sparse challenges. Expand
Human Computable Passwords - Design and Analysis.
The conclusion from the experiment was that failure rates are indeed an important usability factor which should be investigated more thoroughly, as it may limit the scheme severely. Expand
A Neural Attack Model for Cracking Passwords in Adversarial Environments
This work presents a neural network-based attack model, which consists of a feature extraction model and a prediction model, and proposes a risk alert system based on the attack model that can issue a timely warning notice when the password in use is at high security risk. Expand
On the Security and Usability of Segment-based Visual Cryptographic Authentication Protocols
This work studies the security and usability of segment-based visual cryptographic authentication protocols (SVAPs), which include PassWindow as a special case, and finds that the protocol that offers the best security has the poorest usability. Expand
Making Code Voting Secure Against Insider Threats Using Unconditionally Secure MIX Schemes and Human PSMT Protocols
An unconditionally secure MIX based on the combinatorics of set systems is introduced, using PSMT protocols SCN 2012 where with the help of visual aids, humans can carry out mod10 addition correctly with a 99i¾?% degree of accuracy. Expand
Usability of Humanly Computable Passwords
This work presents the first usability study of humanly computable password strategies, involving a learning phase (to learn a password strategy), then a rehearsal phase, then a login to a few websites, and multiple follow-up tests. Expand


Mitigating Dictionary Attacks on Password-Protected Local Storage
This work proposes an approach for limiting off-line dictionary attacks in this setting without relying on secret storage or secure hardware, and describes a simple protocol using this approach, which raises a host of modeling and technical issues, such as new properties of human-solvable puzzles and some seemingly hard combinatorial problems. Expand
GOTCHA password hackers!
The main theorem demonstrates that GOTCHAs can be used to mitigate the threat of offline dictionary attacks against passwords by ensuring that a password cracker must receive constant feedback from a human being while mounting an attack. Expand
Candidate Indistinguishability Obfuscation and Functional Encryption for All Circuits
This work gives constructions for indistinguishability obfuscation and functional encryption that supports all polynomial-size circuits and describes a candidate construction for blurry obfuscation for $\mathbf{NC}^1$ circuits. Expand
Of passwords and people: measuring the effect of password-composition policies
A large-scale study investigates password strength, user behavior, and user sentiment across four password-composition policies, and describes the predictability of passwords by calculating their entropy, finding that a number of commonly held beliefs about password composition and strength are inaccurate. Expand
Secure Human Identification Protocols
This paper provides definitions of what they believe to be reasonable goals for secure human identification and demonstrates that existing solutions do not meet these reasonable definitions and provides solutions which demonstrate the feasibility of the security conditions attached to these definitions, but which are impractical for use by humans. Expand
Authenticating Pervasive Devices with Human Protocols
This paper analyzes a particular human-to-computer authentication protocol designed by Hopper and Blum (HB), and shows it to be practical for low-cost pervasive devices, and proves the security of the HB+ protocol against active adversaries based on the hardness of the Learning Parity with Noise (LPN) problem. Expand
Naturally Rehearsing Passwords
This work presents Shared Cues — a new scheme in which the underlying secret is strategically shared across accounts to ensure that most rehearsal requirements are satisfied naturally while simultaneously providing strong security. Expand
Stronger Password Authentication Using Browser Extensions
We describe a browser extension, PwdHash, that transparently produces a different password for each site, improving web password security and defending against password phishing and other attacks.Expand
The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords
  • Joseph Bonneau
  • Computer Science
  • 2012 IEEE Symposium on Security and Privacy
  • 2012
It is estimated that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits ofSecurity against an optimal offline dictionary attack, when compared with a uniform distribution which would provide equivalent security against different forms of guessing attack. Expand
No Plaintext Passwords
  • Abe Singer
  • Engineering, Computer Science
  • login Usenix Mag.
  • 2001
The San Diego Supercomputer Center (SDSC) has managed to eliminate plaintext password transmission, while continuing to deliver services to a widely distributed user base. Expand