Corpus ID: 17035799

On The Security Evaluation of Partial Password Implementations

@article{Mourouzis2017OnTS,
  title={On The Security Evaluation of Partial Password Implementations},
  author={Theodosis Mourouzis and Marcin W{\'o}jcik and Nikos Komninos},
  journal={ArXiv},
  year={2017},
  volume={abs/1701.00104}
}
A partial password is a mode of password-based authentication that is widely used, especially in the financial sector. It is based on a challenge-response protocol in which, at each login attempt, the user is presented with a challenge requesting the characters at randomly selected positions of a pre-shared secret. This mode can be seen as a “cheap way” of preventing, for example, malware or a keylogger installed on a user’s device from learning the full password in a single step. Despite the…

Partial Password Authentication using Vector Decomposition

The proposed scheme is based on a two-party protocol for securely evaluating a 2DNF formula in higher-dimensional vector spaces using the vector decomposition problem, and it permits the user to enter arbitrary characters of the actual password in random order.

A Shoulder-Surfing Resistant Scheme Embedded in Traditional Passwords

A shoulder-surfing resistant scheme embedded in traditional textual passwords is proposed; it achieves a similar level of accuracy while requiring only marginal additional time to authenticate users.

Guessing PINs, One Partial PIN at a Time

This paper suggests several strategies for guessing the PIN under the assumption that the organisation assigns PINs randomly and requests random positions from the PIN at each login, and finds that the most effective strategies have a reasonable chance of recovering a PIN in tens to hundreds of guesses.

References

"Give Me Letters 2, 3 and 6!": Partial Password Implementations and Attacks

This paper surveys a number of online banking implementations of partial passwords, and investigates the security of the mechanism, looking at guessing attacks with a projection dictionary ranked by likelihood, and recording attacks which use previous information collected by an attacker.

A survey of password mechanisms: Weaknesses and potential improvements. Part 1

The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords

Joseph Bonneau. 2012 IEEE Symposium on Security and Privacy, 2012.

It is estimated that passwords provide fewer than 10 bits of security against an online, trawling attack, and only about 20 bits of security against an optimal offline dictionary attack, when compared with a uniform distribution which would provide equivalent security against different forms of guessing attack.

Practical Human-Machine Identification over Insecure Channels

This paper develops a new scheme for human-machine identification that improves upon some of the previously proposed human-machine identification schemes and presents a vigorous security analysis of the scheme.

On the security and usability of dual credential authentication in UK online banking

Mike Just, D. Aspinall. 2012 International Conference for Internet Technology and Secured Transactions, 2012.

This paper presents the results of a security and usability review of the authentication implementations used by more than 10 UK banks. Our focus is on their use of dual text credentials that combine

Making Passwords Secure and Usable

In-depth analysis of the interview data revealed that the degree to which users conform to security mechanisms depends on their perception of security levels, information sensitivity and compatibility with work practices, which may undermine system security overall.

What’s in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions

A diverse corpus of real-world statistical distributions for likely answer categories such as the names of people, pets, and places is examined and it is found that personal knowledge questions are significantly less secure than graphical or textual passwords.

Guessing human-chosen secrets

This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration except where specifically indicated in the text. No parts of this dissertation