USENIX
Strengthening Password-based Authentication

Authors: 

Scott Ruoti, Jeff Andersen, and Kent Seamons, Brigham Young University

Abstract: 

Even with years of research into new authentication technologies, passwords still dominate the authentication landscape. This is due primarily to a combination of security, deployability, and usability that has been difficult to match. While password alternatives exist, their lack of widespread adoption indicates that for the foreseeable future passwords are here to stay.

Our research goal is to strengthen, not replace, password-based authentication. We focus on two serious problems with password-based authentication. First, poor security practices at web servers lead to stolen password files that are easily compromised using an offline attack. Second, passwords are too easily stolen via phishing attacks.

Both of these problems arise because, for the vast majority of authentication flows, servers require users to provide their plaintext passwords. In the case of a legitimate server receiving this password, the user must blindly trust that the server correctly salts and hashes the password. Experience, though, has shown that many websites do not follow proper password storage practices. Moreover, there is a disconnect between perceived best practices for password storage and actual best practices.

Even if websites were to safely store users' passwords, users would still be at risk from phishing attacks. Phishers impersonate legitimate websites in order to trick users into sending their authentication credentials to the phishing website. The problem of phishing is only compounded by password reuse, allowing a single stolen password to potentially compromise many of the user's sites.

In this paper, we describe two methods for strengthening existing password-based authentication: strong password protocols and safe password entry.

Scott Ruoti, Brigham Young University

Jeff Andersen, Brigham Young University

Kent Seamons, Brigham Young University
