Enhanced Security Solution to Prevent Online Password Guessing Attacks

International Journal of Computer Science and Engineering
© 2014 by SSRG - IJCSE Journal
Volume 1 Issue 6
Year of Publication : 2014
Authors : Nikitha Bhasu, Raju. K. Gopal


Nikitha Bhasu, Raju. K. Gopal, "Enhanced Security Solution to Prevent Online Password Guessing Attacks," SSRG International Journal of Computer Science and Engineering, vol. 1, no. 6, pp. 1-11, 2014. Crossref, https://doi.org/10.14445/23488387/IJCSE-V1I6P101

Abstract:

Brute-force and dictionary attacks on password-only remote login services are very common and on the rise. Preventing such attacks by hackers is a complex problem. An Automated Turing Test (ATT) is an effective way to identify and prevent automated malicious login attempts with minimal difficulty for users. In this paper, we discuss the insufficiency of existing and proposed login protocols designed to address extensive online dictionary attacks. We propose a new Enhanced Password Guessing Resistant Protocol (EPGRP), derived from revisiting prior proposals designed to restrict such attacks. EPGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt before being challenged with an ATT. To enhance security, a One Time Password (OTP) is also used in addition to the ATT.

Keywords:

Online password guessing attacks, brute force attacks, dictionary attacks, ATTs, OTP.
