Over the last fifty years, computer security professionals have
lamented the poor security provided by passwords and have proposed
many alternative authentication methods. But passwords have compelling
practical benefits, and they have survived every attempt to eliminate
them. Not only have they survived, they have become ubiquitous: they
are almost the only means of user authentication on the Web.
Since passwords are here to stay, can their security be improved? It
may be hard to believe that anything new could be invented in password
security, but we are proposing two new techniques that make passwords
more secure. Both apply to any Web application that lets a user create
a user-administered, multi-user instance of the application.
The first technique addresses the threat of anonymous password-guessing
attacks over the Internet by enforcing a hard limit on the total number
of guesses made against a password, regardless of where the guesses
come from. It is described in the white paper:
The second technique improves the security of transmitting a new
password to the user after an administrator has reset it. It is
described in the white paper:
Since password-guessing attacks and weak password-reset methods are
arguably the main security issues with Web passwords, we believe these
two techniques can substantially strengthen the security provided by
passwords in multi-user instances of Web applications.
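The first technique above is stated in a single sentence, so the following Python example is added here as an illustration; it is my own code, not the white paper's design, whose details are not on this page. It keeps one counter of failed guesses per account that is shared across every source address, beside the familiar per-IP rate limit for contrast, and simulates an anonymous attacker rotating through addresses. The budget sizes, the refund of the budget on a successful login, the class and function names and the constructed wordlist are all assumptions. The attacker defeats the per-IP limit but not the total cap; the flip side, also shown, is that any hard cap lets an attacker exhaust the budget and lock the legitimate user out, so a deployment needs a recovery path, and this page does not say how the white paper handles that.

```python
"""Hard total guess budget versus per-source rate limiting (illustrative)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical parameters, not taken from the white paper.
TOTAL_GUESS_BUDGET = 10      # failed guesses allowed per account, from ALL sources
PER_IP_ALLOWANCE = 10        # failed guesses allowed per (account, source IP)
PBKDF2_ITERATIONS = 20_000   # lowered for the demo; use a far higher count in production


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_guesses: int = 0  # counted across every client, not per client
    locked: bool = False


def derive(password: str, salt: bytes) -> bytes:
    # Slow hash so each evaluated guess costs real work.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Authenticator:
    """policy='total': hard cap on total failed guesses per account.
    policy='per_ip': the common per-source rate limit, shown for contrast."""

    def __init__(self, policy: str):
        assert policy in ("total", "per_ip")
        self.policy = policy
        self.accounts: dict[str, Account] = {}
        self.per_ip_fail: dict[tuple[str, str], int] = {}  # (user, ip) -> failures
        self.guesses_evaluated = 0  # guesses that reached a real hash comparison

    def create(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, derive(password, salt))

    def login(self, user: str, password: str, source_ip: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            derive(password, b"\0" * 16)  # spend the same time; avoid user enumeration
            return "fail"
        if self.policy == "total" and acct.locked:
            return "locked"  # budget exhausted: no further guess is evaluated, from anyone
        key = (user, source_ip)
        if self.policy == "per_ip" and self.per_ip_fail.get(key, 0) >= PER_IP_ALLOWANCE:
            return "throttled"  # only THIS source is blocked; the next address starts fresh
        self.guesses_evaluated += 1
        if hmac.compare_digest(derive(password, acct.salt), acct.pw_hash):
            acct.failed_guesses = 0  # assumption: a successful login refunds the budget
            return "ok"
        acct.failed_guesses += 1
        self.per_ip_fail[key] = self.per_ip_fail.get(key, 0) + 1
        if self.policy == "total" and acct.failed_guesses >= TOTAL_GUESS_BUDGET:
            acct.locked = True  # caveat: an attacker can deliberately lock out the real user
        return "fail"


def distributed_attack(auth: Authenticator, user: str, wordlist: list[str],
                       ips: list[str]) -> tuple[bool, int]:
    """Anonymous attacker spreading guesses over many source addresses.
    Returns (password found?, number of guesses the server actually evaluated)."""
    for i, guess in enumerate(wordlist):
        result = auth.login(user, guess, ips[i % len(ips)])
        if result == "ok":
            return True, auth.guesses_evaluated
        if result == "locked":
            break  # every source is shut out together
    return False, auth.guesses_evaluated


def compare(wordlist: list[str], ips: list[str],
            real_password: str = "correct horse battery staple") -> dict[str, tuple[bool, int]]:
    """Run the same attack against both policies; constructed inputs only."""
    out = {}
    for policy in ("total", "per_ip"):
        auth = Authenticator(policy)
        auth.create("alice", real_password)
        out[policy] = distributed_attack(auth, "alice", wordlist, ips)
    return out


if __name__ == "__main__":
    guesses = [f"password{i}" for i in range(200)]        # constructed wordlist
    sources = [f"10.0.0.{i}" for i in range(1, 6)]        # five rotating source IPs
    print(compare(guesses, sources))
```

With five source addresses the per-IP limiter lets 50 guesses reach the hash check and would keep scaling with the number of addresses, while the total cap stops at 10 no matter how many addresses the attacker controls. The last assertion in the accompanying check shows the lockout cost: once the budget is gone, the real user's correct password is refused too.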