30-10-2012, 04:34 PM
Noisy Password Scheme: A New One Time Password System
Noisy Password Scheme.pdf (Size: 414.84 KB / Downloads: 30)
Abstract.
The purpose of a one-time password (OTP) is to make it more difficult to gain unauthorized access to restricted resources, like a computer account. Traditional static passwords can more easily be obtained by an unauthorized intruder given enough attempts and time. By constantly altering the password, as is done with a one-time password, this risk can be greatly reduced. In this paper, we propose the new noisy password technique. The proposed system attempts to alleviate the problem of shoulder surfing or eavesdropping by making the replay of a password useless. Every time, a user is authenticated with a totally different password. The noisy password consists of several parts: the actual password and additional noisy parts that are well studied so as to generate different passwords almost every time a user wants to authenticate himself. The noisy parts are proven to be robust against any hacking attacks. Experimental results give a good indication of the ease of use of the new system, with low error rates that can be improved over time.
Introduction
Most current commercial websites will ask their users to input their user identifications (IDs) and the corresponding passwords for authentication. Once a user's ID and the corresponding password are stolen by an adversary, the adversary can do anything with the victim's account, leading to a disaster for the victim. The secure protocol SSL/TLS [1] for transmitting private data over the web is well known in academic research, but most current commercial websites still rely on the relatively weak protection mechanism of user authentication via a plaintext password and user ID. Meanwhile, even though a password can be transferred via a secure channel, this authentication approach is still vulnerable to attacks. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. A password-stealing Trojan is a program that contains or installs malicious code
First Algorithm: Noisy Passwords with Terminators
To authenticate a user, a system (S) needs to verify a user (U) via the user's password (P), which the user provides. It is very reasonable that a password should be constant so that it is easy to remember. However, the price of easy remembrance is password theft. At the same time, we cannot put P in a randomly varying form, which would make it impossible for a user to remember the password. To confront this challenge, we propose a scheme using a new concept of password that we named the noisy password. A noisy password is a password that contains the actual password embedded in it. It cannot be applied directly; instead, software extracts the actual password from it and generates the password that is submitted to the server for authentication, or compared to the one stored on the smart card. A noisy password P is defined as a quadruplet with four parts: a fixed alphanumeric part F, a variable alphanumeric part V, a terminator X and a safeguard S.
Experimental Results
Twelve subjects, ranging from 35 to 40 years old, participated in the experiment. Eight were female and four were male. The mean age of participants was 37.7 (SD = 1.33). Most of the participants had graduated from college. They all used PCs frequently. The noisy password system used in this study has a simple interface with four fields for choosing the ID and password: the first field is for the user ID, and the other three fields are for the F, X and S values. The login interface, where the ID and password are entered and checked against the database, is another simple interface with two fields, one for the ID and one for the password. All instructions were described to the participants. Feedback on the correctness of a password input was given on screen after the user clicked the Submit button. The study was carried out in two sessions. Each participant was seated at a laptop. In the experiment, which lasted about 30 minutes, the participants first chose an ID and a password. When the participant had chosen a password, a valid noisy password was displayed as an example, with a heavy outline around each part of the password. When the participant had created a valid password, the learning phase began. The participant entered the noisy password repeatedly until he or she achieved ten correct password inputs. Participants received binary feedback on the correctness of each password input and could see an on-screen count of how many correct and incorrect entries they had made. In the retention phase, password retention was measured at the end of the first session (S1) and three days later (S2).
Discussion
Most participants had little difficulty learning their password via repeated password inputs, while it posed challenges to some. Another indicator of this trend is the long tail of participants who took many practice trials (Table 2). Using noisy password schemes was new to the participants, and we expected errors in the learning phase. In the S1 retention trial there were very few incorrect password submissions. It should be noted that the mean time for these incorrect submissions was very low. This likely indicates that the errors were slips, in which the participants noticed a slip immediately and submitted it so they could start over. For the correct submissions the time was approximately 22 to 35 seconds. In other studies, the time for inputting alphanumeric passwords was between 10 and 11 seconds. We found it encouraging that after a little practice the difference was a few seconds. Generally, we expect slower input times in noisy password systems. On the other hand, the slower noisy password input in our studies may also be related to the participants' lack of experience.
Conclusion
Most network applications authenticate users with an account-name/password system. The most common computer authentication method is to use alphanumeric usernames and passwords. Recently, graphical password systems have attracted more attention. Both methods have been shown to have significant drawbacks. For example, users tend to pick alphanumeric passwords that can be easily guessed. On the other hand, graphical passwords are susceptible to shoulder surfing and are hard to remember. To address this problem, some researchers have developed other authentication methods that use eye gaze as a password entry technique. Such techniques suffer from high error rates. In this paper, we proposed the new noisy password technique. The proposed system alleviates the problem of shoulder surfing or eavesdropping by making the replay of a password useless. Every time, a user is authenticated with a totally different password.