13-11-2012, 03:10 PM
Revisiting Defenses against Large-Scale Online Password Guessing Attacks
Abstract
Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with a reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address large-scale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals.
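The policy sketched in the abstract, as a toy model added here (not the paper's own protocol or code): unknown hosts get a small fixed number of attempts per username before an ATT is required, while a host that has previously logged a user in successfully gets several failed attempts first. The thresholds, the "known host" rule, and the decision to leave counters untouched when an ATT is required but not solved are assumptions.

```python
# Toy model of the PGRP-style policy described in the abstract (added example,
# not the paper's protocol). Thresholds and the "known host" rule are assumed:
# a host becomes known for a username after one successful login from it.
from dataclasses import dataclass, field

K_UNKNOWN = 1   # assumed: attempts per username from unknown hosts before an ATT
K_KNOWN = 3     # assumed: failed attempts from a known host before an ATT


@dataclass
class PGRPState:
    known: set = field(default_factory=set)             # (host, user) pairs with a past success
    failed_known: dict = field(default_factory=dict)    # (host, user) -> failed logins
    failed_unknown: dict = field(default_factory=dict)  # user -> failed logins from unknown hosts


def decide(state: PGRPState, host: str, user: str) -> str:
    """'login' = check the password directly; 'att' = an ATT must be solved first."""
    if (host, user) in state.known:
        return "att" if state.failed_known.get((host, user), 0) >= K_KNOWN else "login"
    return "att" if state.failed_unknown.get(user, 0) >= K_UNKNOWN else "login"


def record(state: PGRPState, host: str, user: str, password_ok: bool) -> None:
    """Update counters after a password check (called only when one happened)."""
    if password_ok:
        state.known.add((host, user))
        state.failed_known.pop((host, user), None)
    elif (host, user) in state.known:
        state.failed_known[(host, user)] = state.failed_known.get((host, user), 0) + 1
    else:
        state.failed_unknown[user] = state.failed_unknown.get(user, 0) + 1


def simulate(events):
    """events: (host, user, password_ok, att_solved). Returns one decision per event.
    If an ATT is required and not solved, the password is never checked, so an
    automated guesser that cannot solve ATTs neither progresses nor locks anyone out."""
    state, decisions = PGRPState(), []
    for host, user, password_ok, att_solved in events:
        d = decide(state, host, user)
        decisions.append(d)
        if d == "login" or att_solved:
            record(state, host, user, password_ok)
    return decisions


if __name__ == "__main__":
    # Constructed sample: alice logs in from home, a bot guesses from elsewhere,
    # then alice mistypes her password several times from home.
    sample = [("home", "alice", True, False)] + [("bot", "alice", False, False)] * 3 \
        + [("home", "alice", False, False)] * 4
    print(simulate(sample))
```

Note how the bot's second and third attempts are blocked by an ATT after a single free attempt, while alice still gets three free failures from her known host before she is challenged.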