A Critical appraisal on Password based Authentication

Full Text (PDF, 544KB), pp. 47-61



Amanpreet A. Kaur 1,*, Khurram K. Mustafa 1

1. Jamia Millia Islamia/Department of Computer Science, Delhi, 110025, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2019.01.05

Received: 7 Nov. 2018 / Revised: 12 Nov. 2018 / Accepted: 21 Nov. 2018 / Published: 8 Jan. 2019

Index Terms

Password, Authentication, User Level Authentication, Machine Level Authentication, Cryptographic schemes


There is no doubt that, even after the development of many other authentication schemes, passwords remain one of the most popular means of authentication. This paper reviews the field of password-based authentication by introducing and analysing the different authentication schemes, their respective advantages and disadvantages, and the probable causes of the disconnect between users and password mechanisms. The evolution of passwords, and how deeply rooted they have become in everyday life, is remarkable. The paper addresses the gap between the user and industry perspectives on password authentication, the state of the art of password authentication, and how the most investigated topics in password authentication have changed over time. The authors distinguish password-based authentication into two levels, the ‘User Centric Design Level’ and the ‘Machine Centric Protocol Level’, under one framework. The paper concludes with a special section covering the ways in which password-based authentication systems can be strengthened on the issues that are currently holding password-based authentication back.

Cite This Paper

Amanpreet A. Kaur, Khurram K. Mustafa, "A Critical appraisal on Password based Authentication", International Journal of Computer Network and Information Security(IJCNIS), Vol.11, No.1, pp.47-61, 2019. DOI:10.5815/ijcnis.2019.01.05

