Information Signaling: A Counter-Intuitive Defense Against Password Cracking

by   Wenjie Bai, et al.

We introduce password strength information signaling as a novel, yet counter-intuitive, defense against password cracking attacks. Recent breaches have exposed billions of user passwords to the dangerous threat of offline password cracking attacks. An offline attacker can quickly check millions (or sometimes billions/trillions) of password guesses by comparing their hash value with the stolen hash from a breached authentication server. The attacker is limited only by the resources he is willing to invest. Our key idea is to have the authentication server store a (noisy) signal about the strength of each user password for an offline attacker to find. Surprisingly, we show that the noise distribution for the signal can often be tuned so that a rational (profit-maximizing) attacker will crack fewer passwords. The signaling scheme exploits the fact that password cracking is not a zero-sum game i.e., the attacker's profit is given by the value of the cracked passwords minus the total guessing cost. Thus, a well-defined signaling strategy will encourage the attacker to reduce his guessing costs by cracking fewer passwords. We give a (heuristic) algorithm to compute the optimal signaling scheme for a defender. As a proof-of-concept, we evaluate our mechanism on several empirical password datasets and show that it can reduce the total number of cracked passwords by ≈ 10% of all users.


page 1

page 2

page 3

page 4


Cost-Asymmetric Memory Hard Password Hashing

In the past decade, billions of user passwords have been exposed to the ...

DAHash: Distribution Aware Tuning of Password Hashing Costs

An attacker who breaks into an authentication server and steals all of t...

On the Economics of Offline Password Cracking

We develop an economic model of an offline password cracker which allows...

Defending Hash Tables from Subterfuge with Depth Charge

We consider the problem of defending a hash table against a Byzantine at...

Off-Path TCP Exploits of the Mixed IPID Assignment

In this paper, we uncover a new off-path TCP hijacking attack that can b...

Advancing Network Securing Strategies with Network Algorithms for Integrated Air Defense System (IADS) Missile Batteries

Recently, the Integrated Air Defense System (IADS) has become vital for ...

TCP SYN Cookie Vulnerability

TCP SYN Cookies were implemented to mitigate against DoS attacks. It ens...

Please sign up or login with your details

Forgot password? Click here to reset