Researchers, including those of Indian origin, have proposed a variety of innovative methods that can add a strong second layer of security to your password, protecting it from hackers.
Researchers from the University of Alabama at Birmingham, along with the University of California at Irvine, offered new options to increase password security against hacking.
"There have been many attacks on servers that store passwords lately, such as the breaches at PayPal and LinkedIn," said Nitesh Saxena, associate professor in the Department of Computer and Information Sciences at UAB.
Many people use the same few uncomplicated passwords repeatedly, making them easy to remember. Passwords are typically stored on servers in a hashed form.
Hackers can obtain passwords either by an online brute-force attack, or by compromising a poorly secured server and testing a 'dictionary' of candidate passwords against the stolen hashes offline.
Two-factor authentication schemes, such as Google Authenticator, or hardware tokens, such as RSA SecurID, use a second device to generate a temporary personal identification number, or PIN, that the user must enter along with their password.
But current two-factor schemes present the same vulnerabilities to server hacks as password-only authentication, Saxena said.
"If someone hacks into the server, they could learn the passwords via an offline dictionary attack," he said.
"Learning the passwords wouldn't compromise the second authentication factor, but the user might be using that same password elsewhere. The hacker might not be able to log into Facebook if Facebook uses two-factor authentication, but they could log into Twitter if Twitter uses the single-factor authentication using the same password," he said.
The researchers proposed and tested four two-factor schemes in which the server stores only a randomised hash of each password, while a second device, such as the user's security token or smartphone, stores a corresponding secret code; the stored hash is useless for offline guessing without that device-held secret.
They present these schemes at several levels of bandwidth between the second device and the user's computer, effectively turning four schemes into 13 security options.
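As an added illustration of the storage principle described above (this is not the researchers' own code or their protocols, and the HMAC construction, function names and the toy guess list are this example's own assumptions): a password record keyed by a secret that lives only on the user's second device cannot be checked against a guess list by someone holding just the server's table, whereas a conventional salted hash can.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample data for the demonstration: a tiny list of common guesses.
SMALL_DICTIONARY = ["password", "123456", "letmein", "hunter2", "qwerty"]

def server_only_hash(password: str, salt: bytes) -> bytes:
    """Conventional storage: the salted hash alone is enough to test a guess."""
    return hashlib.sha256(salt + password.encode()).digest()

def device_keyed_hash(password: str, salt: bytes, device_secret: bytes) -> bytes:
    """Randomised storage: the hash is keyed by a secret held only on the user's
    device, so the server table by itself cannot confirm whether a guess is right."""
    return hmac.new(device_secret, salt + password.encode(), hashlib.sha256).digest()

def table_confirms_guess(stored: bytes, salt: bytes, guesses: Iterable[str],
                         device_secret: Optional[bytes] = None) -> Optional[str]:
    """Audit check: with only the leaked record (and, optionally, the device secret),
    can any listed guess be confirmed? Returns the confirmed guess, else None.
    Without the device secret the checker can only compute unkeyed hashes."""
    for guess in guesses:
        if device_secret is None:
            digest = server_only_hash(guess, salt)
        else:
            digest = device_keyed_hash(guess, salt, device_secret)
        if hmac.compare_digest(digest, stored):
            return guess
    return None

def compare_storage_designs(password: str = "hunter2") -> dict:
    """Register one user under both designs and audit each against a stolen table."""
    salt = secrets.token_bytes(16)
    device_secret = secrets.token_bytes(32)   # lives on the token/smartphone only
    conventional = server_only_hash(password, salt)
    keyed = device_keyed_hash(password, salt, device_secret)
    return {
        # Server table alone, conventional design: the weak password is confirmed.
        "conventional_table_only": table_confirms_guess(conventional, salt, SMALL_DICTIONARY),
        # Server table alone, keyed design: no guess can be confirmed offline.
        "keyed_table_only": table_confirms_guess(keyed, salt, SMALL_DICTIONARY),
        # Table plus device secret: only a compromise of both recovers the password.
        "keyed_table_and_device": table_confirms_guess(keyed, salt, SMALL_DICTIONARY, device_secret),
    }
```

Run `compare_storage_designs()` to see that the same weak password is recovered from the conventional table but not from the device-keyed one unless the second device is also compromised.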
"Rather than requiring the user to enter both their password and a PIN generated by an app, the user could enter a password, and their smartphone could automatically send a PIN over a Bluetooth connection or through a simple QR code," Saxena said.
Saxena and his co-authors, UAB graduate student Maliheh Shirvanian, Stanislaw Jarecki and Naveen Nathan of the University of California at Irvine, have analysed each scheme in terms of security provided, usability and deployability.
"With each of our proposals, you get a high level of security with the same or better level of usability than the current two-factor authentication schemes," the researchers said.