Paper 2022/792

Reliable Password Hardening Service with Opt-Out

Chunfu Jia, Nankai University
Shaoqiang Wu, Nankai University
Ding Wang, Nankai University
Abstract

As the dominant authentication mechanism, password-based authentication is exposed to catastrophic offline password guessing attacks once the authentication server is compromised and the password database is leaked. A password hardening (PH) service, an external/third-party cryptographic service, has recently been proposed to strengthen password storage and limit the damage of authentication server compromise. However, all existing schemes are unreliable because they overlook an important restorability property: PH service opt-out. In existing PH schemes, once an authentication server has subscribed to a PH service, it must use that service forever, even if it wants to stop using the external/third-party PH service and restore its original password storage (or subscribe to another PH service). To fill this gap, we propose a new PH service, PW-Hero, which equips the PH service with an option to terminate its use (i.e., opt out). In PW-Hero, password authentication is strengthened against offline attacks by adding external secret spices to password records. With the opt-out property, an authentication server can proactively request termination of the PH service after successful authentications. The password records can then be securely migrated back to their traditional salted-hash state, ready for subscription to another PH service. In addition, PW-Hero achieves all existing desirable properties, such as comprehensive verifiability, rate limiting against online attacks, and user privacy. We define PW-Hero as a suite of protocols that meet these desirable properties and build a simple, secure, and efficient instance. Moreover, we develop a prototype implementation and evaluate its performance, which shows the practicality of our PW-Hero service.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Password-based authentication, Password hardening service, Opt-out option, Offline password guessing attack
Contact author(s)
wangding @ nankai edu cn
History
2022-06-30: last of 3 revisions
2022-06-20: received
Short URL
https://ia.cr/2022/792
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/792,
      author = {Chunfu Jia and Shaoqiang Wu and Ding Wang},
      title = {Reliable Password Hardening Service with Opt-Out},
      howpublished = {Cryptology ePrint Archive, Paper 2022/792},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/792}},
      url = {https://eprint.iacr.org/2022/792}
}