Mechanism for the prevention of password reuse through Anonymized Hashes
- Published
- Accepted
- Subject Areas
- Computer Networks and Communications, Security and Privacy
- Keywords
- k-anonymity, l-diversity, password stealing attack, user authentication, password reuse attack, password theft, online authentication, password policy
- Copyright
- © 2017 Ali
- Licence
- This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, reproduction and adaptation in any medium and for any purpose provided that it is properly attributed. For attribution, the original author(s), title, publication source (PeerJ Preprints) and either DOI or URL of the article must be cited.
- Cite this article
- 2017. Mechanism for the prevention of password reuse through Anonymized Hashes. PeerJ Preprints 5:e3322v1 https://doi.org/10.7287/peerj.preprints.3322v1
Abstract
Password authentication is an essential and widespread form of user authentication on the Internet with no other authentication system matching its dominance. When a password on one website is breached, if reused, the stolen password can be used to gain access to multiple other authenticated websites. Even amongst technically educated users, the security issues surrounding password reuse are not well understood and restrictive password composition rules have been unsuccessful in reducing password reuse. In response, the US NIST have published standards outlining that, when setting passwords, authentication systems should validate that user passwords have not already been compromised or breached. We propose a mechanism to allows for clients to anonymously validate whether or not a password has been identified in a compromised database, without needing to download the entire database or send their password to a third-party service. A mechanism is proposed whereby password hash data is generalized such that it holds the k-anonymity property. An implementation is constructed to identify to what extent the data should be generalized for it to hold k-anonymity and additionally to group password hashes by their generalized anonymous value. The implementation is run on a database of over 320 million leaked passwords and the results of the anonymization process are considered.
Author Comment
This is a submission to PeerJ Computer Science for review.
Supplemental Information
Scripts use to process password data
Contains scripts written in the Go programming language used to process password hashes.
