Mechanism for the prevention of password reuse through Anonymized Hashes

Cloudflare Inc., San Francisco, California, United States
DOI
10.7287/peerj.preprints.3322v1
Subject Areas
Computer Networks and Communications, Security and Privacy
Keywords
k-anonymity, l-diversity, password stealing attack, user authentication, password reuse attack, password theft, online authentication, password policy
Copyright
© 2017 Ali
Licence
This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, reproduction and adaptation in any medium and for any purpose provided that it is properly attributed. For attribution, the original author(s), title, publication source (PeerJ Preprints) and either DOI or URL of the article must be cited.
Cite this article
Ali J. 2017. Mechanism for the prevention of password reuse through Anonymized Hashes. PeerJ Preprints 5:e3322v1

Abstract

Password authentication is an essential and widespread form of user authentication on the Internet with no other authentication system matching its dominance. When a password on one website is breached, if reused, the stolen password can be used to gain access to multiple other authenticated websites. Even amongst technically educated users, the security issues surrounding password reuse are not well understood and restrictive password composition rules have been unsuccessful in reducing password reuse. In response, the US NIST has published standards outlining that, when setting passwords, authentication systems should validate that user passwords have not already been compromised or breached. We propose a mechanism that allows clients to anonymously validate whether or not a password has been identified in a compromised database, without needing to download the entire database or send their password to a third-party service. A mechanism is proposed whereby password hash data is generalized such that it holds the k-anonymity property. An implementation is constructed to identify to what extent the data should be generalized for it to hold k-anonymity and additionally to group password hashes by their generalized anonymous value. The implementation is run on a database of over 320 million leaked passwords and the results of the anonymization process are considered.
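
The generalization and lookup described in the abstract, as an added Go example that is not the paper's supplemental script: it finds the longest hash prefix for which every bucket still holds at least k distinct hashes, groups hashes by that prefix, and checks a password while disclosing only the prefix. SHA-1, the function names and the sample corpus are assumptions made for illustration.

```go
package main

import "crypto/sha1"
import "fmt"

// hashHex hex-encodes the password's SHA-1 (hash choice is an assumption).
func hashHex(pw string) string {
	return fmt.Sprintf("%X", sha1.Sum([]byte(pw)))
}

// bucket groups distinct hashes by their first n hex characters.
func bucket(hashes []string, n int) map[string]map[string]bool {
	b := make(map[string]map[string]bool)
	for _, h := range hashes {
		if b[h[:n]] == nil {
			b[h[:n]] = make(map[string]bool)
		}
		b[h[:n]][h[n:]] = true
	}
	return b
}

// maxPrefixLen returns the longest prefix whose every bucket holds >= k hashes.
func maxPrefixLen(hashes []string, k int) int {
	best := 0
	for n := 1; len(hashes) > 0 && n <= len(hashes[0]); n++ {
		for _, suffixes := range bucket(hashes, n) {
			if len(suffixes) < k {
				return best // buckets only shrink as n grows
			}
		}
		best = n
	}
	return best
}

// isBreached sends only the n-character prefix; the suffix is matched locally.
func isBreached(pw string, n int, server map[string]map[string]bool) bool {
	h := hashHex(pw)
	return server[h[:n]][h[n:]]
}

func main() {
	var hashes []string // constructed sample corpus, not real breach data
	for i := 0; i < 5000; i++ {
		hashes = append(hashes, hashHex(fmt.Sprintf("example-password-%d", i)))
	}
	n := maxPrefixLen(hashes, 50)
	fmt.Println(n, isBreached("example-password-42", n, bucket(hashes, n)))
}
```

A return value of 0 from maxPrefixLen means no prefix can be disclosed at that k, so the lookup degenerates to a single bucket holding the whole set.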

Author Comment

This is a submission to PeerJ Computer Science for review.

Supplemental Information

Scripts used to process password data

Contains scripts written in the Go programming language used to process password hashes.

DOI: 10.7287/peerj.preprints.3322v1/supp-1

Count of hashes listed by the prefix they start with

DOI: 10.7287/peerj.preprints.3322v1/supp-2

Count of Hashes by their First Character

DOI: 10.7287/peerj.preprints.3322v1/supp-3

Number of Hashes by their First Character

DOI: 10.7287/peerj.preprints.3322v1/supp-4