Abstract

Objectives: The security of textual passwords against offline guessability attacks is increased by using different encryption methods. However, even after encryption, textual passwords may be guessed through brute-force or dictionary attacks.

Method: In this paper, a theoretical framework is developed that provides guidelines for improving password security against offline guessability attacks such as brute-force and dictionary attacks. The proposed framework defines different password security layers, which convert a password into a form that is very difficult to crack through offline guessability attacks. The framework layers are implemented at the application and database levels.

Findings: In the proposed framework, a short and easy-to-remember password string is converted into a long and random string that does not provide any hint of the original password. However, it is important that the methodology or logic used for implementing the framework layers be hidden from attackers, because the layers’ methodology may provide a clue for password cracking. The layers of the proposed framework can be implemented with different logics, which are helpful in hiding the implementation details of the layers.

Application/Improvements: The proposed framework is not only helpful for improving the security of the traditional textual password scheme, but it can also improve the security of graphical password schemes against offline guessability attacks.

Keywords: Authentication, Guessability Attacks, Privacy, Password Security, Textual Passwords
