CSPS: Catchy Short Passwords Making Offline and Online Attacks Impossible

Abstract

This paper proposes to address online and offline attacks to passwords without increasing users' efforts in choosing and memorising their passwords. In CSPS, a password consists of two parts, a user-chosen short password and a server-generated long password. The short password should be memorised and secured by its user while the long password be encrypted and stored on the server side. To keep the secret key for protecting the long password secure, an additional sever is introduced to store the secret key and provide encryption/decryption services. On top of balloon, CSPS integrates expensive hash with secure encryption. It is mathematically proved that computationally unbounded attackers cannot succeed in offline dictionary or brute-force attacks or a combination of offline and online attacks. The criteria of security are established, which quantifies the security. To our best knowledge, CSPS is the first technique to make security quantifiable in password authentication mechanisms.