Defenses to curb online password guessing attacks

Abstract

Passwords are the most commonly used means of authentication as passwords are very convenient for users, easier to implement and user friendly. Password based systems suffer from two types of attacks: i) offline attacks ii) online attacks. Eavesdropping the communication channel and recording the conversations taking place on the communication channel is an example for offline attack. Brute force and dictionary attacks are the two types of online attacks which are widespread and increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. The proposed protocol called Password Guessing Resistant Protocol (PGRP), helps in preventing such attacks and provides a pleasant login experience for legitimate users. PGRP limits the number of login attempts for unknown users to one, and then challenges the unknown user with an Automated Turing Test (ATT). There are different kinds of ATT tests such as CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart), security questions etc. In this system, a distorted text-based CAPTCHA is used. If the ATT test is correctly answered, the user is granted access else the user is denied access. The proposed algorithm analyzes the efficiency of PGRP based on three conditions: i) number of successful login attempts ii) number of failed login attempts with invalid password iii) number of failed login attempts with invalid password and ATT test. PGRP log files are used as data sets. The analysis helps in determining the efficiency of PGRP protocol.