Dynamic key password authentication

Abstract

Passwords still remain the most popular method of user authentication. Passwords appear to be the easiest way of registration and logging into remote services such as websites. However, passwords also appear to be the most insecure authentication method. One of the most popular attack techniques aimed at compromising passwords is to leak their hashes directly from their storage location to be cracked offline. The paper presents an authentication method with passwords, which complicates carrying out the attacks that succeed in extracting information sufficient for password cracking. The authentication method is called dynamic key password authentication (DKAuth). The method is based on a password 'blurring' using a number of network hosts. The 'blurring' is performed by encryption of password hash with a key that is not stored anywhere. The key is divided into parts and distributed among a number of different hosts. The key is modified for every password and changes due to change of the number of hosts in the system. Storage and authentication of a dynamic key is arranged so that it can never be recovered completely, that is even assuming cracking or rearrangement of each and every host where DKAuth key data is stored, an adversary will not be able to recover hashes and will have to crack them by brute-force attack. Practical implementation of DKAuth as an authentication service for external websites demonstrated low time and computational requirements for user registration and authentication.