Share on Facebook Tweet on Twitter Share on LinkedIn Share by email
Popularity is Everything: A new approach to protecting passwords from statistical-guessing attacks

Stuart Schechter, Cormac Herley, and Michael Mitzenmacher

Abstract

We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want-so long as it's not already too popular with other users. We create an oracle to identify undesirably popular passwords using an existing data structure known as a count-min sketch, which we populate with existing users' passwords and update with each new user password. Unlike most applications of probabilistic data structures, which seek to achieve only a maximum acceptable rate false-positives, we set a minimum acceptable false-positive rate to confound attackers who might query the oracle or even obtain a copy of it.

Details

Publication typeInproceedings
Published inThe 5th USENIX Workshop on Hot Topics in Security (HotSec '10)
PublisherUSENIX
> Publications > Popularity is Everything: A new approach to protecting passwords from statistical-guessing attacks