TL;DR: This work presents a multi-server roaming protocol in a simpler model without the need for a prior secure channel, which requires fewer security assumptions, improves performance with comparable cryptographic assumptions, and better handles human errors in password entry.
Abstract: Safe long-term storage of user private keys is a problem in client/server systems. The problem can be addressed with a roaming system that retrieves keys on demand from remote credential servers, using password authentication protocols that prevent password guessing attacks from the network. Ford and Kaliski's methods [11] use multiple servers to further prevent guessing attacks by an enemy that compromises all but one server. Their methods use a previously authenticated channel which requires client-stored keys and certificates, and may be vulnerable to offline guessing in server spoofing attacks when people must positively identify servers, but don't. We present a multi-server roaming protocol in a simpler model without this need for a prior secure channel. This system requires fewer security assumptions, improves performance with comparable cryptographic assumptions, and better handles human errors in password entry.
TL;DR: A new approach is proposed to deal with a new class of weak passwords by (roughly) measuring entropy, with a simple example that exploits effective patterns to prevent low-entropy passwords as the first step of entropy-based proactive password checking.
Abstract: Nowadays, proactive password checking algorithms are based on the philosophy of the dictionary attack, and they often fail to prevent some weak passwords with low entropy. In this paper, a new approach is proposed to deal with this new class of weak passwords by (roughly) measuring entropy. A simple example is given to exploit effective patterns to prevent low-entropy passwords as the first step of entropy-based proactive password checking.
TL;DR: In this article, the authors proposed a one-time password mechanism on top of secure socket layer (SSL) to authenticate a user in a remote computer access facility using two dedicated computers outside the firewall.
Abstract: A remote computer access facility uses two dedicated computers outside the firewall. To ensure security, the system makes use of biometric features and a one-time password mechanism on top of secure socket layer (SSL) to authenticate a user. The system also provides three layers of security levels for transmission. The first layer establishes an SSL connection, the second layer periodically asks for a one-time password (OTP), and the third layer uses any kind of conventional encryption. The combination of the biometric, OTP and encryption key forms a strong password. The system also uses a mechanism for secure file accesses within the organization based on the security privileges assigned to various users. Based on the user's access privileges, the server side software module sends the requested file in an encrypted form along with the key to decrypt that file; this key is encrypted by the user's strong password.
TL;DR: SC-CFS is a file system that encrypts files, takes advantage of a smartcard for per-file key generation, and minimizes the damage caused by physical attack and bug exploitation.
Abstract: Storing information securely is one of the most important roles expected for computer systems, but it is difficult to achieve with current commodity computers. The computers may yield secrets through physical breach, software bug exploitation, or password guessing attack. Even file systems that provide strong security, such as the cryptographic file system, are not perfect against these attacks. We have developed SC-CFS, a file system that encrypts files and takes advantage of a smartcard for per-file key generation. SC-CFS counters password guessing attack, and minimizes the damage caused by physical attack and bug exploitation. The performance of the system is not yet satisfactory, taking 300 ms for accessing a file.
TL;DR: This paper extends proposals for password-protected private key operations to enable dynamic delegation from one server to another, i.e., the device can subsequently use the second server to secure its private key operations.
Abstract: A device that performs private key operations (signatures or decryptions), and whose private key operations are protected by a password, can be immunized against offline dictionary attacks in case of capture by forcing the device to confirm a password guess with a designated remote server in order to perform a private key operation. Recent proposals for achieving this allow untrusted servers and require no server initialization per device. In this paper we extend these proposals to enable dynamic delegation from one server to another; i.e., the device can subsequently use the second server to secure its private key operations. One application is to allow a user who is traveling to a foreign country to temporarily delegate to a server local to that country the ability to confirm password guesses and aid the user's device in performing private key operations, or in the limit, to temporarily delegate this ability to a token in the user's possession. Another application is proactive security for the device's private key, i.e., proactive updates to the device and servers to eliminate any threat of offline password guessing attacks due to previously compromised servers.
TL;DR: It is shown that the enhanced version of the generalized key agreement and password authentication protocol, proposed by Kwon and Song, is insecure against off-line password guessing attacks.
Abstract: We show that the enhanced version of the generalized key agreement and password authentication protocol, proposed by Kwon and Song (see IEICE Trans. Commun., vol.E83-B, no.9, p.2044-50, Sept. 2000), is insecure against off-line password guessing attacks.