http://dx.doi.org/10.30693/SMJ.2020.9.1.30

Generation and Management of Strong Passwords using an Ownership Verified Smartphone  

Park, Jun-Cheol (Department of Computer Engineering, Hongik University)
Publication Information
Smart Media Journal / v.9, no.1, 2020, pp. 30-37
Abstract
Adding a supplementary authentication factor to password-based authentication, alongside efforts to strengthen the password itself, improves the security of the password authentication scheme as a whole. To address the well-known difficulty of using strong passwords that differ from site to site, we propose a scheme for password generation and management with an inherent supplementary authentication. Like a conventional password manager, the scheme retrieves and presents a strong site-specific password whenever requested, without requiring the user to remember multiple passwords. Unlike existing methods, however, the scheme permits the password retrieval process to proceed only through the authenticated user's ownership-verified smartphone. Hence, even for sites that do not enforce or support two-factor authentication, the logon process benefits from the scheme's two-factor-equivalent authentication. The scheme also prevents an attacker from impersonating a user or stealing secrets even when the information stored by the password retrieval server or on the user's smartphone is leaked.
Keywords
password; two-factor authentication; smartphone; security
Citations & Related Records
Times Cited By KSCI: 4