With the advent of technology, many systems (software, social networks, shopping platforms, etc.) are developed as the days go by, and these systems are designed for the convenience of their users. This has made computer security a pressing issue, since users' data are expected to be protected and secured. These systems implement several strategies to protect user data, and one that plays a major role and is implemented in almost every system is password authentication, which admits legitimate users into the system while keeping unauthorized users out.
Unfortunately, this widely used strategy tends to be the one with the biggest flaw, and it is susceptible to various kinds of attacks. In this research, we look into password authentication, the dictionary-based attack on password authentication systems and the measures put in place to secure both systems and users, and finally propose a system that gives users the best type of password: one that is more secure, difficult (nearly impossible) to guess and also easy to remember.
Passwords, especially text-based passwords, are the most common authentication method across websites and services, including computers, web, network and mobile services. Existing password evaluators and the password strength estimators of online service providers (Gmail, Yahoo, PayPal, Twitter, etc.) judge the effectiveness of a password chosen by the user using entropy techniques or a similar function of the parameters length, complexity and predictability (Madiraju, 2014). Such implementations often ignore the vast number of publicly known passwords that appear in attackers' password dictionaries.
This still leaves users free to choose easy-to-guess passwords, which in turn makes them fall prey to dictionary attacks. Such attacks are now relatively easy to conduct, especially with the advent of computers with the computing power and speed to try a large number of candidate dictionary passwords in a short amount of time.
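The gap described above, as an added example that is not part of the original proposal: a length/complexity entropy estimate of the kind the providers use, placed beside a dictionary lookup, so that a password such as "Password1!" that scores well on entropy is still flagged. The leaked-password set is a small constructed stand-in, not real data.

```python
import math
import string

# Constructed stand-in for a leaked-password dictionary; a real check would
# load a large list of publicly known passwords.
KNOWN_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin"}

def charset_size(pw: str) -> int:
    """Size of the character pool implied by the classes present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    return size

def naive_entropy_bits(pw: str) -> float:
    """Length/complexity estimate in the style of the estimators discussed
    above: log2(pool_size ** length). It knows nothing about dictionaries."""
    pool = charset_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0

def dictionary_hit(pw: str) -> bool:
    """True if pw, lower-cased and stripped of trailing digits and symbols, is a
    known password. The stripping catches common 'password1!' style variants."""
    lowered = pw.lower()
    base = lowered.rstrip(string.digits + string.punctuation)
    return lowered in KNOWN_PASSWORDS or base in KNOWN_PASSWORDS

def evaluate(pw: str) -> dict:
    """Combine both views: a dictionary hit overrides the entropy estimate,
    because an attacker tries dictionary entries first regardless of length."""
    bits = round(naive_entropy_bits(pw), 1)
    hit = dictionary_hit(pw)
    return {"entropy_bits": bits, "dictionary_hit": hit,
            "effective_bits": 0.0 if hit else bits}

if __name__ == "__main__":
    for candidate in ("Password1!", "xq7!Rt9#vLm2"):
        print(candidate, evaluate(candidate))
```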
Passwords are the most commonly used method of online or system authentication, and their use is estimated to increase exponentially because of their convenience and ease of use and implementation for both system designers and users (Han, Wong & Chao, n.d.).
Although several secure authentication methods have been proposed over the past years (smart cards, public key cryptography, etc.), none of them seems to have replaced password authentication. This is a problem in computer security, since human-chosen passwords are inherently insecure: they are chosen from a small domain (dates of special times in life, names of relatives, etc.) (Pinkas & Sander, n.d.). This small domain allows attackers to compile lists of passwords likely to be used by many people, called a dictionary, and to try logging in to accounts with every entry of the compiled dictionary until they find the correct password. This is known as the dictionary attack, and attacks of this kind tend to be successful, though time consuming.
Several works have addressed dictionary-based attacks in computer security over the past years, ranging from methods compiled in books such as Information Security: Principles and Practice (Stamp, 2011) to articles such as Password Based Authentication: Preventing Dictionary Attacks (Chakrabarti & Singhal, 2007), which outlines several dictionary attack prevention techniques and their drawbacks. The authors discuss Encrypted Key Exchange (EKE), introduced by Steven Bellovin and Michael Merritt, for preventing offline dictionary attacks, and, for curbing online dictionary attacks, account locking, delayed response, performing extra computations and reverse Turing tests. The offline dictionary attack prevention technique using EKE combines symmetric and asymmetric cryptography, but a vulnerability was later noticed that could let an attacker impersonate a victim by using the victim's hashed password captured through eavesdropping.
For online dictionary attack prevention, delayed response and account locking are the most common countermeasures implemented in systems, since they reduce the number of passwords that can be guessed in a given time and lock user accounts once a threshold of failed logins is exceeded. However, the article Securing Passwords Against Dictionary Attacks points out the problems associated with these countermeasures, which result either in denial of service or in increased customer service costs caused by account locking (Pinkas & Sander, n.d.).
Similar work appears in the article Advances of Password Cracking and Countermeasures in Computer Security, where countermeasures are divided into two stages, namely the password design stage and the post-generation stage.
The password generation stage mainly covers user education, use of tokens, dynamic passwords and computer-generated passwords, while the post-generation stage covers reactive password checking, access control and password encryption using salting and hashing (Wong et al., n.d.).
These works have contributed strategies to help curb dictionary attacks and have also informed this research. However, most research in this field is geared towards system security, making the systems themselves stronger, which still leaves users free to choose weak passwords, a greater vulnerability. This research therefore focuses on implementing a system that produces strong and easy-to-remember passphrases, which are the best type of password.
Dictionary attacks have been found well suited to penetrating systems because they are relatively easy to conduct, hard to avoid and also give great privileges and control when successful. Some countermeasures taken to curb these attacks are delayed response, account locking, password encryption, password salting, etc., which to some extent reduce dictionary-based attacks. The measures listed are implemented in the designed system, however, which still leaves human-chosen passwords insecure. In this research, we aim to propose a mitigation system geared towards users of computer systems that makes it very difficult, if not impossible, for a dictionary-based attack to guess users' passwords.
This research is aimed at improving security, especially in password authenticated systems. But how can we solve people's problems when they don't know they have a problem? Unfortunately, security isn't a factor most people consider when using a system, be it a new social site, a portal or an online shopping mart, and this makes most users susceptible to several kinds of cyber-attacks. In this research, we set out to answer the following questions about security.
Are users well educated about security as account holders of online services, and are they aware of the security of the services they use?
What types of passwords are there, and which is the best among them?
What system can be developed to mitigate the problem of weak or easy-to-guess passwords?
This research takes a closer look at password authentication, focusing mainly on dictionary-based attacks, how effective and damaging they can be, and how to secure oneself against this kind of attack. The research's main objectives are to:
Create awareness of security in password authenticated systems.
Encourage the use of passphrases by users, and
Create a system that generates passphrases from a mixture of the user's native language (local languages such as Ga, Twi or Dagbani) and questions answered by the user. This system not only makes passwords more resistant to dictionary attacks but also makes them easier for users to remember, because the answered questions serve as clues.
In this section, we describe the methodologies and strategies used to collect and analyze the data used in this research. This study relates to cyber security, hence we adopt the experimental methodology to carry out the research. For data analysis, we adopt the quantitative research methodology, which is based on numerical analysis of data to establish reliability, as opposed to the qualitative research methodology, which emphasizes words rather than quantification in the collection and analysis of data (Bryman, 2008).
This research also uses the design science methodology, which focuses on the development and performance of (designed) artifacts with the explicit intention of improving the functional performance of the artifact. Design science research is typically applied to categories of artifacts including algorithms, human/computer interfaces, design methodologies (including process models) and languages. Its application is most notable in the engineering and computer science disciplines, though it is not restricted to these and can be found in many disciplines and fields. In design science research, as opposed to explanatory science research, academic research objectives are of a more pragmatic nature. Research in these disciplines can be seen as a quest for understanding and improving human performance (Design Science (Methodology), n.d.). This methodology will aid the development of our proposed mitigation system to address the vulnerabilities discovered in the results of our penetration testing.
In our experiments and analysis, we will use Kali Linux, a Linux distribution, together with scripts, password dictionaries, programs like John the Ripper and Ophcrack, and analysis software like Wireshark to mount ethical attacks (that is, approved requests to test systems and specific accounts). In these experiments, a number of network, web and computer systems will be tested to determine the average strength of human-chosen passwords, and the results and trends found will help us develop our mitigation system.
This research aims to provide preventive measures against dictionary attacks by examining the success of dictionary attacks on only a few websites and networks. A successful implementation of the mitigation system will be of great benefit to people who have been victims of online cyber-attacks or who are conscious of the security risks of the systems they use.
This research focuses mainly on dictionary-based attacks, hence not all experiments might be successful: there are quite a number of ways to obtain passwords from victims, but ours has been narrowed to dictionary attacks only.
The intended mitigation system uses the user's local language, in addition to user-added vocabulary, as a passphrase or password generator. In this research, we limit the languages to Twi and Ga. Because there are no pre-compiled dictionaries for most local languages, this makes the approach a very effective way of securing one's password.
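One way the generator described above and in the objectives could work, as an added example and not the proposal's own code: memory clues taken from the user's answers to questions are joined to words picked at random from a local-language word list, and only the random words are credited with entropy. The Twi sample list is a handful of words chosen for illustration (the real system would load a full Twi or Ga dictionary), the question names are hypothetical, and the attacker dictionary is a constructed stand-in.

```python
import math
import secrets

# Constructed sample of Twi words used for illustration only; the proposed
# system would load a full Twi or Ga dictionary, which this example does not ship.
TWI_SAMPLE = ["akwaaba", "medaase", "nsuo", "aduane", "ohene",
              "abusua", "nyame", "sika", "fie", "nkwan"]

# Constructed stand-in for an attacker's password/word dictionary.
ATTACK_DICTIONARY = {"password", "123456", "welcome", "qwerty", "football"}

def in_attack_dictionary(word: str) -> bool:
    """True if the word is something an attacker's dictionary already contains."""
    return word.lower() in ATTACK_DICTIONARY

def random_bits(dictionary_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly, with replacement, from a list of
    dictionary_size words: log2(dictionary_size ** n_words)."""
    return n_words * math.log2(dictionary_size)

def generate_passphrase(answers: dict, words=TWI_SAMPLE, n_random: int = 3,
                        pick=secrets.choice):
    """Return (passphrase, entropy_bits).

    answers maps clue questions (hypothetical, e.g. 'favourite food') to the
    user's answers; the first word of each answer is kept as a memory clue.
    Only the randomly picked language words are credited with entropy, since
    answers to personal questions are guessable by someone who knows the user.
    pick is injectable so the function can be tested deterministically."""
    clues = [a.strip().split()[0].lower() for a in answers.values() if a.strip()]
    chosen = [pick(words) for _ in range(n_random)]
    for w in clues + chosen:
        if in_attack_dictionary(w):
            raise ValueError(f"{w!r} appears in an attacker dictionary")
    return "-".join(clues + chosen), random_bits(len(words), n_random)

if __name__ == "__main__":
    phrase, bits = generate_passphrase({"favourite food": "Jollof rice",
                                        "first school": "Adabraka Primary"})
    print(phrase, f"({bits:.1f} bits from the random words)")
```

With only ten sample words the three random words contribute about 10 bits, so the strength of the scheme rests on the size of the real language dictionary loaded in place of TWI_SAMPLE.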
The table below indicates the activity schedule of my research project, which will be carried out throughout the project. This activity schedule is my time schedule for the project and might be altered at any time due to the nature of our second trimester academic work.
This research will be carried out entirely using internet services, printing and other services that may incur some costs. The following is therefore a breakdown of the proposed budget for this research.
The following are the results expected from the experiments to be carried out in this research:
A mitigation application (either web or mobile) that generates passphrases in the user's chosen language, using special methods to produce passwords that are difficult to guess yet easy to remember.
To raise awareness of the vulnerabilities in the human aspect of password-based systems.
To help secure users, to a large extent, against dictionary-based attacks.
This research aims at securing user accounts, networks and user data on web services by creating secure passwords that will be difficult, if not impossible, to crack, through a system that generates these passwords based on user preference.