Revisiting Defenses
against Large-Scale Online Password Guessing Attacks
ABSTRACT:
Brute force and dictionary attacks on
password-only remote login services are now widespread and ever increasing. Enabling
convenient login for legitimate users while preventing such attacks is a
difficult problem. Automated Turing Tests (ATTs) continue to be an effective,
easy-to-deploy approach to identify automated malicious login attempts with
reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy
of existing and proposed login protocols designed to address large scale online
dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We
propose a new Password Guessing Resistant Protocol (PGRP), derived upon
revisiting prior proposals designed to restrict such attacks. While PGRP limits
the total number of login attempts from unknown remote hosts to as low as a
single attempt per username, legitimate users in most cases (e.g., when
attempts are made from known, frequently-used machines) can make several failed
login attempts before being challenged with an ATT. We analyze the performance
of PGRP with two real-world data sets and find it more promising than existing
proposals.
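The abstract describes PGRP only at the level of its policy: a username gets as little as one failed attempt from unknown hosts before an Automated Turing Test is demanded, while a known, frequently used machine is allowed several failures first. The following is an added example of that policy, not the paper's own protocol; it assumes (hypothetically, not from the page) that a host becomes "known" for a username after one successful login from it, that known hosts get K_KNOWN = 3 failures and unknown hosts K_UNKNOWN = 1, that known-host failures are counted per (username, host) while unknown-host failures are counted per username, and that hosts are identified by an opaque string such as a login cookie or source address.

```python
# Added example, not the paper's own code: a simplified PGRP-style gatekeeper
# that demands an ATT instead of locking the account once a host has used up
# its allowance of failed attempts.
# Assumptions (hypothetical, not from the page): K_KNOWN and K_UNKNOWN below,
# the "known host" rule, and per-username counting for unknown hosts.
from collections import defaultdict

K_KNOWN = 3    # assumption: failures tolerated from a known machine
K_UNKNOWN = 1  # abstract: as low as a single attempt per username


class Gatekeeper:
    def __init__(self):
        self.failures = defaultdict(int)  # counter key -> consecutive failures
        self.known = set()                # (username, host) pairs

    def attempt(self, username, host, password_ok, att_solved=False):
        """Process one login attempt.

        password_ok is the outcome of the real credential check, performed by
        the caller; att_solved says whether the client answered the ATT that
        was demanded. Returns "grant", "deny", or "att" (an ATT is required
        before the password is even considered).
        """
        if (username, host) in self.known:
            key, limit = (username, host), K_KNOWN   # this machine's own allowance
        else:
            key, limit = username, K_UNKNOWN         # shared by every unknown host
        if self.failures[key] >= limit and not att_solved:
            return "att"  # not counted: the attempt is not processed at all
        if password_ok:
            self.failures[key] = 0
            self.known.add((username, host))
            return "grant"
        self.failures[key] += 1
        return "deny"
```

Two properties of the abstract are visible in the test: spreading guesses across many unknown hosts (a botnet) buys nothing, because the unknown-host allowance is per username rather than per host, and the legitimate user's known machine keeps its own allowance even while the account is under attack. An ATT rather than a lockout means the attacker can make the user solve a puzzle but cannot lock her out.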
EXISTING SYSTEM:
Wire Sniffing: When we speak of a passive online attack we usually mean sniffing the password off a wired or wireless network. The credential exchange is captured during the authentication phase and then compared against a dictionary file or word list.
Most sniffer tools are best suited to a hub environment, where every frame reaches every port; on a switched network the attacker first has to redirect traffic (for example by ARP spoofing) before any of it can be seen. These tools are called passive sniffers because they simply wait for data to be sent and record it. User account passwords are commonly hashed or encrypted before being sent on the network to prevent unauthorized access and use; in that case the attacker must run an offline cracking tool against the captured hash.
Brute Force: The most time-consuming attack is a brute-force attack, which tries every possible combination of uppercase and lowercase letters, numbers, and symbols.
A brute-force search is slower than a dictionary attack because of the number of possible character combinations in a password. It is nonetheless effective: given enough time and processing power, every password can eventually be found.
The targeted user has no way of noticing these attacks; only the login server sees the stream of failed attempts, which is why the server-side policy is what has to stop them.
PROPOSED SYSTEM:
In our method of protection against online password-guessing attacks and related denial-of-service attacks, the owner of an application instance and the users granted administrative privileges are referred to as administrators. Only the owner registers with the application provider; all other user accounts are created by administrators using a Web interface.
Each user logs in with three credentials rather than the usual two:
o The application instance name, which is considered a secret shared by the users of the application instance. The instance name can be changed by the owner.
o A user ID, which is known only to the user and the administrators. The user ID is chosen by the administrator who creates the user account, and can be changed by an administrator (by any administrator if the user has no administrative privileges, by the owner if the user is herself an administrator).
o A password, known only to the user.
After a certain number of consecutive bad guesses against a password, the user is locked out. Bad guesses count as consecutive if no successfully completed login to the user's account intervenes. All the consecutive bad guesses must be against the same password; counting starts over when the password is changed.
A user who has been locked out is allowed to log in again once her password has been reset.
When the user changes her password, she may not select as the new password one that has previously been used as a permanent or temporary password on her user account.
Because the instance name and the user ID are themselves secrets, an attacker who knows only a victim's name cannot simply trigger the lockout against her. This is what gives the method its protection against online guessing attacks and the related denial-of-service attacks, including attacks by ex-users (whose user IDs an administrator can change and whose instance name the owner can change), along with other security benefits.
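The lockout and password-history rules above, implemented as a small account model. This is an added example, not the proposed system's own code; it assumes (hypothetically, not from the page) a threshold of MAX_BAD = 5 consecutive bad guesses, salted SHA-256 password hashes, and a history that keeps the salt and hash of every permanent and temporary password ever set on the account.

```python
# Added example, not the page's own code: consecutive-bad-guess lockout,
# reset on success or password change, administrator reset with a temporary
# password, and a "never reuse any previous password" check.
# Assumptions (hypothetical, not from the page): MAX_BAD = 5, salted
# SHA-256 hashes, history stored as (salt, hash) pairs.
import hashlib
import hmac
import os

MAX_BAD = 5  # assumption: lockout threshold


def _hash(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()


class Account:
    def __init__(self, user_id, password):
        self.user_id = user_id
        self.history = []      # (salt, hash) of every password ever set
        self.bad_guesses = 0   # consecutive bad guesses against current password
        self.locked = False
        self._set(password)

    def _set(self, password):
        salt = os.urandom(16)
        self.salt, self.digest = salt, _hash(password, salt)
        self.history.append((salt, self.digest))
        self.bad_guesses = 0   # counting starts over on a password change

    @staticmethod
    def _matches(password, salt, digest):
        return hmac.compare_digest(_hash(password, salt), digest)

    def login(self, password):
        """Return "ok", "bad" or "locked"."""
        if self.locked:
            return "locked"   # even the right password is refused until reset
        if self._matches(password, self.salt, self.digest):
            self.bad_guesses = 0   # a successful login breaks the run
            return "ok"
        self.bad_guesses += 1
        if self.bad_guesses >= MAX_BAD:
            self.locked = True
            return "locked"
        return "bad"

    def change_password(self, new_password):
        """Reject any password previously used, permanent or temporary."""
        for salt, digest in self.history:
            if self._matches(new_password, salt, digest):
                return False
        self._set(new_password)
        return True

    def reset(self, temporary_password):
        """Administrator reset: the temporary password enters the history
        like any other, and the lockout is lifted only if it was accepted."""
        if not self.change_password(temporary_password):
            return False
        self.locked = False
        return True
```

A plain salted SHA-256 is used here only to keep the example short; a deployment would use a slow password hash (bcrypt, scrypt or Argon2) so that a stolen history cannot be cracked offline. Note also that the lockout itself is the denial-of-service lever: anyone who can address the account by its user ID can lock it, which is exactly why the scheme keeps the user ID and instance name secret.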
MODULES:
1. Pass Points Module.
2. Cued Click Points Module.
3. Persuasive Cued Click-Points Module.
MODULES DESCRIPTION:
Pass Points Module:
Based on
Blonder’s original idea, Pass Points (PP) is a click-based graphical password
system where a password consists of an ordered sequence of five click-points on
a pixel-based image. To log in, a user must click within some system-defined
tolerance region for each click-point. The image acts as a cue to help users
remember their password click-points.
Cued Click Points Module:
Cued Click Points (CCP) was developed as an alternative click-based graphical password scheme in which users select one point per image on each of five images. The interface displays only one image at a time; the image is replaced by the next one as soon as the user selects a click-point. The system chooses the next image to display as a deterministic function of the click-point just selected on the current image. This gives a one-to-one cued recall scenario in which each image triggers the user's memory of the single click-point on that image. In addition, if a user enters an incorrect click-point during login, the next image displayed will also be incorrect: legitimate users who see an unrecognized image know that they made an error with their previous click-point. Conversely, this implicit feedback is of no help to an attacker who does not know the expected sequence of images.
Persuasive Cued Click-Points Module:
To address the issue of hotspots, Persuasive Cued Click Points (PCCP) was proposed. As with CCP, a password consists of five click-points, one on each of five images. During password creation, most of the image is dimmed except for a small viewport that is randomly positioned on the image. Users must select a click-point within the viewport. If they are unable or unwilling to select a point in the current viewport, they may press the Shuffle button to reposition it at random. The viewport guides users toward more random passwords that are less likely to include hotspots. A user who is determined to reach a particular click-point may still shuffle until the viewport covers that location, but this is time-consuming and tedious, which is what discourages it.
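The core mechanics of all three modules (the tolerance check that PassPoints, CCP and PCCP share; CCP's deterministic next-image cue and its implicit feedback; PCCP's creation-time viewport and Shuffle) in one small model. This is an added example, not code from the PassPoints, CCP or PCCP papers or from this project. It assumes (hypothetically, not from the page) that clicks are discretised onto a fixed grid of TOL-pixel cells (the published schemes use a finer centred discretisation), that the next image is an HMAC of the current image and click cell under a per-user key, and an image pool of NUM_IMAGES images addressed by index.

```python
# Added example, not the schemes' own code: tolerance cells, CCP next-image
# function with implicit feedback, and PCCP viewport creation with shuffle.
# Assumptions (hypothetical, not from the page): grid discretisation with
# TOL-pixel cells, HMAC-based next-image choice, and the sizes below.
import hashlib
import hmac
import random

TOL = 19                   # assumption: tolerance cell size in pixels
NUM_IMAGES = 8             # assumption: size of the image pool
VIEWPORT = 75              # assumption: PCCP viewport side length
WIDTH, HEIGHT = 451, 331   # assumption: image dimensions


def cell(point):
    """Map a click to its tolerance cell; clicks in the same cell are equal."""
    x, y = point
    return (x // TOL, y // TOL)


def clicks_match(stored, attempt):
    """PassPoints check: five ordered clicks, each inside the stored cell."""
    return (len(stored) == len(attempt) == 5
            and all(cell(s) == cell(a) for s, a in zip(stored, attempt)))


def next_image(key, image, point):
    """CCP: the next image is a deterministic function of the current image
    and the click cell, so any click within tolerance leads to the same cue."""
    msg = f"{image}:{cell(point)}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % NUM_IMAGES


def ccp_path(key, first_image, clicks):
    """Images shown for a click sequence. A wrong click sends the user down
    a different path: the implicit feedback of CCP."""
    images = [first_image]
    for p in clicks:
        images.append(next_image(key, images[-1], p))
    return images


def ccp_verify(key, first_image, stored, attempt):
    """CCP login: every click within tolerance and the same image path."""
    return (clicks_match(stored, attempt)
            and ccp_path(key, first_image, stored)
            == ccp_path(key, first_image, attempt))


def new_viewport(rng):
    """PCCP: a randomly positioned viewport; the rest of the image is dimmed."""
    return (rng.randrange(0, WIDTH - VIEWPORT),
            rng.randrange(0, HEIGHT - VIEWPORT))


def in_viewport(vp, point):
    vx, vy = vp
    x, y = point
    return vx <= x < vx + VIEWPORT and vy <= y < vy + VIEWPORT


def pccp_create(rng, choose):
    """PCCP password creation. choose(viewport) returns the user's click, or
    None to press Shuffle. Returns the five clicks and the shuffle count."""
    points, shuffles = [], 0
    for _ in range(5):
        vp = new_viewport(rng)
        while True:
            p = choose(vp)
            if p is None:
                shuffles += 1          # Shuffle: reposition the viewport
                vp = new_viewport(rng)
                continue
            if not in_viewport(vp, p):
                raise ValueError("clicks outside the viewport are not accepted")
            points.append(p)
            break
    return points, shuffles
```

The shuffle counter is what makes the PCCP argument concrete: a user who insists on a hotspot has to keep pressing Shuffle until the viewport happens to cover it, and the count of those presses is the cost that discourages the behaviour. The fixed grid is deliberately simple; with it a click near a cell boundary can fall into a neighbouring cell on a later attempt, which is the usability problem centred discretisation exists to solve.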
HARDWARE REQUIREMENTS
• System: Pentium IV 2.4 GHz
• Hard disk: 40 GB
• Floppy drive: 1.44 MB
• Monitor: 15" VGA colour
• Mouse: Logitech
• RAM: 256 MB
• Keyboard: 110 keys enhanced
SOFTWARE REQUIREMENTS
• Operating system: Windows XP Professional
• Front end: Microsoft Visual Studio .NET 2008
• Coding language: C# .NET
• Database: SQL Server 2005
REFERENCE:
Mansour Alsaleh, Mohammad Mannan, and P.C. van Oorschot, "Revisiting Defenses against Large-Scale Online Password Guessing Attacks," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 1, January/February 2012.