Popularity is Everything: A New Approach to Protecting Passwords from Statistical-Guessing Attacks
Publication: Proceedings of the 5th USENIX conference on Hot topics in security, HotSec'10
Source 1: http://research.microsoft.com/pubs/132859/popularityISeverything.pdf
Source 2: http://www.eecs.harvard.edu/~michaelm/postscripts/hotsec2010.pdf
Source 3: http://static.usenix.org/events/hotsec10/tech/full_papers/Schechter.pdf
We propose to strengthen user-selected passwords against statistical-guessing attacks by allowing users of Internet-scale systems to choose any password they want--so long as it's not already too popular with other users. We create an oracle to identify undesirably popular passwords using an existing data structure known as a count-min sketch, which we populate with existing users' passwords and update with each new user password. Unlike most applications of probabilistic data structures, which seek to achieve only a maximum acceptable rate of false-positives, we set a minimum acceptable false-positive rate to confound attackers who might query the oracle or even obtain a copy of it.
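The mechanism the abstract describes, as an added example that is not code from the paper: a count-min sketch that counts each accepted password and refuses any whose estimated count has reached a threshold. The class and function names, the SHA-256 row hashing, the sketch dimensions and the threshold of 3 are assumptions chosen for illustration; the sample passwords are constructed.

```python
import hashlib

class PopularityOracle:
    """Count-min sketch over passwords; names and parameters are illustrative."""

    def __init__(self, width=1 << 16, depth=4, threshold=3):
        self.width, self.depth, self.threshold = width, depth, threshold
        self.rows = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        # One hash per row: SHA-256 salted with the row index
        # (an assumption; the abstract does not name a hash).
        for row in range(self.depth):
            digest = hashlib.sha256(bytes([row]) + password.encode("utf-8")).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def estimate(self, password):
        # Collisions only ever add to a cell, so the minimum across rows is an
        # upper bound on the true count: a popular password is never missed.
        return min(self.rows[r][c] for r, c in self._cells(password))

    def try_register(self, password):
        """Accept the password unless it is already too popular; count it if accepted."""
        if self.estimate(password) >= self.threshold:
            return False
        for r, c in self._cells(password):
            self.rows[r][c] += 1
        return True

    def false_positive_rate(self, unused_passwords):
        """Fraction of never-registered passwords the oracle reports as too popular."""
        hits = sum(self.estimate(p) >= self.threshold for p in unused_passwords)
        return hits / len(unused_passwords)


def demo():
    # Constructed sample data: five users pick the same password, two pick unique ones.
    chosen = ["123456"] * 5 + ["tr0ub4dor&3", "correct horse battery staple"]
    probes = [f"never-used-{i}" for i in range(200)]  # constructed, never registered
    results = {}
    # Width 1 is the degenerate extreme where every password shares one cell per
    # row; the wide sketch makes collisions in all rows vanishingly unlikely.
    for width in (1, 1 << 16):
        oracle = PopularityOracle(width=width)
        accepted = [oracle.try_register(p) for p in chosen]
        results[width] = (accepted, oracle.false_positive_rate(probes))
    return results

if __name__ == "__main__":
    for width, (accepted, fp) in demo().items():
        print(width, accepted, f"false-positive rate {fp:.2f}")
```

The sketch width is the knob that moves the false-positive rate between the two extremes shown, which is the parameter the abstract proposes to bound from below as well as from above.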