Stronger Password Authentication Using Browser Extensions
Authors: B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. Mitchell
Abstract:
We describe a simple browser extension, PwdHash, that transparently
produces a different password for each site, improving web
password security and defending against password phishing and other attacks.
Since the browser extension applies a cryptographic hash function to a
combination of the plaintext password entered by the user,
data associated with the web site, and (optionally) a
private salt stored on the client machine, theft of the password
received at one site will not yield a password that is useful at
another site. While the scheme requires no changes on the
server side, implementing this password method securely and
transparently in a web browser extension turns out to be quite difficult.
We describe the challenges we faced in
implementing PwdHash and some techniques that may be useful to
anyone facing similar security issues in a browser environment.
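The per-site derivation the abstract describes, as an added example (Python, not the PwdHash extension's own code): the hostname stands in for the "data associated with the web site", HMAC-SHA256 for the paper's hash function, and the `client_salt` parameter for the optional private salt; the choice of primitive, the field separator and the 16-character output length are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce the URL of the page receiving the password to the site identifier
    that is mixed into the hash. Here the lower-cased hostname is used (assumption)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def derive_site_password(master_password: str, url: str,
                         client_salt: bytes = b"", length: int = 16) -> str:
    """Return the password actually sent to the site.

    HMAC-SHA256 keyed with the user's plaintext password, over the site
    identifier and the optional client-side salt. Because the site name is an
    input, the value received by one site is useless at any other site, and a
    look-alike phishing domain receives a different value as well.
    The NUL separator and base64url truncation are choices made for this example.
    """
    site = site_key(url)
    msg = site.encode() + b"\x00" + client_salt
    digest = hmac.new(master_password.encode(), msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")[:length]


def demo() -> dict:
    """Constructed inputs: one master password typed at three different hostnames."""
    master = "correct horse battery"           # constructed sample password
    real = derive_site_password(master, "https://bank.example/login")
    again = derive_site_password(master, "https://BANK.example/reset")   # same site
    phish = derive_site_password(master, "https://bank-example.com/login")
    salted = derive_site_password(master, "https://bank.example/login", b"client-secret")
    return {"real": real, "again": again, "phish": phish, "salted": salted}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:7s} {value}")
```

Only the derived value ever leaves the browser, so a database leak or phishing page at one site exposes neither the master password nor the value used anywhere else.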
Reference:
In Proceedings of USENIX Security 2005
Full paper: pdf [first posted 10/2005]
Related papers: See the PwdHash web site. We developed a number of other anti-phishing tools.