This disclosure relates to login security.
The prevalent use of on-line systems requires security measures to protect valuable information. One security measure is a user and password login in which a user provides login credentials, e.g., a user identifier, a password, and perhaps other information. Passwords, however, can be broken through brute-force attacks or modified forms of brute-force attacks. The attacker forms tuples of the kind <u, p>, where u ∈ U, U being the set of user names, and p ∈ P, P being the set of passwords. To check whether <u, p> is valid, tuple permutations are submitted by an agent, e.g., a software robot, during a brute-force attack.
For a security system serving a large number of users, the rate of login processing is optimized by techniques such as password caches, multiple directory servers, etc. If R is the maximum achievable request rate and N is the number of possible passwords, then the time required to break the passwords is N/R seconds or less. Assume the login processing time for one login is 1/R seconds. By increasing R, users get better login response. At the same time, a high value of R also increases the attacker's password-breaking capability.
Consider, for example, the problem of breaking a password of 5 characters over a 64-character password alphabet, which gives a total password set of $64^5 = (2^6)^5 = 2^{30}$, approximately 1 billion. Typically, $R = 2^{20}$, yielding a password-breaking time of $2^{30}/2^{20} = 2^{10}$ seconds, which is about 17 minutes.
Defenses against such attacks include periodically resetting passwords, locking out accounts after a certain number of login failures, and using longer passwords. It is not practical to reset user passwords on a frequent basis, however. Likewise, account lockout does not necessarily provide a robust defense. Consider, for example, a user population of one million. The probability that a 5-symbol password belongs to one of the users is $2^{20}/2^{30} \approx 1/1000$. The attacker can thus take a permuted password and test it across users without reaching the account lock limit.
Long passwords alone are likewise not an efficient protection scheme. By increasing the password length to 12 symbols ($64^{12} = 2^{72}$), for example, the password-breaking time increases to $2^{72}/2^{20} = 2^{52}$ seconds, which is long enough to thwart password brute-force attacks. However, remembering such long passwords is difficult for users, and enforcing this policy across many enterprises is likewise a difficult task.
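The arithmetic behind the three paragraphs above (keyspace N, break time N/R, the per-guess hit probability U/N, and the lockout and password-length trade-offs) is reproduced in the following worked example. It is added here and is not part of the disclosure; the function names, the `lockout_would_trigger` policy model (lock after K failures within a window of W seconds) and the `min_length_for_break_time` helper are the editor's assumptions, chosen so a defender can plug in their own R, U, alphabet and lockout policy and see which figures the disclosure's reasoning produces.

```python
from fractions import Fraction

# Added worked example (not the disclosure's own code).  Exact rational
# arithmetic is used so that the powers of two in the disclosure come out
# exactly rather than as floating-point approximations.


def keyspace(alphabet_size: int, length: int) -> int:
    """N: number of possible passwords of a fixed length over an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(n_passwords: int, rate: int) -> Fraction:
    """Worst-case time to try every password at R requests per second (N/R)."""
    return Fraction(n_passwords, rate)


def hit_probability(n_users: int, n_passwords: int) -> Fraction:
    """Probability that one random guess equals some user's password.

    Assumes, as the disclosure's 2^20/2^30 estimate does, that the U users
    hold distinct passwords drawn uniformly from the N-password keyspace.
    """
    return Fraction(min(n_users, n_passwords), n_passwords)


def per_account_attempt_rate(rate: int, n_users: int) -> Fraction:
    """Attempts per second that each account sees when guesses are spread
    evenly over all U accounts at the system's full rate R."""
    return Fraction(rate, n_users)


def lockout_would_trigger(rate: int, n_users: int,
                          failure_threshold: int, window_seconds: int) -> bool:
    """Assumed policy model: lock an account after K failures within W seconds.

    Under an even spread of guesses the counter reaches K inside a window only
    if (R/U) * W >= K; otherwise the lockout never fires and gives no protection.
    """
    return per_account_attempt_rate(rate, n_users) * window_seconds >= failure_threshold


def min_length_for_break_time(alphabet_size: int, rate: int,
                              min_seconds: int) -> int:
    """Smallest password length L with A^L / R >= min_seconds (assumed helper)."""
    length = 1
    while keyspace(alphabet_size, length) < rate * min_seconds:
        length += 1
    return length


if __name__ == "__main__":
    A, R, U = 64, 2 ** 20, 2 ** 20                 # the disclosure's figures
    n5 = keyspace(A, 5)
    print("N for 5 symbols:", n5, "= 2^%d" % (n5.bit_length() - 1))
    print("break time at R=2^20:", seconds_to_exhaust(n5, R), "s (about 17 min)")
    print("per-guess hit probability with 2^20 users:", hit_probability(U, n5))
    print("attempts per account per second under spraying:",
          per_account_attempt_rate(R, U))
    print("lock after 5 failures in 60 s fires:", lockout_would_trigger(R, U, 5, 60))
    print("lock after 5 failures in 3 s fires:", lockout_would_trigger(R, U, 5, 3))
    n12 = keyspace(A, 12)
    print("break time for 12 symbols: 2^%d s" %
          (seconds_to_exhaust(n12, R).bit_length() - 1))
    print("length needed for a one-year break time:",
          min_length_for_break_time(A, R, 365 * 24 * 3600))
```

With the disclosure's numbers the per-account attempt rate under an even spray is one request per second, so whether a lockout policy fires depends entirely on how long its failure window is; the last call shows that a one-year worst-case break time at R = 2^20 needs 8 symbols over a 64-character alphabet rather than the 12 the disclosure uses for its 2^52-second figure.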