Team for Research in
Ubiquitous Secure Technology

Stronger Password Authentication Using Browser Extensions
B. Ross, C. Jackson, N. Miyake, D. Boneh, J. C. Mitchell

Citation
B. Ross, C. Jackson, N. Miyake, D. Boneh, J. C. Mitchell. "Stronger Password Authentication Using Browser Extensions". USENIX Security, 2005.

Abstract
We describe a simple browser extension, PwdHash, that transparently produces a different password for each site, improving web password security and defending against password phishing and other attacks. Since the browser extension applies a cryptographic hash function to a combination of the plaintext password entered by the user, data associated with the web site, and (optionally) a private salt stored on the client machine, theft of the password received at one site will not yield a password that is useful at another site. While the scheme requires no changes on the server side, implementing this password method securely and transparently in a web browser extension turns out to be quite difficult. We describe the challenges we faced in implementing PwdHash and some techniques that may be useful to anyone facing similar security issues in a browser environment.
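As an added illustration of the derivation the abstract describes (not the paper's own PwdHash code, which differs in hash choice and output encoding), the Python sketch below derives a per-site password from the master password, the site's domain and an optional client-side salt; the names `site_key` and `derive_site_password`, the HMAC-SHA256 choice and the two-label domain rule are assumptions made here.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def site_key(url: str) -> str:
    """Reduce a URL to the registrable domain used as the per-site input.

    Assumption: the last two host labels identify the site. This is a
    simplification; real deployments need a public-suffix list so that
    e.g. 'bank.co.uk' is not collapsed to 'co.uk'.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_site_password(master: str, url: str,
                         client_salt: bytes = b"", length: int = 16) -> str:
    """Return a site-specific password.

    The master password (plus an optional salt stored only on the client)
    keys an HMAC over the site's domain, so a password captured at one
    site, or typed into a look-alike phishing domain, reveals nothing
    usable at the genuine site.
    """
    domain = site_key(url)
    key = master.encode("utf-8") + client_salt
    digest = hmac.new(key, domain.encode("utf-8"), hashlib.sha256).digest()
    # Base64 keeps the result typeable; truncate to a site-friendly length.
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed sample inputs, not values from the paper.
    master = "correct horse battery staple"
    for url in ("https://www.bank.example/login",
                "https://shop.example/",
                "https://bank-example.test/login"):  # look-alike domain
        print(site_key(url), derive_site_password(master, url))
```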

Citation formats
  • HTML
    B. Ross, C. Jackson, N. Miyake, D. Boneh, J. C. Mitchell.
    <a href="http://www.truststc.org/pubs/602.html">Stronger Password Authentication Using Browser Extensions</a>, USENIX Security, 2005.
  • Plain text
    B. Ross, C. Jackson, N. Miyake, D. Boneh, J. C. Mitchell.
    "Stronger Password Authentication Using Browser Extensions". USENIX Security, 2005.
  • BibTeX
    @inproceedings{RossJacksonMiyakeBonehMitchell05_StrongerPasswordAuthenticationUsingBrowserExtensions,
        author = {B. Ross and C. Jackson and N. Miyake and D. Boneh
                  and J. C. Mitchell},
        title = {Stronger Password Authentication Using Browser
                  Extensions},
        booktitle = {USENIX Security},
        year = {2005},
        abstract = {We describe a simple browser extension, PwdHash,
                  that transparently produces a different password
                  for each site, improving web password security and
                  defending against password phishing and other
                  attacks. Since the browser extension applies a
                  cryptographic hash function to a combination of
                  the plaintext password entered by the user, data
                  associated with the web site, and (optionally) a
                  private salt stored on the client machine, theft
                  of the password received at one site will not
                  yield a password that is useful at another site.
                  While the scheme requires no changes on the server
                  side, implementing this password method securely
                  and transparently in a web browser extension turns
                  out to be quite difficult. We describe the
                  challenges we faced in implementing PwdHash and
                  some techniques that may be useful to anyone
                  facing similar security issues in a browser
                  environment. },
        URL = {http://www.truststc.org/pubs/602.html}
    }

Posted by Jessica Gamble on 16 Mar 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.