• Stronger Password Authentication Using Browser Extensions.

• Stronger Password Authentication Using Browser Extensions.
B. Ross, C. Jackson, N. Miyake, D. Boneh, J. C. Mitchell

Citation
B. Ross, C. Jackson, N. Miyake, D. Boneh, J. C. Mitchell. "• Stronger Password Authentication Using Browser Extensions.". Usenix security, 2005.

Abstract
We describe a simple browser extension, PwdHash, that transparently produces a different password for each site, improving web password security and defending against password phishing and other attacks. Since the browser extension applies a cryptographic hash function to a combination of the plaintext password entered by the user, data associated with the web site, and (optionally) a private salt stored on the client machine, theft of the password received at one site will not yield a password that is useful at another site. While the scheme requires no changes on the server side, implementing this password method securely and transparently in a web browser extension turns out to be quite difficult. We describe the challenges we faced in implementing PwdHash and some techniques that may be useful to anyone facing similar security issues in a browser environment.

Electronic downloads

http://crypto.stanford.edu/PwdHash/pwdhash.pdf

Citation formats

HTML

B. Ross, C. Jackson, N. Miyake, D. Boneh, J. C. Mitchell.
<a href="http://www.truststc.org/pubs/602.html"
>â�¢	Stronger Password Authentication Using
Browser Extensions.</a>, Usenix security, 2005.

Plain text

B. Ross, C. Jackson, N. Miyake, D. Boneh, J. C. Mitchell.
"â�¢	Stronger Password Authentication Using
Browser Extensions.". Usenix security, 2005.

BibTeX

@inproceedings{RossJacksonMiyakeBonehMitchell05_StrongerPasswordAuthenticationUsingBrowserExtensions,
    author = {B. Ross and C. Jackson and N. Miyake and D. Boneh
              and J. C. Mitchell},
    title = {â�¢	Stronger Password Authentication Using Browser
              Extensions.},
    booktitle = {Usenix security},
    year = {2005},
    abstract = {We describe a simple browser extension, PwdHash,
              that transparently produces a different password
              for each site, improving web password security and
              defending against password phishing and other
              attacks. Since the browser extension applies a
              cryptographic hash function to a combination of
              the plaintext password entered by the user, data
              associated with the web site, and (optionally) a
              private salt stored on the client machine, theft
              of the password received at one site will not
              yield a password that is useful at another site.
              While the scheme requires no changes on the server
              side, implementing this password method securely
              and transparently in a web browser extension turns
              out to be quite difficult. We describe the
              challenges we faced in implementing PwdHash and
              some techniques that may be useful to anyone
              facing similar security issues in a browser
              environment. },
    URL = {http://www.truststc.org/pubs/602.html}
}

Posted by Jessica Gamble on 16 Mar 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.