IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, NO. 1, JANUARY/FEBRUARY 2012
Revisiting Defenses against Large-Scale Online Password Guessing Attacks

Mansour Alsaleh, Mohammad Mannan, and P.C. van Oorschot, Member, IEEE

Abstract—Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing. Enabling convenient login for legitimate users while preventing such attacks is a difficult problem. Automated Turing Tests (ATTs) continue to be an effective, easy-to-deploy approach to identify automated malicious login attempts with reasonable cost of inconvenience to users. In this paper, we discuss the inadequacy of existing and proposed login protocols designed to address large-scale online dictionary attacks (e.g., from a botnet of hundreds of thousands of nodes). We propose a new Password Guessing Resistant Protocol (PGRP), derived upon revisiting prior proposals designed to restrict such attacks. While PGRP limits the total number of login attempts from unknown remote hosts to as low as a single attempt per username, legitimate users in most cases (e.g., when attempts are made from known, frequently-used machines) can make several failed login attempts before being challenged with an ATT. We analyze the performance of PGRP with two real-world data sets and find it more promising than existing proposals.

Index Terms—Online password guessing attacks, brute force attacks, password dictionary, ATTs.
attacks on password-based systems are inevitable and commonly observed against web applications and SSH logins. In a recent report, SANS identified password guessing attacks on websites as a top cyber security risk. As an example of SSH password-guessing attacks, one experimental Linux honeypot setup has been reported to suffer on average 2,805 SSH malicious login attempts per computer per day (see also ). Interestingly, SSH servers that disallow standard password authentication may also suffer guessing attacks, e.g., through the exploitation of a lesser known/used SSH server configuration called keyboard interactive authentication. However, online attacks have some inherent disadvantages compared to offline attacks: attacking machines must engage in an interactive protocol, thus allowing easier detection; and in most cases, attackers can try only a limited number of guesses from a single machine before being locked out, delayed, or challenged to answer Automated Turing Tests (ATTs, e.g., CAPTCHAs). Consequently, attackers often must employ a large number of machines to avoid detection or lock-out. On the other hand, as users generally choose common and relatively weak passwords (thus allowing effective password dictionaries , ), and attackers currently control large botnets (e.g., Conficker), online attacks are much easier than before.
M. Alsaleh and P.C. van Oorschot are with the School of Computer Science, Carleton University, 5145 Herzberg building, 1125 Colonel By Drive, Ottawa, ON K1S 5B6, Canada. E-mail: email@example.com, firstname.lastname@example.org.
M. Mannan is with the Concordia Institute for Information Systems Engineering, Concordia University, 1515 Ste-Catherine Street West, EV7.640, Montreal, QC, H3G 2W1 Canada. E-mail: email@example.com.
Manuscript received 7 Sept. 2010; revised 17 Feb. 2011; accepted 22 Mar. 2011; published online 27 Apr. 2011.
For information on obtaining reprints of this article, please send e-mail to: firstname.lastname@example.org, and reference IEEECS Log Number TDSC-2010-09-0153.
Digital Object Identifier no. 10.1109/TDSC.2011.24.
1545-5971/12/$31.00 © 2012 IEEE
One effective defense against automated online password guessing attacks is to restrict the number of failed trials without ATTs to a very small number (e.g., three), limiting automated programs (or bots) as used by attackers to three free password guesses for a targeted account, even...
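The following is an added illustration, not the paper's own PGRP specification, of the two policies discussed above: the baseline "a few free guesses per targeted account before an ATT" defense, and the abstract's idea of granting a much larger failed-attempt budget to known machines than to unknown ones. The `LoginThrottle` class, its thresholds, and the use of a bare "host" string (standing in for whatever a deployment uses to recognise a machine, such as a source address or a cookie) are assumptions of this example.

```python
"""Added example: per-username failure budgets for known vs. unknown hosts.

Not the paper's PGRP; thresholds and the "host" identifier are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    # Failed guesses processed for a username from ALL unknown hosts combined
    # before any further unknown-host attempt must solve an ATT (assumed value).
    unknown_host_limit: int = 1
    # Failed guesses processed per (host, username) pair from a host that has
    # previously logged into that account successfully (assumed value).
    known_host_limit: int = 3
    # (host, username) pairs with a prior successful login from that host.
    known: set = field(default_factory=set)
    # username -> failed attempts from unknown hosts (shared across hosts, so a
    # botnet spreading guesses over many machines does not enlarge the budget).
    failed_unknown: dict = field(default_factory=lambda: defaultdict(int))
    # (host, username) -> failed attempts from a known host.
    failed_known: dict = field(default_factory=lambda: defaultdict(int))

    def requires_att(self, host: str, username: str) -> bool:
        """True when the next attempt from this host must include a solved ATT."""
        if (host, username) in self.known:
            return self.failed_known[(host, username)] >= self.known_host_limit
        return self.failed_unknown[username] >= self.unknown_host_limit

    def record_attempt(self, host: str, username: str,
                       password_ok: bool, att_passed: bool = False) -> str:
        """Process one login attempt; returns 'success', 'fail' or 'att_required'.

        The password is only checked if no ATT is due or the ATT was solved, so
        an 'att_required' response leaks nothing about password correctness.
        """
        if self.requires_att(host, username) and not att_passed:
            return "att_required"
        if password_ok:
            # A successful login marks the host as known for this account and
            # clears that host's own failure counter.
            self.known.add((host, username))
            self.failed_known.pop((host, username), None)
            return "success"
        if (host, username) in self.known:
            self.failed_known[(host, username)] += 1
        else:
            self.failed_unknown[username] += 1
        return "fail"


def free_guesses(throttle: LoginThrottle, username: str,
                 hosts: list, max_tries: int = 100) -> int:
    """Count wrong-password attempts, rotated across `hosts`, that the throttle
    processes without demanding an ATT. Models a bot that never solves ATTs."""
    processed = 0
    for i in range(max_tries):
        host = hosts[i % len(hosts)]
        if throttle.record_attempt(host, username, password_ok=False) == "att_required":
            break
        processed += 1
    return processed


if __name__ == "__main__":
    # Constructed scenario: a three-node bot against one account.
    bots = ["bot-a", "bot-b", "bot-c"]
    print("baseline (3 free guesses/account):",
          free_guesses(LoginThrottle(unknown_host_limit=3), "carol", bots))
    print("unknown hosts limited to 1/username:",
          free_guesses(LoginThrottle(), "carol", bots))
```

Run as a script it prints how many ATT-free guesses the constructed three-node bot gets under each policy; the tests below also walk through a legitimate user on a known machine, who is allowed several typos before being challenged, while a later attempt on the same account from a never-seen host is challenged immediately once the unknown-host budget is spent.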