Bibliographic References
Neural Network Techniques for Proactive Password Checking
October-December 2006 (vol. 3 no. 4)
pp. 327-339
This paper deals with the access control problem. We assume that valuable resources need to be protected against unauthorized users and that, to this aim, a password-based access control scheme is employed. Such an abstract scenario captures many application settings. The issue we focus our attention on is the following: password-based schemes provide a certain level of security only as long as users choose good passwords, i.e., passwords that are hard to guess in a reasonable amount of time. In order to force users to make good choices, a proactive password checker can be implemented as a submodule of the access control scheme. Such a checker, any time the user chooses or changes his own password, decides on the fly whether to accept or refuse the new password, depending on its guessability. Hence, the question is: how can we get an effective and efficient proactive password checker? By means of neural networks and statistical techniques, we answer the above question, developing suitable proactive password checkers. Through a series of experiments, we show that these checkers have very good performance: error rates are comparable to those of the best existing checkers, implemented on different principles and by using other methodologies, and the memory requirements are better in several cases. It is the first time that neural network technology has been fully and successfully applied to designing proactive password checkers.
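As an added illustration of the kind of submodule the abstract describes (this is example code written for this page, not code from the paper or its authors): a minimal proactive password checker that, on each password change, refuses the candidate if it is too short, if it matches a weak-password dictionary after normalising case and trailing digits, or if it scores as too dictionary-like under a character-bigram model trained on that dictionary. The dictionary is constructed here, and the bigram model and the threshold of -3.0 are stand-ins chosen for this example; the paper's own neural network and statistical models are not described on this page.

```python
"""Minimal proactive password checker (added example, not the paper's code).

A candidate password is refused on the fly if it is short, is a trivial
variant of a known weak password, or looks statistically like one.
"""
from __future__ import annotations

import math
from collections import Counter

# Constructed sample of weak passwords, standing in for a real cracking
# dictionary such as the ones used by password-cracking tools.
WEAK_DICTIONARY = [
    "password", "letmein", "qwerty", "welcome", "monkey", "dragon",
    "baseball", "football", "master", "sunshine", "princess", "shadow",
    "iloveyou", "trustno1", "abc123", "password1", "admin", "login",
]

MIN_LENGTH = 8            # assumed policy value for this example
GUESSABILITY_THRESHOLD = -3.0  # assumed: mean log-prob per char above this => refuse


class BigramModel:
    """Character-bigram model with add-one smoothing.

    Trained on weak passwords, so a HIGHER mean log-probability means the
    candidate looks MORE like a typical weak password.
    """

    def __init__(self, words: list[str]) -> None:
        self.bigrams: Counter = Counter()
        self.unigrams: Counter = Counter()
        alphabet: set[str] = set()
        for w in words:
            s = "^" + w.lower() + "$"  # ^ and $ mark start and end of word
            for a, b in zip(s, s[1:]):
                self.bigrams[(a, b)] += 1
                self.unigrams[a] += 1
                alphabet.add(b)
        self.vocab = len(alphabet) + 1  # +1 reserves mass for unseen symbols

    def score(self, password: str) -> float:
        """Mean per-transition log-probability of the candidate under the model."""
        s = "^" + password.lower() + "$"
        total = 0.0
        for a, b in zip(s, s[1:]):
            p = (self.bigrams[(a, b)] + 1) / (self.unigrams[a] + self.vocab)
            total += math.log(p)
        return total / (len(s) - 1)


def normalize(password: str) -> str:
    """Fold trivial variants (case, trailing digits) onto a dictionary form."""
    return password.lower().rstrip("0123456789")


MODEL = BigramModel(WEAK_DICTIONARY)
_DICT = set(WEAK_DICTIONARY)


def check_password(password: str) -> tuple[bool, str]:
    """Decide whether to accept a new password; returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "length"
    if normalize(password) in _DICT or password.lower() in _DICT:
        return False, "dictionary"
    if MODEL.score(password) > GUESSABILITY_THRESHOLD:
        return False, "guessable"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "Password1", "short", "passwords1", "x7#Kq!pL9zW"]:
        accepted, reason = check_password(candidate)
        print(f"{candidate!r}: {'accept' if accepted else 'refuse'} ({reason})")
```

The dictionary test catches exact and trivially derived weak choices; the bigram score catches candidates that are not in the list but are built from the same letter transitions, which is the sense in which the abstract's checkers judge "guessability" rather than membership alone. The threshold would be tuned on held-out weak and strong samples in practice, and the error rates the abstract reports are exactly the accept-weak and refuse-strong rates such tuning trades off.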

[1] F. Bergadano, B. Crispo, and G. Ruffo, “High Dictionary Compression for Proactive Password Checking,” ACM Trans. Information and System Security, vol. 1, no. 1, pp. 3-25, 1998.
[2] S.M. Bellovin and M. Merritt, “Encrypted Key Exchange: Password-Based Protocols Secure against Dictionary Attacks,” Proc. IEEE Symp. Research in Security and Privacy, pp. 72-84, 1992.
[3] C.M. Bishop, Neural Networks for Pattern Recognition. Oxford Univ. Press, 1995.
[4] M. Bishop, “Proactive Password Checking,” Proc. Fourth Workshop Computer Security Incident Handling, pp. 1-9, 1992.
[5] C. Blundo, P. D'Arco, A. De Santis, and C. Galdi, “Hyppocrates: A New Proactive Password Checker,” J. Systems and Software, vol. 71, nos. 1-2, pp. 163-175, Apr. 2004.
[6] C. Blundo, P. D'Arco, A. De Santis, and C. Galdi, “A Novel Approach to Proactive Password Checking,” Proc. Infrastructure Security (INFRASEC '02), pp. 30-39, 2002.
[7] M.K. Boyarsky, “Public-Key Cryptography and Password Protocols: The Multi-User Case,” ACM Conf. Computer and Comm. Security, pp. 63-72, 1999.
[8] V. Boyko, P. MacKenzie, and S. Patel, “Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman,” Proc. Eurocrypt 2000, pp. 156-171, 2000.
[9] A. Ciaramella, R. Tagliaferri, W. Pedrycz, and A. Di Nola, “Fuzzy Relational Neural Network,” Int'l J. Approximate Reasoning, vol. 41, pp. 146-163, 2006.
[10] C. Davies and R. Ganesan, “Bapasswd: A New Proactive Password Checker,” Proc. 16th Nat'l Conf. Computer Security, pp.1-15, 1993.
[11] N.M. Haller, “The S/KEY One-Time Password System,” Proc. ISOC Symp. Networks and Distributed Systems Security, 1994.
[12] N. Haller, C. Metz, P. Nesser, and M. Straw, A One-Time Password System, Request for Comments 2289, 1998.
[13] L.C. Jain, U. Halici, I. Hayashi, S.B. Lee, and S. Tsutsui, Intelligent Biometric Techniques in Fingerprint and Face Recognition. CRC Press, 1999.
[14] “John the Ripper” password cracker, http://www.openwall.com/john, 2006.
[15] A.D. Muffett, “Crack 5.0,” 1997.
[16] A.D. Muffett, “Cracklib v2.7: A Proactive Password Sanity Library,” 1997.
[17] J.B. Nagle, “An Obvious Password Detector,” Usenet News, 1988.
[18] J. Katz, R. Ostrovsky, and M. Yung, “Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords,” Proc. Eurocrypt '01, pp. 475-495, 2001.
[19] D.V. Klein, “Foiling the Cracker–A Survey of, and Improvements to, Password Security,” Proc. Second USENIX Workshop Security, pp. 5-14, 1990.
[20] R. de Luis-García, C. Alberola-López, O. Aghzout, and J. Ruiz-Alzola, “Biometric Identification Systems,” Signal Processing, vol. 83, no. 12, pp. 2539-2557, 2003.
[21] I.T. Nabney, NETLAB-Algorithms for Pattern Recognition. Springer-Verlag, 2002.
[22] C. Schnorr, “Efficient Identification and Signature for Smart-Cards,” Proc. Eurocrypt '89, pp. 239-252, 1989.
[23] E. Spafford, “Opus: Preventing Weak Password Choices,” Computers and Security 3, 1992.
[24] R. Stalling, Network and Internetwork Security Principles and Practice. Prentice Hall, 1995.
[25] T. Wu, “The Secure Remote Password Protocol,” Proc. ISOC Network and Distributed System Security Symp., pp. 97-111, 1998.
[26] J. Yan, “A Note on Proactive Password Checking,” Proc. ACM New Security Paradigms Workshop, Sept. 2001.

Index Terms:
System security, access control, passwords, machine learning, neural networks.
Angelo Ciaramella, Paolo D'Arco, Alfredo De Santis, Clemente Galdi, Roberto Tagliaferri, "Neural Network Techniques for Proactive Password Checking," IEEE Transactions on Dependable and Secure Computing, vol. 3, no. 4, pp. 327-339, Oct.-Dec. 2006, doi:10.1109/TDSC.2006.53