A Password Meter without Password Exposure

Authors
  • Kim, Pyung1
  • Lee, Younho2
  • Hong, Youn-Sik1
  • Kwon, Taekyoung3
  • 1 (Y.-S.H.)
  • 2 ITM Programme, Department of Industrial Engineering, Seoul National University of Science and Technology, Seoul 01811, Korea
  • 3 Graduate School of Information, Yonsei University, Seoul 03722, Korea
Type
Published Article
Journal
Sensors
Publisher
MDPI AG
Publication Date
Jan 06, 2021
Volume
21
Issue
2
Identifiers
DOI: 10.3390/s21020345
PMID: 33419094
PMCID: PMC7825399
Source
PubMed Central
License
Green

Abstract

To satisfy a server's password selection criteria, a user occasionally has to submit several candidate passwords to an on-line password meter. Such user-chosen candidates tend to be derived from the user's existing passwords, so the meter has a high chance of learning information about passwords the user employs for other purposes; a third-party password metering service worsens this threat. In this paper we first explore a new on-line password meter concept in which the server evaluates user-chosen password candidates without those candidates being exposed to it. The basic idea is straightforward: build the meter on a fully homomorphic encryption (FHE) scheme. Achieving practical performance, however, is the main challenge, and optimization techniques are essential. We apply several performance enhancement techniques and implement the NIST (National Institute of Standards and Technology) metering method as a first instance of this approach. Our experimental results show that the proposed meter runs in around 60 s on a conventional desktop server, using an FHE scheme from the HElib library with parameters that provide at least 80-bit security; better performance can be expected on high-end hardware. We believe the proposed method can be further explored and used for password metering wherever password secrecy is paramount: the user's password candidates must not be exposed to the meter, and the meter's internal mechanism must not be disclosed to users or any other third party.
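The abstract names the NIST metering method as the scoring logic the encrypted meter evaluates. The block below is an added plaintext reference implementation, not code from the paper, of the NIST SP 800-63 (2006, Appendix A) password entropy heuristic, which is assumed here to be that method. It is deliberately structured so that the scorer consumes only the password length, a per-character pair of class flags, and an equality test against a wordlist: the kinds of operations an FHE-based meter would have to carry out on ciphertexts. The wordlist, the acceptance threshold and the reading of the dictionary bonus as applying below 20 characters are this example's assumptions.

```python
# Added example (not the paper's code): plaintext reference for the NIST
# SP 800-63 entropy heuristic, assumed to be the "NIST metering method"
# named in the abstract. Every input the scorer uses is the length, a
# per-character class flag, or a wordlist equality test, i.e. the kind of
# operation a homomorphic meter must evaluate over encrypted inputs.

from typing import List, Tuple

# Constructed wordlist standing in for an extensive dictionary (assumption).
DICTIONARY = frozenset({"password", "letmein", "qwerty", "welcome", "iloveyou"})


def encode(password: str) -> List[Tuple[bool, bool]]:
    """Per-character features: (is_upper, is_non_alphabetic).

    In the private-meter setting these flags, not the characters, are what
    the client would encrypt and hand to the server."""
    return [(c.isupper(), not c.isalpha()) for c in password]


def positional_bits(length: int) -> float:
    """Length-only term: 4 bits for character 1, 2 bits each for
    characters 2..8, 1.5 bits each for 9..20, 1 bit each from 21 on."""
    bits = 0.0
    for pos in range(1, length + 1):
        if pos == 1:
            bits += 4.0
        elif pos <= 8:
            bits += 2.0
        elif pos <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits


def composition_bonus(features: List[Tuple[bool, bool]]) -> float:
    """+6 bits when both an upper-case and a non-alphabetic character occur.

    NIST grants the bonus for a composition rule that requires them;
    checking for presence is the usual meter implementation (assumption)."""
    has_upper = any(upper for upper, _ in features)
    has_nonalpha = any(nonalpha for _, nonalpha in features)
    return 6.0 if has_upper and has_nonalpha else 0.0


def dictionary_bonus(password: str, length: int) -> float:
    """+6 bits if the password survives the dictionary check.

    NIST lets this credit fall to zero at 20 characters, read here as
    applying only to shorter passwords (assumption)."""
    if length >= 20:
        return 0.0
    return 0.0 if password.lower() in DICTIONARY else 6.0


def nist_entropy(password: str) -> float:
    """Total estimated bits for one candidate password."""
    features = encode(password)
    length = len(features)
    return (positional_bits(length)
            + composition_bonus(features)
            + dictionary_bonus(password, length))


def meets_policy(password: str, min_bits: float = 30.0) -> bool:
    """Server-side acceptance rule; the 30-bit threshold is this example's choice."""
    return nist_entropy(password) >= min_bits


if __name__ == "__main__":
    for pw in ["password", "Passw0rd!", "correct horse battery staple"]:
        print(f"{pw!r}: {nist_entropy(pw):.1f} bits, accepted={meets_policy(pw)}")
```

Reading the scorer as a circuit is the point: `positional_bits` is a sum of per-position constants gated by length comparisons, `composition_bonus` is an OR over per-character flags followed by an AND, and `dictionary_bonus` is a batch of equality tests against a list the server holds and never reveals. Those are exactly the operations that dominate cost once each input is a ciphertext, which is why the abstract's 60 s figure is about optimizing comparisons rather than the arithmetic itself.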
