Total views : 115

A Theoretical Framework for Password Security against Offline Guessability Attacks


  • Department of Information Technology, Quaid-e-Awam University of Engineering, Science and Technology, Sakrand Road, Nawabshah – 67450, India
  • Department of Computer Systems Engineering, Quaid-e-Awam University of Engineering, Science and Technology, Sakrand Road, Nawabshah – 67450, India


Objectives: Security of textual passwords is increased against offline guessability attacks by using different encryption methods. However, even after encryption textual passwords may be guessed through brute-force or dictionary attacks. Method: In this paper, a theoretical framework is developed which provides guidelines for improving password security against offline guessability attacks such as brute force and dictionary attacks. In the proposed framework different password security layers are defined which convert a password into a form which is very difficult to crack through offline guessability attacks. The framework layers are implemented at application and database level. Findings: In the proposed framework a short and easy to remember password string is converted into a long and random string which does not provide any hint of original password. However, it is important that the methodology or logic used for implementing the framework layers should be hidden from the attackers because the layers’ methodology may provide a clue for password cracking. Layers of the proposed framework can be implemented with different logics, which are helpful in hiding the implementation details of the layers. Application/Improvements: Proposed framework is not only helpful for improving security of traditional textual password scheme but it can also improve the security for graphical password schemes against offline guessability attacks.


Authentication, Guessability Attacks, Privacy, Password Security, Textual Passwords

Full Text:

 |  (PDF views: 61)


  • Zhao H, Li X. S3PAS: a scalable shoulder-surfing resistant textual-graphical password authentication scheme. In the Proceedings of the Institute of Electrical and Electronics Engineers (IEEE) 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW), Canada. 2007 May 21–23; 2:467–72.Crossref.
  • Weinshall D. Cognitive authentication schemes safe against spyware. In Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy, USA; 2006 May 21–24. p. 1–6. Crossref.
  • Das A, Bonneau J, Caesar M, Borisov N, Wang X. The tangled web of password reuse. In the Proceedings of the NDSS, San Diego, CA, USA; 2014 Feb 23–26. p. 1–15.
  • Consumer Survey: Password Habits. CSID; 2012. Accessed on 08 January 2017 Available from FullReport_FINAL.pdf
  • Preneel B. Cryptographic hash functions. Transactions on Emerging Telecommunications Technologies. 1994 Jul; 5(4):431–48. Crossref
  • Coron JS, Dodis Y, Malinaud C, Puniya P. Merkle-Damgard revisited: how to construct a hash function. In the Proceeding of the Annual International Cryptology Conference, Lecture Notes in Computer Science, Springer. 2005; 3621:430–48.Crossref
  • Klein DV. Foiling the cracker: a survey of and improvements to, password security. In the Proceedings of the 2nd USENIX Security Workshop; 1990. p. 5–14.
  • Suo X, Zhu Y, Owen GS. Graphical passwords: a survey.In the Proceedings of the Institute of Electrical and Electronics Engineers (IEEE) 21st Annual Computer Security Applications Conference, USA; 2005 Dec 5–9.p. 1–10.
  • Schneier B. Inside risks: the uses and abuses of biometrics.Communications of the Association for Computing Machinery (ACM). 1999 Aug; 42(8):136. Crossref
  • Morris R, Thompson K. Password security: a case history. Communications of the Association for Computing Machinery (ACM). 1979 Nov; 22(11):594–7.Crossref
  • Cisar P, Cisar SM. Password-a form of authentication. In the Proceedings of the Institute of Electrical and Electronics Engineers (IEEE) 5th International Symposium on Intelligent Systems and Informatics, Serbia; 2007 Aug 24–25. p. 29–32.Crossref
  • Zviran M, Haga WJ. Password security: an empirical study. Journal of Management Information Systems. 1999; 15(4):161–85. Crossref
  • Dierks T. The transport layer security (TLS) protocol version 1.2. Rescorla E editor, RTFM Inc; 2008 Aug.p. 4–63.
  • Freier A, Karlton P, Kocher P. The secure sockets layer (SSL) protocol version 3.0. Internet Engineering Task Force (IETF); 2011 Aug. p. 5–67.
  • Xiao-ling W. Research and application of MD5 encryption algorithm [J]. Information Technology; 2010.
  • Provos N, Mazieres D. Bcrypt algorithm. USENIX; 1999 Apr 28. p. 1–13.
  • Florencio D, Herley C, Oorschot PCV. An administrator’s guide to internet password research. In the Proceedings of the Association for Computing Machinery (ACM) 28th USENIX conference on Large Installation System Administration (LISA), WA; 2014 Nov 9–14. p. 35–52.


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.