Overcome Password Stealing By Using Opass Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Text passwords have been adopted as the primary mean for user authentication in online websites. Humans are not experts in memorizing the text passwords therefore they rely on the weak passwords and reuse the same passwords. Routine reuse of weak passwords will lead to domino effect. As they are the static passwords used for authentication there are some adversary who can launch attacks to steal passwords, and suffers quitely from few security drawbacks: such as phishing, keyloggers and malware. This major problem can be overcome by adapting a user authentication protocol named oPass which leverages a user's cellphone and an short message service to thwart password stealing and password reuse attacks. Opass can greatly avoid the man-in-middle attacks and any traping of passwords in the browser. In case of users lose their cellphones, opass system still works by reissuing the SIM cards and long-term passwords. This approach is a more efficient user authentication protocol and is at affordable cost compared to the conventional web authentication mechanism. Therefore users are free from typing any passwords into untrusted computer for login and greatly ensures independence between each login. Opass is more secure than the original systems and is also implemented to measure the performance and reduce the total execution time.

Index Terms-security, password

stealing , user authentication.


One of the ancient way to prove identity or gain access to a resource is passwords. A password may be of a secret word or string of characters that is used for authentication purpose. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving the e-mail

from servers, accessing programs, databases, networks, web sites, and even reading the morning newspaper online. In websites inorder to maintain privacy to greater extent and provide high level of security we use passwords.

Over the past few decades, text password has been adopted as the primary mean of user authentication for websites. People select their username and text passwords when registering accounts on a website. In order to log into the website successfully, users must recall the selected passwords. As humans are not experts in memorizing passwords they easily forget the passwords and these users firstly often select weak passwords and reuse the same passwords across different websites. Routinely reusing passwords causes a domino effect; when an adversary compromises one password, they will exploit it to gain access to more websites. Second, typing passwords into untrusted computers suffers password thief threat. An adversary can launch several password stealing attacks to snatch passwords, such as phishing, keyloggers and malware.

The first commonly used method is the password-based user authentication can resist brute force and dictionary attacks if users select strong password sto provide sufficient entropy. However, password-based user authentication has a major problem that humans are feel hard to keep those passwords in memory. Thus, most users would choose easy-to-remember passwords (i.e., weak passwords) even if they know the passwords might be unsafe. Another crucial problem is that users tend to reuse passwords across various websites. Password reuse causes users to lose sensitive information stored in different websites if a hacker compromises one of their passwords. This attack is referred to as the password reuse attack. The above problems are caused by the negative influence of human factors. Therefore, it is important to take human factors into consideration when designing a user authentication protocol.


Inorder to reduce the negative influence of human factors in the user authentication procedure, the researchers have investigated a variety of technology. Since humans are more adept in remembering graphical passwords than text passwords , many graphical password schemes were designed to address human's password recall problem. Using password management tools is an alternative. These tools automatically generate strong passwords for each website, which addresses password reuse and password recall problems. The advantage is that users only have to remember a master password to access the management tool.

Despite the assistance of these two technologies graphical password and password management tool the user authentication system still suffers from some considerable drawbacks. Although graphical password is a great idea, it is not yet mature enough to be widely implemented in practice and is still vulnerable to several attacks. Password management tools work well; however, general users doubt its security and thus feel uncomfortable about using it. Furthermore, they have trouble using these tools due to the lack of security knowledge.

Besides the password reuse attack, it is also important to consider the effects of password stealing attacks. Adversaries steal or compromise passwords and impersonate users' identities to launch malicious attacks, collect sensitive information, perform unauthorized payment actions, or leak financial secrets. Phishing is the most common and efficient password stealing attack.

2.1 Three Factor Authentication(TFA)

Some researches focus on TFA rather than password-based authentication to provide more reliable user authentication. The TFA takes advantage of a combination of three major factors of authentication which includes verification by something a user knows (such as a password), something the user has (such as a smart card or a security token), and something the user is (suh as biometrics).

Figure1:Three Factor Authentication

To pass the authentication, the user must input a password and provide a pass code generated by the token (e.g., RSA SecureID ), and scan her biometric features (e.g.,fingerprint). This provides superior security. The major drawback is though it provides high level security, because of its increased complexity and of comparatively high cost, this cannot be adopted in all environments.

2.2 Two Factor Authentication

To resolve this a more attractive and practical approach Two-factor authentication (2FA) is adopted  which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is").Although there are many banks that support two-factor authentication, it still suffers from the negative influence of human factors, such as the password reuse attack. Users have to memorize another four-digit PIN code to work together with the token, for example RSA SecureID. In this method also to remember the tokens is very difficult.

Figure2: Two Factor Authentication


A user authentication protocol named oPass which leverages a user's cellphone and short message service (SMS) to prevent password stealing and password reuse attacks. The most difficult is to thwart password reuse attacks from any protection scheme where the users have to bring something for every transaction. The main cause of stealing password attacks is when users type passwords to untrusted public computers.

Therefore, the main concept of oPass is free users from having to remember or type any passwords into conventional computers for authentication. Unlike generic user authentication, oPass involves a new component, the cellphone, which is used to generate one-time passwords and a new communication channel, SMS, which is used to transmit authentication messages to maintain a high level of security.


4.1 Login Phase:

The login phase begins when the user sends a request to the server through an untrusted browser (on a kiosk). The user uses her cell phone to produce a password, and deliver necessary information encrypted with to server via an SMS message. Based on preshared secret credential, server can verify and authenticate.

4.2 Registration Phase:

The aim of this phase is to allow a user and a server to negotiate a shared secret to authenticate succeeding logins for this user. The user begins by opening the oPass program installed on her cellphone. User enters ID (account id she prefers) and ID (usually the website url or domain name) to the program. The mobile program sends ID and ID to the telecommunication service provider (TSP) through a 3G connection to make a request of registration.

4.3 Recovery Phase:

Recovery phase is designated for some specific conditions; for example, a user may lose her cell phone. The protocol is able to recover oPass setting on her new cell phone assuming she still uses the same phone number (apply a new SIM card with old phone number).

Once user installs the oPass program on her new cellphone, the user can launch the program to send a recovery request with the specified account ID and requested server ID to predefined TSP through a 3G connection.

4.4 Architecture

The Architecture diagram of oPass system tells that it is used to greatly reduce from malware and phishing. Provides security at local and remote site. And has improved unique identity. The oPass also provides high level security which is at affordable cost.

Figure3:oPass Architecture

Also the usage of OTP(One Time Password) is valid only for 30sec or to the maximum of 1minute.Therefore hacking of the OTP is useless. Hence the features of adopting the OTP,SMS Channel and 3G Connection are to be given as:

4.1.1 OTP

The one-time passwords in oPass are generated by a secure one-way hash function. With a given input , the set of onetime passwords is established by a hash chain through multiple

hashing. Assuming we wish to prepare one-time passwords, the first of these passwords is produced by performing hashes on input

The next one-time password is obtained by performing hashes

Hence, the general formula is given as follows:

For security reasons, we use these one-time passwords in reverse order, i.e., using , then . If an old one-time password is leaked, the attacker is unable to derive the next one. In other words, she cannot impersonate a legal user without the secret shared credential . Besides, the input is derived from a long-term password , the identity of server ID , and a random seed generated by the server ID

Note that function is a hash which is irreversible in general cryptographic assumption. In practice, is realized by SHA-256 in oPass. Therefore, the bit length of is 256.

4.1.2 SMS Channel

SMS is a text-based communication service of the telecommunication systems. The oPass leverages SMS to construct a secure user authentication protocol against password stealing attacks. As SMS is a fundamental service of telecom, which belongs to 3GPP standards. SMS represents the most successful data transmission of telecom systems; hence, it is the most widespread mobile service in the world.

Besides the above advantages, the SMS channel is chosen because of its security benefits. Compared with TCP/IP network, the SMS network is a closed platform; hence, it increases the difficulty of internal attacks, e.g., tampering and manipulating attacks. Therefore, SMS is an out-of-band channel that protects the exchange of messages between users and servers. Unlike conventional authentication protocols, users securely transfer sensitive messages to servers without relying on untrusted kiosks. oPass resists password stealing attacks since it is based on SMS channels.

4.1.3 Connection Through 3G

3G connection provides data confidentiality of user data and signal data to prevent eavesdropping attacks. It also provides data integrity of signal data to avoid tampering attacks. The confidentiality and integrity algorithms are f8 and f9, respectively. Algorithm f8 and f9 are based on a block cipher named KASUMI where f8 is a synchronous binary stream cipher and f9 is a MAC algorithm. oPass utilizes the security features of 3G connection to develop the convenient account registration

and recovery procedures. Users can securely transmit and receive information to the web site through a 3G connection.


5.1 Anti-malware -Malware (e.g., keylogger) that gather sensitive information from users, especially their passwords are surprisingly common. In oPass, users are able to log into web services without entering passwords on their computers. Thus, malware cannot obtain a user's password from untrusted computers.

5.2 Phishing Protection -Adversaries often launch phishing attacks to steal users' passwords by cheating users when they connect to forged websites. As mentioned above, oPass allows users to successfully log into websites without revealing passwords to computers. Users who adopt oPass are guaranteed to withstand phishing attacks.

5.3 Secure Registration and Recovery-In oPass, SMS is an out-of-band communication interface. oPass cooperates with the telecommunication service provider (TSP) in order to obtain the correct phone numbers of websites and users respectively. SMS aids oPass in establishing a secure channel for message exchange in the registration and recovery phases. Recovery phase is designed to deal with cases where a user loses his cellphone. With the aid of new SIM cards, oPass still works on new cellphones.

5.4 Password Reuse Prevention and Weak Password Avoidance- oPass achieves one-time password approach. The cellphone automatically derives different passwords for each login. That is to say, the password is different during each login. Under this approach, users do not need to remember any password for login. They only keep a longterm password for accessing their cellphones, and leave the rest of the work to oPass.

5.5 Cellphone Protection-An adversary can steal users' cellphones and try to pass through user authentication. However, the cellphones are protected by a long-term password. The adversary cannot impersonate a legal user to login without being detected.The security of 3G connection used in the registration and recovery phases of oPass.


Confidentiality of information

Integrity of data



Independence between each login

Avoids Man-in-middle attacks


The oPass technology described is simple and effective way to keep the plain text passwords out of hands of adversary groups. There is a chance of man-in middle attacks in case of the one time password (OTP) generated by the browser and hence the hackers easily trap them. So oPass application generates the password in the users cellphone and it establishes a direct connection to the server. Also the high sms delay compared to the total execution time is greatly reduced. oPass is a user authentication protocol which is highly secure and efficient compared to the traditional web authentication protocols.