Paper: Stronger Pwd. Auth. with Browser Extensions (USENIX Security 05)
PORTIA PIs: D. Boneh, J. Mitchell
Institution: Stanford University
Authors: B. Ross, C. Jackson, N. Miyake, D. Boneh, J. Mitchell
Research Objectives, Significant Results, Graphic, Approach, Broader Impact
Phishing sites and weak passwords have led to
Internet identity theft. We want to provide
increased security against these attacks with
minimal change for both the user and the server.
- Theft of a hashed password will not yield a
password that can be used to log in to another
site.
- Theft of the user's computer will not yield any
passwords.
- Unobtrusive user interface provides security
against password field spoofing and other
JavaScript attacks.
We describe a web browser extension, called
PwdHash, that applies a cryptographic hash
function to the user's password (using data
associated with the web site and an optional
global password as salt). The original password
is discarded and the hashed password is sent to
the website instead. A web-based interface
provides an alternate mechanism for generating
passwords if the browser extension is not
available.
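An added example (not code from the paper or from the PwdHash extension) of the approach described above: the typed password is replaced by a hash salted with data taken from the site's URL plus an optional global password, so each site, including a lookalike host, receives a different value. HMAC-SHA-256, the last-two-labels salt rule, the 16-character output and the sample URLs are assumptions made for this illustration.

```javascript
// Added illustration, not PwdHash's own code.
// Assumptions: HMAC-SHA-256, last-two-label site salt, 16-character output.
const { createHmac } = require('node:crypto');
const { isIP } = require('node:net');

// "Data associated with the web site": derived from the URL of the page that
// holds the password field, never from anything the page itself claims.
function siteSalt(pageUrl) {
  const host = new URL(pageUrl).hostname; // URL parsing lowercases the host
  if (isIP(host)) return host;            // IP literals have no domain labels
  // Simplification: a real implementation needs a public-suffix list so that
  // names such as example.co.uk are not reduced to "co.uk".
  return host.split('.').slice(-2).join('.');
}

// Value sent to the site in place of the typed password.
function hashedPassword(password, pageUrl, globalPassword = '') {
  // "\n" cannot occur in a hostname, so salt and global password stay unambiguous.
  const key = `${siteSalt(pageUrl)}\n${globalPassword}`;
  return createHmac('sha256', key)
    .update(password, 'utf8')
    .digest('base64url')
    .slice(0, 16);
}

// Constructed sample input: one typed password, three pages.
function demo() {
  const typed = 'correct horse battery';
  const pages = [
    'https://login.bank.example/signin',
    'https://forum.example.org/login',
    'https://bank.example.account-check.test/signin', // lookalike host
  ];
  return pages.map((url) => ({
    url,
    salt: siteSalt(url),
    sent: hashedPassword(typed, url),
  }));
}

console.table(demo());
```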
Secure Authentication User Interface
- Secure password entry into a web browser enables
further innovation in authentication protocols.
- Web browsers can be designed to prevent user
interface spoofing in JavaScript and Flash.
Remote Authentication User Interface