# On The Limitation of Some Fully Observable Multiple Session Resilient Shoulder Surfing Defense Mechanisms

**Authors:** Nilesh Chakraborty, Samrat Mondal

arXiv: 1705.10771 · 2017-05-31

## TL;DR

This paper examines the limitations of certain password protection methods against shoulder surfing attacks and proposes new principles to enhance security by masking passwords, demonstrating practical applicability with existing methods.

## Contribution

It identifies the inability of many existing shoulder surfing defense methods to store honeywords and proposes generic principles to improve password masking within these methods.

## Key findings

- Many $\text{M}^{\text{FODS}}_{\text{SOA}}$ methods cannot store honeywords.
- Proposed principles enable password masking in these methods.
- Practical implementation demonstrated with S3PAS, CHC, PAS, and COP.

## Abstract

Using a password-based authentication technique, a system maintains the login credentials (username, password) of its users in a password file. Once the password file is compromised, an adversary obtains both login credentials. With the advancement of technology, even if a password is maintained in hashed format, the adversary can still invert the hashed password to get the original one. To mitigate this threat, most systems nowadays store some system-generated fake passwords (also known as honeywords) along with the original password of a user. This type of setup confuses an adversary while selecting the original password. If the adversary chooses any of these honeywords and submits it as a login credential, then the system detects the attack. A large amount of significant work has been done on designing methodologies (identified as $\text{M}^{\text{DS}}_{\text{OA}}$) that can protect passwords against observation, or shoulder surfing, attacks. Under this attack scenario, an adversary observes (or records) the login information entered by a user and later uses those credentials to impersonate the genuine user. In this paper, we show that because of their design principle, a large subset of $\text{M}^{\text{DS}}_{\text{OA}}$ (identified as $\text{M}^{\text{FODS}}_{\text{SOA}}$) cannot afford to store honeywords in the password file. Thus these methods, belonging to $\text{M}^{\text{FODS}}_{\text{SOA}}$, are unable to provide any kind of security once the password file gets compromised. Through our contribution in this paper, while still using the concept of honeywords, we propose a few generic principles to mask the original password of $\text{M}^{\text{FODS}}_{\text{SOA}}$ category methods. We also consider a few well-established methods like S3PAS, CHC, PAS and COP belonging to $\text{M}^{\text{FODS}}_{\text{SOA}}$, to show that the proposed idea is implementable in practice.
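The honeyword setup the abstract describes, as an added example that is not code from the paper or its authors: the login server keeps, per user, a salt and k hashed "sweetwords" (the real password plus k-1 decoys) in random order, and a separate honeychecker holds only the index of the real one. A submitted password that matches a decoy raises an alarm instead of being rejected silently. The `PasswordFile`, `HoneyChecker`, `enroll` and `login` names, the character-tweaking decoy generator and the sample user are all constructed for this illustration; the paper's own honeyword generation and the FODS-specific masking principles are not reproduced here. The example also makes visible why ordinary password login can afford honeywords at all: verification only has to hash what was typed and compare it against every stored sweetword, so the login server never needs to know which slot holds the genuine password.

```python
import hashlib
import hmac
import os
import random
import string


def _hash(sweetword: str, salt: bytes) -> bytes:
    # Slow, salted hash: an adversary holding the file must crack every sweetword,
    # and even then sees k candidates with no indication of which one is real.
    return hashlib.pbkdf2_hmac("sha256", sweetword.encode(), salt, 10_000)


def _tweak(password: str, rng: random.Random) -> str:
    """Constructed decoy generator (not the paper's): re-roll the last three
    characters while keeping each character's class so the decoys look plausible."""
    chars = list(password)
    for i in range(max(0, len(chars) - 3), len(chars)):
        c = chars[i]
        if c.isdigit():
            chars[i] = rng.choice(string.digits)
        elif c.islower():
            chars[i] = rng.choice(string.ascii_lowercase)
        elif c.isupper():
            chars[i] = rng.choice(string.ascii_uppercase)
        else:
            chars[i] = rng.choice("!@#$%&*")
    return "".join(chars)


class PasswordFile:
    """What the login server stores: per user, a salt and k hashed sweetwords."""

    def __init__(self) -> None:
        self.entries: dict[str, tuple[bytes, list[bytes]]] = {}


class HoneyChecker:
    """Separate, hardened component that knows only which slot is the real password."""

    def __init__(self) -> None:
        self._real_index: dict[str, int] = {}

    def register(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def is_real(self, user: str, index: int) -> bool:
        return self._real_index.get(user) == index


def enroll(pwfile: PasswordFile, checker: HoneyChecker, user: str,
           password: str, k: int = 5, seed=None) -> list[str]:
    """Store the real password plus k-1 distinct honeywords in shuffled order.
    Returns the honeywords only so the demo can exercise the alarm path; a real
    system never hands them back."""
    if not password:
        raise ValueError("empty password cannot be tweaked into decoys")
    rng = random.Random(seed)
    honeywords: set[str] = set()
    for _ in range(1000):  # bounded retry loop in case of collisions
        if len(honeywords) >= k - 1:
            break
        hw = _tweak(password, rng)
        if hw != password:
            honeywords.add(hw)
    if len(honeywords) < k - 1:
        raise ValueError("could not generate enough distinct honeywords")
    sweetwords = sorted(honeywords) + [password]
    rng.shuffle(sweetwords)
    salt = os.urandom(16)
    pwfile.entries[user] = (salt, [_hash(w, salt) for w in sweetwords])
    checker.register(user, sweetwords.index(password))
    return sorted(honeywords)


def login(pwfile: PasswordFile, checker: HoneyChecker, user: str, attempt: str) -> str:
    """Return 'accept', 'reject', 'alarm' (a decoy was submitted) or 'no_such_user'."""
    if user not in pwfile.entries:
        return "no_such_user"
    salt, hashes = pwfile.entries[user]
    h = _hash(attempt, salt)
    matched = [i for i, stored in enumerate(hashes) if hmac.compare_digest(h, stored)]
    if not matched:
        return "reject"
    # Only the honeychecker can distinguish the genuine password from a decoy;
    # a match on a decoy slot means someone is replaying the stolen password file.
    return "accept" if checker.is_real(user, matched[0]) else "alarm"


if __name__ == "__main__":
    pf, hc = PasswordFile(), HoneyChecker()
    decoys = enroll(pf, hc, "alice", "tr0ub4dor3", k=5, seed=7)  # constructed sample user
    print("real password:", login(pf, hc, "alice", "tr0ub4dor3"))
    print("wrong guess:  ", login(pf, hc, "alice", "hunter2"))
    print("decoy:        ", login(pf, hc, "alice", decoys[0]))
```

The split between `PasswordFile` and `HoneyChecker` is what gives the scheme its value: an adversary who steals the password file and cracks all k hashes still has to pick one, and k-1 of the choices trip the alarm. This is the part that, per the paper, a challenge-response style shoulder-surfing-resistant login cannot reproduce, because such a method cannot verify a session without singling out the genuine secret.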

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1705.10771/full.md

## Figures

15 figures with captions in the complete paper: https://tomesphere.com/paper/1705.10771/full.md

## References

36 references — full list in the complete paper: https://tomesphere.com/paper/1705.10771/full.md

---
Source: https://tomesphere.com/paper/1705.10771