Virtual Password System for Protecting Users From Password Theft
In this paper, we discuss how to prevent users’ passwords from being stolen by adversaries in online environments and automated teller machines. We propose differentiated virtual password mechanisms in which a user has the freedom to choose a virtual password scheme ranging from weak security to strong security, where a virtual password requires a small amount of human computing to secure users’ passwords. The tradeoff is that the stronger the scheme, the more complex the scheme may be. Among the schemes, we have a default method (i.e., traditional password scheme), system recommended functions, user-specified functions, user-specified programs, and so on. A function/program is used to implement the virtual password concept with a tradeoff of security for complexity requiring a small amount of human computing. We further propose several functions to serve as system recommended functions and provide a security analysis. For user-specified functions, we adopt secret little functions in which security is enhanced by hiding secret functions/algorithms.
The secure protocol SSL/TLS for transmitting private data over the web is well-known in academic research, but most current commercial websites still rely on the relatively weak protection mechanism of user authentications via a plaintext password and user ID. Meanwhile, even though a password can be transferred via a secure channel, this authentication approach is still vulnerable to the following attacks.
Phishing Attacks: Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication.
Password Stealing Trojan: This is a program that contains or installs malicious code. There are many such Trojan codes that have been found online today, so here we just briefly introduce two types of them. Key loggers capture keystrokes and store them somewhere in the machine, or send them back to the adversary. Once a key logger program is activated, it provides the adversary with any strings of texts that a person might enter online, consequently placing personal data and online account information at risk.
Shoulder Surfing: Shoulder surfing is a well-known method of stealing others’ passwords and other sensitive personal information by looking over victims’ shoulders while they are sitting in front of terminals.
DISADVANTAGES OF EXISTING SYSTEM:
As a consequence of increasing concerns over such risks, protecting users’ passwords on the web has become increasingly critical.
In this paper, we present a password protection scheme that involves a small amount of human computing in an Internet-based environment or an ATM machine, which will be resistant to phishing scams, Trojan horses, and shoulder-surfing attacks. We propose a virtual password concept involving a small amount of human computing to secure users’ passwords in online environments. We propose differentiated security mechanisms in which a user has the freedom to choose a virtual password scheme ranging from weak security to strong security. The tradeoff is that stronger schemes are more complex. Among the schemes, we have a default method (i.e., traditional password scheme), a system recommended function, a user-specified function, a user-specified program, and so on. A function/program is used to implement the virtual password concept by trading security for complexity by requiring a small amount of human computing.
We further propose several functions to serve as system recommended functions and provide a security analysis. We analyze how the proposed schemes defend against phishing, key logger, shoulder-surfing, and multiple attacks. In user-specified functions, we adopt secret little functions in which security is enhanced by hiding secret functions/algorithms. To the best of our knowledge, our virtual password mechanism is the first one which is able to defend against all three attacks.
ADVANTAGES OF PROPOSED SYSTEM:
- We propose differentiated security mechanisms in which a user has the freedom to choose a virtual password scheme ranging from weak security to strong security.
- We propose a virtual password concept involving a small amount of human computing to secure users’ passwords in online environments.
- Virtual Password
- Differentiated Security via a VPF
- User-Specified Functions/Programs
- VPF With a Helper-Application
To authenticate a user, a system (S) needs to verify a user (U) using the user’s password (X) and ID (also denoted as U) which the user provides. It is reasonable that a password should be constant so that it can be easily remembered. However, the price of being easily remembered is that the password can be stolen by others and then used to access the victim’s account. At the same time, we cannot put X in a randomly variant form because it would be impossible for a user to remember the password. To confront such a challenge, we propose a scheme using the new concept of virtual password. A virtual password is a dynamic password that is generated differently each time from a virtual password scheme and then submitted to the server for authentication.
Differentiated Security via a VPF
We have introduced the concept of the virtual password; next, we detail how to apply it in an Internet-based environment. We propose a differentiated security mechanism for system registration in which the system allows users to choose a registration scheme ranging from the simplest one (default) to a relatively complex one, where a registration scheme includes a way to choose a virtual password function. The more complex the registration, the more secure the system is, and the more user involvement is required.
The strongest security approaches let the user define a user-specified function or program. Since the chosen function is only known by the server and the user and the key space of functions is infinite with high-order, these approaches are very secure for even simple functions. The reason for using secret encryption algorithms (i.e., user-specified VPFs) is that secrets are very personal to a particular user and should not be known by others except the server.
VPF With a Helper-Application
If a helper-application is available for the user, the user needs to type the random salt into the helper-application; subsequently, the virtual password is generated by the helper-application. The user then types the generated virtual password in the login screen. In this way, the extra time required is very small and the precision will be 100% correct as long as the user types the correct random salt displayed on the login screen. This works when the user has a mobile device, such as a cellular phone, PDA, smart phone, or iPhone. However, such mobile devices are not able themselves to communicate with the server to which the user wants to login. No matter how complex the VPF is, the helper-application can always generate the correct virtual password for the user. This case is the most sophisticated one, and it is also the most convenient approach for the user.
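The helper-application flow described above, as an added example that is not part of the original project: the server shows a random salt, the helper computes the virtual password, and a value captured during one login is rejected on the next. The linear per-digit VPF, its secrets `a` and `c`, the digit-only password, and all names and sample values are assumptions constructed for illustration, since the page does not specify a concrete function; the server keeps X because it must evaluate the same VPF.

```python
import hmac
import secrets

def new_salt(length):
    """Server: fresh random digit string shown on the login screen."""
    return "".join(secrets.choice("0123456789") for _ in range(length))

def vpf_default(password, salt):
    """Default scheme: traditional static password, salt ignored."""
    return password

def make_linear_vpf(a, c):
    """Assumed user-specified VPF: v_i = (a*x_i + r_i + c) mod 10,
    where a and c are secrets shared only by the user and the server."""
    def vpf(password, salt):
        return "".join(str((a * int(x) + int(r) + c) % 10)
                       for x, r in zip(password, salt))
    return vpf

class Server:
    def __init__(self):
        self.accounts = {}   # user ID -> (password X, registered VPF)
        self.pending = {}    # user ID -> salt awaiting a response

    def register(self, user, password, vpf=vpf_default):
        self.accounts[user] = (password, vpf)

    def challenge(self, user, salt=None):
        # A salt may be passed in only to make the demo reproducible.
        password, _ = self.accounts[user]
        self.pending[user] = salt or new_salt(len(password))
        return self.pending[user]

    def verify(self, user, submitted):
        salt = self.pending.pop(user, None)   # each salt is single-use
        if salt is None:
            return False
        password, vpf = self.accounts[user]
        return hmac.compare_digest(vpf(password, salt), submitted)

def login_then_replay(server, user, helper, password, salts):
    """Log in through the helper-application, then resubmit the captured
    value against the next salt, as a key logger's copy would be."""
    captured = helper(password, server.challenge(user, salts[0]))
    first = server.verify(user, captured)
    server.challenge(user, salts[1])
    return captured, first, server.verify(user, captured)
```

With the default scheme the replayed value is accepted, while with the salted VPF the same replay fails because the second salt yields a different virtual password.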
- System : Pentium IV 2.4 GHz.
- Hard Disk : 40 GB.
- Floppy Drive : 44 Mb.
- Monitor : 15 VGA Colour.
- Mouse : Logitech
- Ram : 512 Mb.
- Operating system : Windows XP/7.
- Coding Language : C#.NET
- IDE : VISUAL STUDIO 2008
- Database : SQL SERVER