Sciencetext Tips & Tricks

Blogging tips, browsing tricks and computing hacks

Delayed Password Protection

March 3rd, 2008 · by David Bradley

Passwords and security are a perennial problem we all face when using the Interwebs. There are various solutions, but none of them are perfect. Even the strongest encryption technologies available for common use could be broken given enough computing power or just simple luck on the part of a hacker. But that doesn’t stop computer scientists from trying to come up with new ways to make us electronically safe.

Now, Markus Jakobsson of the Palo Alto Research Center in California, working with Steven Myers of the School of Informatics at Indiana University, Bloomington, have come up with a new security protocol that goes by the snappy name of Delayed Password Disclosure, or DPD for short. Oh, and by the way, the domain DPD.com is still available if some entrepreneurial reader wishes to cybersquat it before it’s snapped up.

Anyway, DPD is based on the traditional username-and-password paradigm, with all its pros and cons. However, according to Jakobsson and Myers, DPD can reduce the effectiveness of phishing or spoofing attacks and so protect users from online identity fraud.

Jakobsson and Myers explain that the DPD protocol works by providing the user with dynamic feedback while they are entering their password into a login form. They point out that such an approach is normally frowned upon by the cryptographic community. However, the team argues that it results in much more effective security than current approaches that are considered cryptographically acceptable.

The delay does not prevent the first few characters of a password from being revealed if you are inadvertently visiting a phishing site. But before you finish entering the password, the system provides feedback that alerts you to an ongoing phishing attack before it is complete, so you never disclose the entire password. The team describes further details in a recent issue of the International Journal of Applied Cryptography.

In an everyday login, you enter your username and password and these are sent to the server either as plaintext or encrypted. If it’s the genuine site and you entered your details properly, you’ll be logged in. If there is no encryption, as is surprisingly common, then the password is uploaded as plaintext, which an eavesdropper could easily read. But even with encryption (“https://” instead of “http://” at the start of the address) there is no prior sharing of an encryption key, so that has to be sent too, which defeats this security measure to some extent. Phishing sites are becoming increasingly sophisticated and may even offer genuine-seeming security certificates at some point in the login procedure, giving them an air of authority they shouldn’t have, which naïve users will not recognize.

The DPD approach is a mutual authentication technique that augments password entry with an image sequence specific to the user and service provider. Each user learns to recognize their sequence of images and knows not to enter their password if the images are incorrect. More details here.
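As an added teaching model, not the Jakobsson and Myers protocol itself and not code from this article: a provider keys the image shown after each typed prefix on a secret that only it holds, so a user who enters the password one character at a time stops at the first unexpected image and a look-alike site sees only a prefix. The `Provider` class, the `IMAGES` list, the HMAC construction and the sample account are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for the pictures a real deployment would show.
IMAGES = ["anchor", "bicycle", "cactus", "dolphin", "eagle", "fern",
          "guitar", "harp", "igloo", "jaguar", "kite", "lantern"]


class Provider:
    """Teaching model of a DPD-style service provider, not the real protocol.

    Feedback for each password prefix is keyed on a secret only the genuine
    provider holds, so a look-alike site cannot reproduce the image sequence
    the user memorised at enrolment.
    """

    def __init__(self, secret: bytes, users: dict[str, str]):
        self._secret = secret
        self._users = users  # constructed sample accounts: username -> password

    def feedback(self, username: str, prefix: str) -> str:
        """Image shown once the user has typed `prefix` of the password."""
        msg = username.encode() + b"\x00" + prefix.encode()
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return IMAGES[mac[0] % len(IMAGES)]

    def login(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, password)


def learned_sequence(provider: Provider, username: str, password: str) -> list[str]:
    """Sequence the user memorises while enrolling with the genuine provider."""
    return [provider.feedback(username, password[:i + 1])
            for i in range(len(password))]


def type_password(site: Provider, username: str, password: str,
                  memorised: list[str]) -> tuple[bool, int]:
    """Enter the password one character at a time, checking feedback each time.

    Returns (completed, characters_disclosed): the user abandons the login at
    the first image that differs from the memorised one, so an impostor sees
    only a prefix rather than the whole password.
    """
    for i, image in enumerate(memorised):
        if site.feedback(username, password[:i + 1]) != image:
            return False, i + 1
    return True, len(password)
```

A site that does not hold the provider's secret can still match the first image by chance (one in twelve here), which is why the article says the first few characters may leak.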

It all sounds quite sensible, and a beta version is due for imminent release. However, I cannot help feeling that even partial disclosure of one’s password might leave anyone who uses a simple password open to a further brute-force attack. Moreover, modern email programs such as Thunderbird, some webmail applications, and many browsers, including Internet Explorer and Firefox, have built-in systems that alert users to links that are likely to lead to a phishing site as soon as they’re clicked.

Couple that with the kind of anti-phishing protection offered by OpenDNS, which maintains a burgeoning blacklist of phishing sites as well as checking links before you get hooked, and I am not sure how much benefit DPD will actually bring.

Educating people about the dangers of phishing is important too. Not every internet user is as savvy as you, the tech-aware reader. It should be at least partially the responsibility of banks, organizations such as eBay and PayPal, and e-commerce sites to tell their customers about the threat. They should also make sure customers know never to click a link in an email that claims to come from one of those organizations, especially if it uses poorly constructed grammar and talks about security breaches and accounts being compromised.

There is a very simple way to implement DPD without resorting to a computer science degree, however, and I have explained it here before. When you visit a site and are ready to log in, type in your real username but enter a nonsense password. A genuine site will bounce back an error message, alerting you to the fact that the password you entered did not match your username. A phishing site, on the other hand, does not know what your username and password are and so will accept whatever you enter.

This method is not foolproof, but if the site claims to have logged you in correctly when you know for sure that you entered a dummy password, then shut that browser tab and proceed no further. Be thankful you were the one that got away.

3 responses so far

  • Wayne Smallman // Mar 4, 2008 at 8:17 pm

    “Educating people about the dangers of phishing is important too.”

    On the balance of things, if nothing else is achieved, maybe a few more people will think twice before clicking on a stray link.

    Personally, I think the idea is a little daft. And like you said, Firefox, OpenDNS et al have built-in tools to deal with these things…


  • Kin // Mar 12, 2008 at 12:37 am

    Not the same, but, at bankofamerica to log in you first put down your ID and state (This is, I suppose, a first password when you have a complicated ID like me) and then you are brought to a screen that has a picture you chose in the beginning of account creation. If you don’t see the right picture, you know you’re on the wrong site. Ha, I suppose, they’re submitting a password to you.

    On another note, I like the dummy password idea, I never thought of that and will try it out whenever I’m on more sensitive sites. It’s worth a preventive shot.

  • David Bradley // Mar 12, 2008 at 8:20 am

    Yes, that recognized image concept has been around for a while, I think Passpack use it in their system.

    db
