People enjoy the convenience of online services, but online environments may bring many risks. In this paper, we discuss how to prevent users’ passwords from being stolen by adversaries. We propose a virtual password concept involving a small amount of human computing to secure users’ passwords in online environments. We adopt user-determined randomized linear generation functions to secure users’ passwords, based on the fact that a server has more information than any adversary does. We analyze how the proposed scheme defends against phishing, key logger, and shoulder-surfing attacks. To the best of our knowledge, our virtual password mechanism is the first that is able to defend against all three attacks together.
Ming Lei, Yang Xiao, Susan V. Vrbsky, Chung-Chih L