Needed: Stronger Password Protection Systems

The theft of passwords and other user credentials from online services has become an epidemic, with breaches regularly impacting large user populations. This has left both consumers and businesses vulnerable to attack. Recent research breakthroughs point toward methods that could greatly improve the security of password systems. An urgent need and a clear opportunity to transform industry practice in password management exist.

Ari Juels and Thomas Ristenpart, Computer Science, Cornell Tech, are building an easy-to-deploy password-protection system called PASS. PASS incorporates recent research on state-of-the-art methods to protect passwords and user credentials into new innovations. PASS aims to make available to even the smallest organizations a complete, principled, server-side password protection system that offers far stronger security by default than any known existing system.

PASS develops novel extensions to several of Juels’ and Ristenpart’s recent innovations, including a service for password hardening called Pythia. Password hardening is technique that renders passwords hard to crack. PASS will also utilize honey objects, a well-established method for mitigating the damage caused by a breach by incorporating fake or decoy data or services into a system. And finally, researchers will also aim to enhance usability for clients by designing PASS to support the optional acceptance of passwords with common typographical errors, an emerging industry practice called typo-tolerance. By offering these tools in a mature, modular development ecosystem for engineers and researchers, PASS serves not only as a platform to democratize advances in password-protection technologies but also as a stimulus and proving-ground for new, practice-oriented research in the security community.

Cornell Researchers

Funding Received

$1.2 Million spanning 3 years