{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,6]],"date-time":"2025-11-06T00:50:49Z","timestamp":1762390249591},"reference-count":31,"publisher":"Association for Computing Machinery (ACM)","issue":"3","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2006,8]]},"abstract":"<jats:p>Automated Turing Tests (ATTs), also known as human-in-the-loop techniques, were recently employed in a login protocol by Pinkas and Sander (2002) to protect against online password-guessing attacks. We present modifications providing a new history-based login protocol with ATTs, which uses failed-login counts. Analysis indicates that the new protocol offers opportunities for improved security and user friendliness (fewer ATTs to legitimate users) and greater flexibility (e.g., allowing protocol parameter customization for particular situations and users). We also note that the Pinkas--Sander and other protocols involving ATTs are susceptible to minor variations of well-known middle-person attacks. We discuss complementary techniques to address such attacks, and to augment the security of the original protocol.<\/jats:p>","DOI":"10.1145\/1178618.1178619","type":"journal-article","created":{"date-parts":[[2007,1,16]],"date-time":"2007-01-16T19:38:29Z","timestamp":1168976309000},"page":"235-258","update-policy":"http:\/\/dx.doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":24,"title":["On countering online dictionary attacks with login histories and humans-in-the-loop"],"prefix":"10.1145","volume":"9","author":[{"given":"Paul C.","family":"Van Oorschot","sequence":"first","affiliation":[{"name":"Carleton University, Ottawa, Canada"}]},{"given":"Stuart","family":"Stubblebine","sequence":"additional","affiliation":[{"name":"Stubblebine Research Labs, New Jersey"}]}],"member":"320","published-online":{"date-parts":[[2006,8]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Proceedings of the 2003 Network and Distributed System Security Symposium. The Internet Society","author":"Abadi M.","unstructured":"Abadi , M. , Burrows , M. , Manasse , M. , and Wobber , T . 2003. Moderately hard, memory-bound functions . In Proceedings of the 2003 Network and Distributed System Security Symposium. The Internet Society , Reston, VA. 25--39.]] Abadi, M., Burrows, M., Manasse, M., and Wobber, T. 2003. Moderately hard, memory-bound functions. In Proceedings of the 2003 Network and Distributed System Security Symposium. The Internet Society, Reston, VA. 25--39.]]"},{"key":"e_1_2_1_2_1","volume-title":"Security Engineering: A guide to building dependable distributed systems","author":"Anderson R.","year":"2001","unstructured":"Anderson , R. 2001 . Security Engineering: A guide to building dependable distributed systems . Wiley , New York .]] Anderson, R. 2001. Security Engineering: A guide to building dependable distributed systems. Wiley, New York.]]"},{"key":"e_1_2_1_3_1","volume-title":"Proceedings of the 1992 IEEE Symposium on Security and Privacy. IEEE Computer Society","author":"Bellovin S.","unstructured":"Bellovin , S. and Merritt , M . 1992. Encrypted key exchange: password-based protocols secure against dictionary attack . In Proceedings of the 1992 IEEE Symposium on Security and Privacy. IEEE Computer Society , Los Alamitos, CA. 72--84.]] Bellovin, S. and Merritt, M. 1992. Encrypted key exchange: password-based protocols secure against dictionary attack. In Proceedings of the 1992 IEEE Symposium on Security and Privacy. IEEE Computer Society, Los Alamitos, CA. 72--84.]]"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1013202.1013203"},{"key":"e_1_2_1_5_1","doi-asserted-by":"crossref","first-page":"644","DOI":"10.1109\/TIT.1976.1055638","article-title":"New directions in cryptography","volume":"22","author":"Diffie W.","year":"1976","unstructured":"Diffie , W. and Hellman , M. 1976 . New directions in cryptography . IEEE Transactions on Information Theory 22 , 644 -- 654 .]] Diffie, W. and Hellman, M. 1976. New directions in cryptography. IEEE Transactions on Information Theory 22, 644--654.]]","journal-title":"IEEE Transactions on Information Theory"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1007\/BF00124891"},{"key":"e_1_2_1_7_1","volume-title":"Ed. Lecture Notes in Computer Science","volume":"740","author":"Dwork C.","unstructured":"Dwork , C. and Naor , M . 1992. Pricing via processing or combatting junk mail. In Advances in Cryptology---CRYPTO'92, E. Brickell , Ed. Lecture Notes in Computer Science , vol. 740 . Springer-Verlag, New York. 137--147.]] Dwork, C. and Naor, M. 1992. Pricing via processing or combatting junk mail. In Advances in Cryptology---CRYPTO'92, E. Brickell, Ed. Lecture Notes in Computer Science, vol. 740. Springer-Verlag, New York. 137--147.]]"},{"key":"e_1_2_1_8_1","unstructured":"FIPS PUB 112 1995. Password Usage. Federal Information Processing Standards Publication 112 U.S. Department of Commerce NIST.]]  FIPS PUB 112 1995. Password Usage. Federal Information Processing Standards Publication 112 U.S. Department of Commerce NIST.]]"},{"key":"e_1_2_1_9_1","unstructured":"FIPS PUB 181 1993. Automated Password Generator. Federal Information Processing Standards Publication 181 U.S. Department of Commerce NIST.]]  FIPS PUB 181 1993. Automated Password Generator. Federal Information Processing Standards Publication 181 U.S. Department of Commerce NIST.]]"},{"key":"e_1_2_1_10_1","volume-title":"Proceedings of the 9th IEEE International Workshop on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE","author":"Ford W.","year":"2000","unstructured":"Ford , W. and Kaliski , B . 2000. Server-assisted generation of a strong secret from a password . In Proceedings of the 9th IEEE International Workshop on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE 2000 ). IEEE Computer Society, Los Alamitos, CA. 176--180.]] Ford, W. and Kaliski, B. 2000. Server-assisted generation of a strong secret from a password. In Proceedings of the 9th IEEE International Workshop on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE 2000). IEEE Computer Society, Los Alamitos, CA. 176--180.]]"},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of the 10th USENIX Security Symposium. USENIX Association","author":"Fu K.","unstructured":"Fu , K. , Sit , E. , Smith , K. , and Feamster , N . 2001. Do's and don'ts of client authentication on the web . In Proceedings of the 10th USENIX Security Symposium. USENIX Association , Berkeley, CA. 251--269.]] Fu, K., Sit, E., Smith, K., and Feamster, N. 2001. Do's and don'ts of client authentication on the web. In Proceedings of the 10th USENIX Security Symposium. USENIX Association, Berkeley, CA. 251--269.]]"},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of 6th ACM Conference on Electronic Commerce. ACM","author":"Gentry C.","unstructured":"Gentry , C. , Ramzan , Z. , and Stubblebine , S . 2005. Secure distributed human computation . In Proceedings of 6th ACM Conference on Electronic Commerce. ACM , New York. 155--164.]] 10.1145\/1064009.1064026 Gentry, C., Ramzan, Z., and Stubblebine, S. 2005. Secure distributed human computation. In Proceedings of 6th ACM Conference on Electronic Commerce. ACM, New York. 155--164.]] 10.1145\/1064009.1064026"},{"key":"e_1_2_1_13_1","volume-title":"Proceedings of INFOCOM'90","author":"Gong L.","year":"1990","unstructured":"Gong , L. 1990 . Verifiable-text attacks in cryptographic protocols . In Proceedings of INFOCOM'90 . IEEE Computer Society, Los Alamitos, CA. 686--693.]] Gong, L. 1990. Verifiable-text attacks in cryptographic protocols. In Proceedings of INFOCOM'90. IEEE Computer Society, Los Alamitos, CA. 686--693.]]"},{"key":"e_1_2_1_14_1","doi-asserted-by":"crossref","first-page":"648","DOI":"10.1109\/49.223865","article-title":"Protecting poorly chosen secrets from guessing attacks","volume":"11","author":"Gong L.","year":"1993","unstructured":"Gong , L. , Lomas , T. , Needham , R. , and Saltzer , J. 1993 . Protecting poorly chosen secrets from guessing attacks . IEEE Journal on Selected Areas in Communications 11 , 648 -- 656 .]] Gong, L., Lomas, T., Needham, R., and Saltzer, J. 1993. Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Areas in Communications 11, 648--656.]]","journal-title":"IEEE Journal on Selected Areas in Communications"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/242896.242897"},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the 1999 Network and Distributed System Security Symposium, S. Kent, Ed. The Internet Society","author":"Juels A.","unstructured":"Juels , A. and Brainard , J . 1999. Client puzzles: a cryptographic defense against connection depletion attacks . In Proceedings of the 1999 Network and Distributed System Security Symposium, S. Kent, Ed. The Internet Society , Reston, VA. 151--165.]] Juels, A. and Brainard, J. 1999. Client puzzles: a cryptographic defense against connection depletion attacks. In Proceedings of the 1999 Network and Distributed System Security Symposium, S. Kent, Ed. The Internet Society, Reston, VA. 151--165.]]"},{"key":"e_1_2_1_17_1","volume-title":"Network Security: Private Communication in a Public World","author":"Kaufman C.","year":"2002","unstructured":"Kaufman , C. , Perlman , R. , and Speciner , M . 2002 . Network Security: Private Communication in a Public World , 2 nd ed. Prentice Hall PTR , Englewood Cliffs , New Jersey.]] Kaufman, C., Perlman, R., and Speciner, M. 2002. Network Security: Private Communication in a Public World, 2nd ed. Prentice Hall PTR, Englewood Cliffs, New Jersey.]]","edition":"2"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/74851.74853"},{"key":"e_1_2_1_19_1","unstructured":"Menezes A. van Oorschot P. and Vanstone S. 1997. Handbook of applied cryptography. CRC Press Boca Raton FL.]]   Menezes A. van Oorschot P. and Vanstone S. 1997. Handbook of applied cryptography. CRC Press Boca Raton FL.]]"},{"key":"e_1_2_1_20_1","unstructured":"Naor M. 1997. Verification of a human in the loop or identification via the Turing test. Unpublished manuscript.]]  Naor M. 1997. Verification of a human in the loop or identification via the Turing test. Unpublished manuscript.]]"},{"key":"e_1_2_1_21_1","volume-title":"Proceedings of the 9th ACM Conference on Computer and Communications Security, V. Atluri, Ed. ACM","author":"Pinkas B.","unstructured":"Pinkas , B. and Sander , T . 2002. Securing passwords against dictionary attacks . In Proceedings of the 9th ACM Conference on Computer and Communications Security, V. Atluri, Ed. ACM , New York. 161--170.]] 10.1145\/586110.586133 Pinkas, B. and Sander, T. 2002. Securing passwords against dictionary attacks. In Proceedings of the 9th ACM Conference on Computer and Communications Security, V. Atluri, Ed. ACM, New York. 161--170.]] 10.1145\/586110.586133"},{"key":"e_1_2_1_22_1","series-title":"Lecture Notes in Computer Science","volume-title":"Proceedings of Financial Cryptography, 8th International Conference","author":"Stubblebine S.","unstructured":"Stubblebine , S. and van Oorschot , P. 2004. Addressing online dictionary attacks with login histories and humans-in-the-loop (extended abstract) . In Proceedings of Financial Cryptography, 8th International Conference . Lecture Notes in Computer Science , vol. 3110 . Springer-Verlag , New York . 39--53.]] Stubblebine, S. and van Oorschot, P. 2004. Addressing online dictionary attacks with login histories and humans-in-the-loop (extended abstract). In Proceedings of Financial Cryptography, 8th International Conference. Lecture Notes in Computer Science, vol. 3110. Springer-Verlag, New York. 39--53.]]"},{"key":"e_1_2_1_23_1","doi-asserted-by":"crossref","unstructured":"Turing A. 1950. Computing machinery and intelligence. Mind 59 236 433--460.]]  Turing A. 1950. Computing machinery and intelligence. Mind 59 236 433--460.]]","DOI":"10.1093\/mind\/LIX.236.433"},{"key":"e_1_2_1_24_1","unstructured":"von Ahn L. 2003. Eurocrypt'03 presentation of von Ahn et al. {2003}.]]  von Ahn L. 2003. Eurocrypt'03 presentation of von Ahn et al. {2003}.]]"},{"key":"e_1_2_1_25_1","volume-title":"CAPTCHA: Using hard AI problems for security. In Advances in Cryptology---Eurocrypt","author":"von Ahn L.","year":"2003","unstructured":"von Ahn , L. , Blum , M. , Hopper , N. , and Langford , J . 2003 . CAPTCHA: Using hard AI problems for security. In Advances in Cryptology---Eurocrypt 2003, E. Biham, Ed . Lecture Notes in Computer Science, vol. 2656 . Springer-Verlag , New York. 294--311.]] von Ahn, L., Blum, M., Hopper, N., and Langford, J. 2003. CAPTCHA: Using hard AI problems for security. In Advances in Cryptology---Eurocrypt 2003, E. Biham, Ed. Lecture Notes in Computer Science, vol. 2656. Springer-Verlag, New York. 294--311.]]"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/966389.966390"},{"key":"e_1_2_1_27_1","volume-title":"Hackers find new way to bilk eBay users. CNET news.com","author":"Wolverton T.","year":"2002","unstructured":"Wolverton , T. 2002. Hackers find new way to bilk eBay users. CNET news.com . March 25 2002 .]] Wolverton, T. 2002. Hackers find new way to bilk eBay users. CNET news.com. March 25 2002.]]"},{"key":"e_1_2_1_28_1","volume-title":"Proceedings of the 1998 Network and Distributed System Security Symposium. The Internet Society","author":"Wu T.","year":"1998","unstructured":"Wu , T. 1998 . The secure remote password protocol . In Proceedings of the 1998 Network and Distributed System Security Symposium. The Internet Society , Reston, VA. 97--111.]] Wu, T. 1998. The secure remote password protocol. In Proceedings of the 1998 Network and Distributed System Security Symposium. The Internet Society, Reston, VA. 97--111.]]"},{"key":"e_1_2_1_29_1","volume-title":"Proceedings of the 2001 New Security Paradigms Workshop. ACM","author":"Yan J.","year":"2001","unstructured":"Yan , J. 2001 . A note on proactive password checking . In Proceedings of the 2001 New Security Paradigms Workshop. ACM , New York. 127--135.]] 10.1145\/508171.508194 Yan, J. 2001. A note on proactive password checking. In Proceedings of the 2001 New Security Paradigms Workshop. ACM, New York. 127--135.]] 10.1145\/508171.508194"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.81"},{"key":"e_1_2_1_31_1","volume-title":"The Official PGP User's Guide","author":"Zimmermann P.","unstructured":"Zimmermann , P. 1995. The Official PGP User's Guide . MIT Press , Cambridge, MA .]] Zimmermann, P. 1995. The Official PGP User's Guide. MIT Press, Cambridge, MA.]]"}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1178618.1178619","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,28]],"date-time":"2022-12-28T17:57:17Z","timestamp":1672250237000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1178618.1178619"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2006,8]]},"references-count":31,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2006,8]]}},"alternative-id":["10.1145\/1178618.1178619"],"URL":"https:\/\/doi.org\/10.1145\/1178618.1178619","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"value":"1094-9224","type":"print"},{"value":"1557-7406","type":"electronic"}],"subject":[],"published":{"date-parts":[[2006,8]]},"assertion":[{"value":"2006-08-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}