Password-based Authentication Protocol


Anderson(2008) explained that Password attacks are common in computer systems and such attacks can be done through snooping the password via false terminal, malicious software or by network eavesdropping. Password are also used in an authentication protocol between two machines where encrypted key exchange within the protocol between two machines is used as a shared password and as such; the man-in-the-middle will have a hard time guessing such password.

Other attacks on the password are targeting the password storage where password is used for the website users or systems users to access such systems. With such attacks occur on the password storage (e.g. log files, or database); such storage must be protected against such attacks. For example, keeping the passwords of system users stored in a plain text is very dangerous, and it is easy for attackers to access such file; if the file encryption is not implemented (Anderson, 2008).

Other attacks on the password are used via eavesdropping software by the attackers over the WiFi connection to harvest the passwords where encryption is not implemented for such purpose. Password cracking software is used by the attackers to get hold of the real value of the encrypted password. Attackers usually use software that can try guessing the password to gain access to the system. To prevent such attacks on the website, a technology called CAPTCHA (stands for Completely Automated Public Turing Test to Tell Computers and Human A part) is implemented through the websites where password entry is required to prevent hackers from using a machine for password guessing (Anderson, 2008).

Why Password protocol?

Wu (1997) explained that password authentication protocol is used over un-trusted network to authenticate users and exchange keys. Such protocols should resists different attacks, and allow even weak passphrases to be used safely over such network. Also, protocols should be protected from dictionary attacks mounted by either active or passive network attackers.

Password protocols are implemented in many flavours however, they are all intend to solve the same problem where one party has to prove to another party that knows the password which usually was set in advance within the one of these parties (Wu, 1997) .

Melber (2004) explained that many protocols were implemented in the past through different operating systems, and some of these protocols are:


  • Lan Manager  (LM Protocol) – One of the oldest protocols that were used for authentication where hash was used with case-insensitive and a limited to 142 characters. The hash in such protocol was broken into 2-7 character chunks. Also, the hash was one-way function. 


  • NT Lan Manager (NTLM Protocol) – With implementing a new network directory service introduced in Windows NT 3.1; a new protocol was required. It was required for such protocol to store the password hashed within a domain user accounts. And the features of the NTLM were identical to the LM protocol which indicates the weakness of such protocol.


  • NTLMv2- Such protocol was released via Windows NT SP4, where password can be up to 128 characters long, mutual authentication between the server and the client is required, and stronger password hash was implemented in such protocol.


  • Kerberos – Such protocol enforces the mutual authentication process via ticketing system, the authentication is process on the client where the load on the server is reduced, no password was required to be transmitted over the network, and timestamp was implemented in such protocol to eliminate the replay packets attack on the host.

With the authentication system implemented within any network to authenticate user’s access to the network system, passwords should be protected through an encryption system and hash password. Also, making the password longer and more sophisticated by implemented and enforcing the rules within any organization, it makes difficult for crack tools to beat the system. Also, eliminating weak protocols such as LM and NTLM created more secure network, and also implementing passphrases instead of passwords to authenticate users which gives a hard time to the crack tool to get hold of the systems passwords (Melber, 2004).  

Suggested Password Protocol

Wu (1997) suggested a simple protocol that can be used to authenticate client to access the host. Such protocol works as follows:


  1. The client sends the host (the server) his/her username and plaintext password.
  2. The host can verify the password by directly comparing the host version with the password sent by the client or by applying a hash function first on the client end, and then checking the hash password against the stored hashed password in the database.

Wu (1997) explained that with the above protocol the client password can be exposed to eavesdropping attack and to avoid such attack, the following correction to such protocol are made to prevent such attack where both the client and the host can employ a challenge-response:


  1. The client sends his/her identity to the host along with random message.
  2. The host sends back to the client a random message called a challenge.
  3. The client will perform some computation based on the challenge, the first random message, and his/her password, and sends this response to the host, where it performs the same computations, and verifies the correction of the client response.

Wu (1997) explained that with the above protocol, since the challenge-response from the host is different each time the authentication of the client is requested; the capture of such response from the attackers to launch a reply attack will be useless and will never happen. However, challenge-response protocol can be exposed to a different attack where the attacker can capture the random message, challenge and the client password from a successful authentication attempt, and starts guessing password and generates similar response that matches the captured one (Dictionary attack). Also, since the challenge-protocol use a plaintext-password it is easy to be figured out by the intruder, and can be used to gain access to the host.

Wu (1997) explained that to solve the above problems, the following steps should be implemented:


  1. Use encryption when the client is attempting to authenticate through the host.
  2. Use a hash password function on the client-side to hash the password before it is send to the host.

Rules for Strong Password

Finally, Scheeres (2009) explained that implementing strong password rules within an organization can ensure the safety of any organization confidential data and prevent an authorized user to gain access to any organization’s system and data. Many attacker use cracker password software that can bombard machines with 15 millions of words variations per second (a Dictionary attack) in attempt to breach security and access such systems. It’s important for any organization to educate their employees to follow certain rules that can create a password that’s hard to be predicated, and some of these rules are:


  • Users should take a full advantage of the keyboard characters in creating a strong password. Also, such password should be a mix of lower-case and upper-case letters, numbers, and other keyboard characters.


  • Implement a minimum number of password characters required for a password to be created by any user within an organization.


  • Users has to be trained to pick the type of the password that is easy for them to remember and difficult for others to guess.


  • Organization system administrators should implement rules to enforce the password to be expired periodically.


  • Rules should be enforced within any system that doesn’t accept the same password in different account for the same users.


  • Organizations have to implement a training session for users to learn about information systems security, and to raise awareness of how important the systems password within any organization, that user never gives away his/her password to anyone. Also, users should learn that writing down the password is bad practice, and even storing such password in a file on the hard drive is dangerous, and it’s very easy to be found.


Chakrabarti and Singhal (2007) explained that one of the computer security challenges is to allow users to access server and website application remotely by authenticating them via password protocol. Password-based authentication protocol is subjected to attacks when insecure communication channels are used (i.e. Internet connection via WiFi). Several protocols were engineered over the past years in trying to prevent the attacks, where the designe of acceptable password protocols are geared to prevent the dictionary attacks.

Chakrabarti and Singhal (2007) also explained that passwords have become the most common technique of authenticating users whom are trying to access confidential data over the web, however, such implementation is vulnerable to several attacks that can be used later to gain access to computer systems. It’s imperative to implement a password rules that can be hard to guess and also enforce such password with several techniques that can hide such password within the authentication protocol (e.g. encryption, and hash mechanism).

Finally, the secure password protocols against passive attacks (eavesdropping attacks), challenge-response protocols were developed to implement the security required to safe guard the password.


Anderson, R. (2008) Security Engineering. 2nd ed. IN: Wiley Publishing, Inc.

Chakrabarti, S. & Singhal, M. (2007) Password-Based Authentication: Preventing Dictionary Attacks [Online]. Available from: (Accessed: 13 November 2010).

Melber, D. (2004) Protect against weak Authentication Protocols and Password [Online]. Available from: (Accessed: 13 November 2010).

Scheeres, J. (2009) Password Protocols [Online]. Available from: (Accessed: 13 November 2010).

Wu, T. (1997) The Secure Remote Password Protocol [Online]. Available from: (Accessed: 13 November 2010).








Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: