Revisiting Defenses against Large-Scale Online Password Guessing Attacks

Brute force and dictionary attacks on password-only remote login services are now widespread and ever increasing rapidly in Day to day life. Enabling users convenient login for legitimate users while preventing such attacks is a difficult problem and not Much convenient Automated Turing Tests (ATTs) are effective and easy to implement but cause reasonable amount of inconvenience to the user. We discuss the existing and proposed login protocols designed to prevent large scale online dictionary attacks. We propose Password Guessing Resistant Protocol (PGRP), which is derived upon revisiting prior proposals designed to restrict such attacks. PGRP reduces the total number of login attempts from unknown remote host while trusted or legitimate users can make several failed login attempts before being challenged by ATT