Single Password, Multiple Accounts

Most users have multiple accounts on the Internet where each account is protected by a password. To avoid the headache in remembering and managing a long list of different and unrelated passwords, most users simply use the same password for multiple accounts. Unfortunately, the predominant HTTP basic authentication protocol (even over SSL) makes this common practice remarkably dangerous: an attacker can effectively steal users’ passwords for high-security servers (such as an online banking website) by setting up a malicious server or breaking into a low-security server (such as a high-school alumni website). To solve this problem, we propose a new password protocol that is simple, secure, efficient and user-friendly. In terms of simplicity, the protocol only involves three messages, and the protocol is easy to understand and implement. In terms of security, the protocol is secure against the attacks that have been discovered so far including the ones that are difficult to defend, such as the malicious server attacks described above and the recent phishing attacks. In terms of efficiency, each run of our protocol only involves a total of four computations of a one-way hash function. In terms of usability, the protocol requires a user to remember only one password consisting of eight (or more) random characters, and this password can be used for all of his accounts.