
An Enhanced Password-Username Authentication System Using Cryptographic Hashing and Recognition Based Graphical Password


Abstract

Password-username authentication is a critical component of today's web application technology that is commonly used to control access to restricted resources. However, poor design, coding flaws and weak user login credentials expose this functionality to Sequel Query Language Injection (SQLI) and online password guessing attacks. Current techniques advanced by researchers to address authentication attacks focus on only one of them, thus failing to envisage a scenario where the login form can be used to launch both SQLI and online password guessing attacks. To address this challenge, this paper presents an authentication solution that addresses the issue of SQLI and online password guessing attacks on the login form as implemented in generic web applications. The solution combines the use of plain text credentials that are cryptographically hashed at runtime with recognition-based graphical login credentials. The goal is to always guarantee access to a user account even when such an account is under attack, while at the same time ensuring a convenient and secure login experience for legitimate users. This is achieved by blocking the Internet Protocol (IP) address from which there are unsuccessful login attempts. Security tests show that the solution is not vulnerable to SQLI and online password guessing attacks.
