Addressing online dictionary attacks with login histories and humans-in-the-loop (extended abstract)

Pinkas and Sander's (2002) login protocol protects against online guessing attacks by employing human-in-the-loop techniques (also known as Reverse Turing Tests or RTTs). We first note that this, and other protocols involving RTTs, are susceptible to minor variations of well-known middle-person attacks, and suggest techniques to address such attacks. We then present complementary modifications in what we call a history-based protocol with RTT's. Preliminary analysis indicates that the new protocol offer opportunities for improved security, improved user-friendliness (fewer RTTs to legitimate users), and greater flexibility (e.g. in customizing protocol parameters to particular situations).