Repository hosted by TU Delft Library

Home · Contact · About · Disclaimer ·

Client-server password recovery

Publication files not online:

Author: Chmielewski, Ł. · Hoepman, J.H. · Rossum, P. van
Institution: TNO Informatie- en Communicatietechnologie
Source:On the Move to Meaningful Internet Systems, OTM 2009, 861-878
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Identifier: 427544
doi: doi:10.1007/978-3-642-05151-7_8
Keywords: Informatics · Passwords · Human memory · Partial knowledge · Password-based authentication · Recovery procedure · Threshold encryption · Cryptography · Internet protocols · Recovery


Human memory is not perfect - people constantly memorize new facts and forget old ones. One example is forgetting a password, a common problem raised at IT help desks. We present several protocols that allow a user to automatically recover a password from a server using partial knowledge of the password. These protocols can be easily adapted to the personal entropy setting [7], where a user can recover a password only if he can answer a large enough subset of personal questions. We introduce client-server password recovery methods, in which the recovery data are stored at the server, and the recovery procedures are integrated into the login procedures. These methods apply to two of the most common types of password based authentication systems. The security of these solutions is significantly better than the security of presently proposed password recovery schemes. For our protocols we propose a variation of threshold encryption [5, 8, 16] that might be of independent interest. © Springer-Verlag 2009.