A Novel Verification Scheme to Resist Online Password Guessing Attacks

User name and password are the most commonly used user authentication scheme in information systems. Strong passwords are secure but difficult to remember, so many users prefer easy-to-remember passwords. These weak passwords are also easily guessed by attackers, leading to online password guessing attacks, posing a serious security threat to information systems. Providing a reliable user authentication scheme to allow legitimate users to login while preventing online password guessing attacks is a challenge. We define a formal statistical model for the behavior of users and attackers, and differentiate users and attackers according to this model. The proposed solution computes the entropy of the passwords entered by the user and considers the user legitimate only if the entropy does not exceed a threshold. We show that entropy is an effective feature to distinguish legitimate users from attackers. We also show that the proposed user authentication scheme is effective in identifying password guessing attacks, even if the user chooses a common password. The new scheme adds an extra layer of protection to passwords, which is especially important for weak passwords. The scheme is a slight modification of the existing scheme, so it can be easily integrated into existing systems.