Getting web authentication right a best-case protocol for the remaining life of passwords

Joseph Bonneau

Research output: Chapter in Book/Report/Conference proceedingConference contribution


We outline an end-to-end password authentication protocol for the web designed to be stateless and as secure as possible given legacy limitations of the web browser and performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers able to observe both network traffic and the server's database state. At the same time, our scheme is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume TLS is available for initial login and no other public-key cryptographic operations, but successfully defend against cookie-stealing and cookie-forging attackers and provide strong resistance to password guessing attacks.

Original languageEnglish (US)
Title of host publicationSecurity Protocols XIX - 19th International Workshop, Revised Selected Papers
Number of pages7
StatePublished - 2011
Event19th International Security Protocols Workshop - Cambridge, United Kingdom
Duration: Mar 28 2011Mar 30 2011

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume7114 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other19th International Security Protocols Workshop
Country/TerritoryUnited Kingdom

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'Getting web authentication right a best-case protocol for the remaining life of passwords'. Together they form a unique fingerprint.

Cite this