Title :
Hacking resistance protocol for securing passwords using personal device
Author :
Kumari, C.Shyamala ; Rani, M.Deepa
Author_Institution :
Department of Computer Science and Engineering, Pandian Saraswathi Yadav Engineering College, Arasanoor, Sivagangai Dt., Tamil Nadu, India
Abstract :
Users' passwords are prone to being stolen and compromised under different threats and vulnerabilities. Firstly, users often select weak passwords and reuse the same passwords across different websites. An adversary can launch several password-stealing attacks to snatch passwords, such as phishing, keyloggers and malware. In this paper, we design a hacking resistance protocol for system access (login) and other applications requiring authentication that is secure against passive attacks based on replaying captured reusable passwords. This protocol evolved from S/KEY (S/KEY is a trademark of Bellcore). The authentication system described in this document uses a secret pass-phrase to generate a sequence of one-time passwords. With this system, the user's secret pass-phrase never needs to cross the network at any time, such as during authentication or during pass-phrase changes. Thus, it is not vulnerable to replay attacks. Added security is provided by the property that no secret information need be stored on any system, including the server being protected. The security of the system is based on the non-invertibility of a secure hash function. Such a function must be tractable to compute in the forward direction, but computationally infeasible to invert. This protocol leverages a user's cell phone and short message service to thwart password hacking.
Keywords :
Browsers; Computer crime; Protocols; Servers; Hacking Resistance; Hash Function; Network Security; One-Time Password; Password Stealing;
Conference_Title :
Intelligent Systems and Control (ISCO), 2013 7th International Conference on
Conference_Location :
Coimbatore, Tamil Nadu, India
Print_ISBN :
978-1-4673-4359-6
DOI :
10.1109/ISCO.2013.6481198