Securing Password Authentication for Web-based Applications
arXiv - CS - Networking and Internet Architecture, Pub Date: 2020-11-12, DOI: arxiv-2011.06257
Teik Guan Tan and Pawel Szalachowski and Jianying Zhou

The use of passwords and the need to protect passwords are not going away. The majority of websites that require authentication continue to support password authentication. Even high-security applications such as Internet Banking portals, which deploy 2-factor authentication, rely on password authentication as one of the authentication factors. However, phishing attacks continue to plague password-based authentication despite aggressive efforts in detection and takedown as well as comprehensive user awareness and training programs. There is currently no foolproof mechanism even for security-conscious websites to prevent users from being directed to fraudulent websites and having their passwords phished. In this paper, we apply a threat analysis on the web password login process, and uncover a design vulnerability in the HTML <input> field. This vulnerability can be exploited for phishing attacks because the web authentication process is not end-to-end secured from each input password field to the web server. We identify four properties that encapsulate the requirements to stop web-based password phishing, and propose a secure protocol to be used with a new credential field that complies with the four properties. We further analyze the proposed protocol through an abuse-case evaluation, discuss various deployment issues, and also perform a test implementation to understand its data and execution overheads.
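The point the abstract makes is that nothing ties the value leaving a password field to the server it was meant for: the browser hands the raw password to whichever origin served the form, so a look-alike site can simply replay what it captured. The following is an added Python model of that threat, written for this page and not taken from the paper. It runs the same phishing flow twice, once with the behaviour of today's HTML password field and once with a stand-in "origin-bound" credential field (PwdHash-style keyed hashing, chosen only to illustrate what end-to-end binding buys; the paper's own protocol and its four properties are not reproduced here). The origins, user name and password are constructed sample values.

```python
"""Model of the phishing threat against a web password field.

Added illustration, not the paper's code. Two hypothetical origins, one user,
a legitimate server and a phishing server. The only thing that changes between
the two runs is how the browser's credential field turns the typed password
into the value that leaves the browser.
"""
import hashlib
import hmac
import secrets

# Constructed sample origins; the phishing origin is a hypothetical look-alike.
LEGIT_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.net"
PBKDF2_ROUNDS = 50_000


def legacy_field_value(password: str, origin: str) -> str:
    """Today's <input type="password">: whatever origin served the form receives
    the raw password, so nothing binds it to the intended server."""
    return password


def origin_bound_field_value(password: str, origin: str) -> str:
    """Stand-in for a credential field that only releases a value bound to the
    origin it is being sent to (PwdHash-style keyed hash; NOT the paper's
    protocol). This only helps if the browser, not page script, performs it."""
    return hmac.new(password.encode(), origin.encode(), hashlib.sha256).hexdigest()


class Server:
    """Stores a salted, stretched hash of the field value it expects to receive."""

    def __init__(self, origin: str, field):
        self.origin = origin
        self.field = field
        self.users = {}

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        expected = self.field(password, self.origin)
        self.users[user] = (salt, self._stretch(expected, salt))

    def verify(self, user: str, submitted: str) -> bool:
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, self._stretch(submitted, salt))

    @staticmethod
    def _stretch(value: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


class Browser:
    """Submits the credential field's value to whatever origin served the form."""

    def __init__(self, field):
        self.field = field

    def submit(self, form_origin: str, user: str, password: str) -> tuple:
        return user, self.field(password, form_origin)


def phishing_succeeds(field) -> bool:
    """True if a look-alike site can replay what it captured at the real server."""
    legit = Server(LEGIT_ORIGIN, field)
    legit.register("alice", "correct horse battery staple")
    browser = Browser(field)

    # The user is lured to the look-alike origin and types the real password there.
    user, captured = browser.submit(PHISH_ORIGIN, "alice", "correct horse battery staple")

    # The phisher replays the captured value against the legitimate server.
    return legit.verify(user, captured)


def legitimate_login_works(field) -> bool:
    """Sanity check: the genuine flow still authenticates with either field."""
    legit = Server(LEGIT_ORIGIN, field)
    legit.register("alice", "correct horse battery staple")
    user, value = Browser(field).submit(LEGIT_ORIGIN, "alice", "correct horse battery staple")
    return legit.verify(user, value)


if __name__ == "__main__":
    for name, field in [("legacy field", legacy_field_value),
                        ("origin-bound field", origin_bound_field_value)]:
        print(f"{name}: login ok={legitimate_login_works(field)}, "
              f"phishing replay ok={phishing_succeeds(field)}")
```

With the legacy field the replay succeeds, because the server cannot distinguish a password typed into its own form from one typed into a look-alike. With the origin-bound field the captured value was keyed to the phishing origin and fails at the real server. The caveat is the one the abstract points at: if the binding is done by page script, a phishing page simply does not run that script and reads the raw field instead, so the step has to live in a field the browser controls rather than in the page.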

Updated: 2020-11-13