Hasso-Plattner-Institut (25 Years of HPI)

Password-based Authentication: Attacks & Defenses (Summer Semester 2022)

Lecturers: Prof. Dr. Anja Lehmann (Cyber Security - Identity Management), Dennis Dayanikli (Cyber Security - Identity Management)

General Information

  • Weekly contact hours (SWS): 2
  • ECTS: 3
  • Graded: Yes
  • Enrollment period: 01.04.2022 - 30.04.2022
  • Examination date per §9 (4) BAMA-O: 12.08.2022
  • Course type: Seminar
  • Course category: Compulsory elective module
  • Language of instruction: English
  • Maximum number of participants: 10

Degree Programs, Module Groups & Modules

Cybersecurity MA
IT-Systems Engineering MA
  • ISAE: Internet, Security & Algorithm Engineering
    • HPI-ISAE-T Techniques and Tools
    • HPI-ISAE-K Concepts and Methods
    • HPI-ISAE-S Specialization
Data Engineering MA
Digital Health MA


Password-based authentication is the process of gaining access to resources one is entitled to with the help of a set of credentials consisting of a username and a password. The credentials are typically stored in a service provider's database during registration and used to authenticate an end user when they try to log in. Despite long-standing claims that the concept of passwords is "dead", password-based authentication remains the most widely used user authentication mechanism due to its user experience and convenience.

Password-based authentication poses challenges both for end users and for service providers. On the one hand, end users struggle with choosing "good" passwords for each service and securely managing all of their credentials. On the other hand, service providers struggle with keeping their credential databases secret.


In this seminar, we will explore different attacks and defense mechanisms for password-based authentication methods, and investigate their progress in current cryptographic research. These topics include:

  • Password Cracking / Password Modeling (How to effectively guess user passwords.)
  • Password Managers (How password managers help end users to choose better passwords and to manage them.)
  • Password Hashing (How a service provider can strengthen the security of its database by hashing the passwords using slow hash functions.)
  • Password Authenticated Key Exchange (How end users can authenticate to the service provider without leaking any information about their passwords.)
  • Honey Passwords (How to include decoy password entries in a server's database to detect data breaches.)
  • Password Protected Secret Sharing (How to share a high-entropy secret across multiple servers, protected by a password.)
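The Password Hashing and Honey Passwords items above describe two server-side defenses that fit together naturally: slow, salted hashing makes every offline guess against a leaked database expensive, and honeywords (decoy entries stored beside the real hash) turn a use of the leaked data into a detectable event. The following is an added example, not material from the seminar or its papers; it uses PBKDF2-HMAC-SHA256 from Python's standard library as the slow hash (the iteration count and record format are assumptions of this example) and a minimal honeyword store whose decoys are supplied by the caller.

```python
import hashlib
import hmac
import secrets

# Example parameters (assumed for this illustration): PBKDF2-HMAC-SHA256 with a
# high iteration count. The iteration count is the "slowness" knob; raising it
# makes each offline guess cost the attacker as much as one login costs the server.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh per-password salt defeats precomputation
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest using the salt and iteration count stored in the record."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:  # malformed record: wrong field count, bad hex, or bad int
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


class HoneywordStore:
    """Constructed example of a honeyword-protected credential store.

    For each user the main store keeps k hashed "sweetwords" (the real password
    plus k-1 decoys) in shuffled order. A separate, minimal "honeychecker" keeps
    only the index of the real one, so a dump of the main store alone does not
    reveal which entry is genuine, and a login with a decoy signals a breach.
    """

    def __init__(self, iterations: int = ITERATIONS):
        self.iterations = iterations
        self.sweetwords: dict[str, list[str]] = {}  # main store: user -> k records
        self.honeychecker: dict[str, int] = {}      # separate store: user -> real index

    def register(self, username: str, password: str, decoys: list[str]) -> None:
        # Decoys must differ from the real password and from each other. Generating
        # decoys that are indistinguishable from the real password is the hard part
        # of the scheme and is left to the caller in this example.
        if password in decoys or len(set(decoys)) != len(decoys):
            raise ValueError("decoys must be distinct and differ from the password")
        sweetwords = decoys + [password]
        order = list(range(len(sweetwords)))
        # Fisher-Yates shuffle driven by a CSPRNG so the real index is unpredictable.
        for i in range(len(order) - 1, 0, -1):
            j = secrets.randbelow(i + 1)
            order[i], order[j] = order[j], order[i]
        self.sweetwords[username] = [
            hash_password(sweetwords[k], self.iterations) for k in order
        ]
        # Position at which the real password (last element of sweetwords) landed.
        self.honeychecker[username] = order.index(len(sweetwords) - 1)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'fail', or 'alarm' (a decoy was submitted: likely breach)."""
        records = self.sweetwords.get(username)
        if records is None:
            return "fail"
        # Check every record rather than stopping at the first hit, so the response
        # time does not reveal the position of the matching entry.
        matches = [verify_password(password, r) for r in records]
        if not any(matches):
            return "fail"
        if matches[self.honeychecker[username]]:
            return "ok"
        # A decoy matched: the value can only have come from a copy of the main
        # store, so deny access and raise an alarm for the operators.
        return "alarm"


if __name__ == "__main__":
    store = HoneywordStore(iterations=20_000)  # lowered only to keep the demo quick
    store.register("alice", "correct horse", ["correct mouse", "correct goose"])
    for attempt in ("correct horse", "correct goose", "wrong"):
        print(attempt, "->", store.login("alice", attempt))
```

Two design points worth noticing: the record format stores its own iteration count, so the server can raise the cost for new registrations without breaking existing users, and the honeychecker holds nothing but an index, so it can be isolated on a separate system with a far smaller attack surface than the main database. The early return for an unknown username is a simplification; a production service would also spend the hashing cost on unknown users so that user existence is not revealed through response time.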


Each participant will be assigned a research paper and present its topic in a talk. After the kick-off phase, participants will have time to study their assigned paper and prepare their presentation. We will then meet every two weeks, and in each meeting two participants will present their assigned papers. At the end of the semester, participants also hand in a brief written report on their findings.

The course is limited to max. 10 participants. Priority is given to Cybersecurity students.


Basic knowledge of cryptography.


The detailed list of research papers will be available in the course Moodle: https://moodle.hpi.de/course/view.php?id=290

In coordination with the teaching staff, other password-related research papers can also be presented.


The grade will be based on the presentation (70%), the written report (20%) and active participation in the seminar (10%).


The seminar will be held on Thursdays, 11.00-12.30, in G3.E.15/16.

Preliminary Schedule:

  • Week 1: Kick-off lecture introducing the different problem statements and relevant literature
  • Week 2: Topic assignment
  • Bi-weekly from week 6: presentation of papers and discussion (each participant 45 min).
  • End of semester: hand in the written report