Title :
Notice of Violation of IEEE Publication Principles
Single password, multiple accounts
Author :
Saravanakumar, E. ; Mohan, Anupriya
Author_Institution :
Dept. of Comput. Sci. & Eng., Adhiyamaan Coll. of Eng., Hosur
Abstract :
Notice of Violation of IEEE Publication Principles
"Single Password, Multiple Accounts"
by E. Saravanakumar M. E. and Anupriya Mohan
in the Proceedings of the IEEE International Conference on Computer Communications and Networks (ICCCN), August 2008
After careful and considered review of the content and authorship of this paper by a duly constituted expert committee, this paper has been found to be in violation of IEEE's Publication Principles.
This paper is a near verbatim copy of the paper cited below. The original text was copied with insufficient attribution (including appropriate references to the original author(s) and/or paper title) and without permission.
Due to the nature of this violation, reasonable effort should be made to remove all past references to this paper, and future references should be made to the following article:
"SPP: An Anti-phishing Single Password Protocol"
by Mohamed G. Gouda, Alex X. Liu, Lok M. Leung, and Mohamed A. Alam
in the Journal of Computer Networks (COMNET) (Elsevier), Vol. 51, No. 13, September 2007, pp. 1389-1286
Most users have multiple accounts on the Internet where each account is protected by a password. To avoid the headache of remembering and managing a long list of different and unrelated passwords, most users simply use the same password for multiple accounts. Unfortunately, the predominant HTTP basic authentication protocol (even over SSL) makes this common practice remarkably dangerous: an attacker can effectively steal users' passwords for high-security servers (such as an online banking website) by setting up a malicious server or breaking into a low-security server (such as a high-school alumni website). Furthermore, the HTTP basic authentication protocol is vulnerable to phishing attacks because a client needs to reveal his password to the server that the client wants to log in to. The proposed scheme allows a client to securely use a single password across multiple servers, attacks. Our protocol achieves client authentication without the client revealing his password to the server at any point. Therefore, a compromised server cannot steal a client's password and replay it to another server. Our protocol is secure, efficient and user-friendly.
Keywords :
Internet; client-server systems; message authentication; transport protocols; HTTP basic authentication protocol; Internet; client authentication; high-security server; malicious server; multiple account; phishing attack; single password; steal user password; Authentication; Banking; Biometrics; Computer science; Educational institutions; Internet; Network servers; Protection; Protocols; Web server; Authentication; Network security; Password protocols; Protocol design;
Conference_Title :
Computing, Communication and Networking, 2008. ICCCn 2008. International Conference on
Conference_Location :
St. Thomas, VI
Print_ISBN :
978-1-4244-3594-4
DOI :
10.1109/ICCCNET.2008.4787702