Improvement of remote user authentication schemes using passwords

Password authentication scheme is a promising and practical solution to remote user authentication. The security of an authentication scheme using strong graphical passwords basing on hash function was analyzed. The scheme can not resist to stolen-verifier attack. The adversary can pretend to be a server to cheat a legal user to send him authentication message, and then it masquerades as a legal user by creating a valid login message, passes the authentication phase and gains the authority of a legitimate user without knowing user password. An enhanced scheme was proposed in which smart card is used for storing server authentication message. The server and user can authenticate each other. The adversary can personate neither server nor user and can not get useful login message from eavesdropped communication. The enhanced scheme can withstand replay attack, denial-of-service attack, password-guessing attack, forgery attack, password-file compromise attack and inside attack as the former scheme. It can also withstand stolen-verifier attack and smart card loss attack.