AI Summary
This work addresses the vulnerability of password-authenticated key exchange (PAKE) protocols to reverse online guessing attacks, in which an adversary impersonates the server in order to verify guesses of a user's password, a threat made possible by the absence of server authentication in PKI-free settings. The paper presents the first systematic formalization of the feasibility and impact of such attacks and shows that the conventional defenses against online guessing (server-side failure counting, rate limiting and lockout) are ineffective against them, because the party that would have to detect the attempts is the client, not the server. It argues that servers should, by default, be authenticated by mechanisms stronger than the user's password. Through security protocol analysis, attack modeling and evaluation in real-world contexts such as WPA3-SAE, the study shows that reverse online guessing is highly effective against PAKE deployments that rely solely on the password, in particular where clients are attacked indiscriminately or log in automatically. The authors recommend enabling a pure password-based PAKE mode only as a fallback when all other server authentication mechanisms fail, offering guidance for ongoing PAKE standardization.
Abstract
Though not yet widely deployed, password-authenticated key exchange (PAKE) protocols have been the subject of several recent standardization efforts, partly because of their resistance against various guessing attacks, but also because they do not require a public-key infrastructure (PKI), making them naturally resistant against PKI failures. The goal of this paper is to reevaluate the PAKE model by noting that the absence of a PKI -- or, more generally, of a mechanism aside from the password for authenticating the server -- makes such protocols vulnerable to reverse online guessing attacks, in which an adversary attempts to validate password guesses by impersonating a server. While their logic is similar to traditional guessing, where the attacker impersonates a client, reverse guessing poses a unique risk because the burden of detection is shifted to the clients, rendering existing defenses against traditional guessing moot. Our results demonstrate that reverse guessing is particularly effective when an adversary attacks clients indiscriminately, such as in phishing or password-spraying attacks, or for applications with automated login processes or a universal password, such as WPA3-SAE. Our analysis suggests that stakeholders should, by default, authenticate the server using more stringent measures than just the user's password, and that a password-only mode of operation should be a last resort against catastrophic security failures when other authentication mechanisms are not available.
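To make the asymmetry the abstract describes concrete, the following is an added example that is not part of the paper: a toy SPAKE2-style balanced PAKE with key confirmation, written in a few dozen lines of Python with only the standard library. The group (integers mod the Mersenne prime 2^127 - 1, generator 3), the hash-to-group for the blinding points M and N, the client-confirms-first message order, the lockout threshold of three failures and the candidate password list are all assumptions made for this illustration and are not taken from the paper or from any deployed protocol. The code compares traditional online guessing (attacker as client against the real server, stopped by the server's lockout) with reverse online guessing (attacker as server, one guess checked per victim connection, while the real server's failure counter never moves).

```python
"""Toy SPAKE2-style PAKE with key confirmation, used to show how a reverse online
guessing attack checks one password guess per session from the server side while the
real server's lockout counter never moves. Added example; not the paper's code."""
import hashlib
import hmac
import secrets

# Toy group: integers mod the Mersenne prime 2^127 - 1 with generator 3.
# Far too small for real use; it only keeps the example fast.
P = (1 << 127) - 1
G = 3


def hash_to_group(label: bytes) -> int:
    """Toy hash-to-group: M and N must have no known discrete log w.r.t. G."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % P


M = hash_to_group(b"toy-PAKE-M")
N = hash_to_group(b"toy-PAKE-N")


def pw_scalar(password: str) -> int:
    """Password -> exponent w (a real PAKE would use a memory-hard KDF here)."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")


def confirm_tag(key: int, X: int, Y: int, role: bytes) -> bytes:
    """Key-confirmation MAC over the transcript (X, Y) under the shared key."""
    k = hashlib.sha256(key.to_bytes(16, "big")).digest()
    msg = role + X.to_bytes(16, "big") + Y.to_bytes(16, "big")
    return hmac.new(k, msg, hashlib.sha256).digest()


def shared_key(peer_msg: int, blind: int, w: int, secret: int) -> int:
    """Strip the password blinding (blind^w) from the peer's message, then raise to own secret."""
    unblinded = peer_msg * pow(pow(blind, w, P), -1, P) % P
    return pow(unblinded, secret, P)


class Client:
    """Initiator: sends X = G^x * M^w, then confirms first (client-confirms-first variant)."""
    def __init__(self, password: str):
        self.w = pw_scalar(password)
        self.x = secrets.randbelow(P - 2) + 1
        self.X = pow(G, self.x, P) * pow(M, self.w, P) % P

    def confirm(self, Y: int) -> bytes:
        K = shared_key(Y, N, self.w, self.x)  # (Y / N^w)^x == G^(xy) iff both used the same w
        return confirm_tag(K, self.X, Y, b"client")


class Server:
    """Honest server: responds Y = G^y * N^w, verifies the client tag, locks after LOCKOUT failures."""
    LOCKOUT = 3  # constructed threshold for the toy

    def __init__(self, password: str):
        self.w = pw_scalar(password)
        self.failures = 0

    def respond(self, X: int) -> int:
        self.y = secrets.randbelow(P - 2) + 1
        self.X, self.Y = X, pow(G, self.y, P) * pow(N, self.w, P) % P
        return self.Y

    def verify(self, client_tag: bytes) -> bool:
        if self.failures >= self.LOCKOUT:
            return False  # account locked: the classic defense against online guessing
        K = shared_key(self.X, M, self.w, self.y)
        ok = hmac.compare_digest(confirm_tag(K, self.X, self.Y, b"client"), client_tag)
        if not ok:
            self.failures += 1
        return ok


def forward_guess(server: Server, candidates):
    """Traditional online guessing: attacker plays the client against the real server."""
    for pw in candidates:
        if server.failures >= Server.LOCKOUT:
            return None  # lockout stops the attack
        attacker = Client(pw)
        Y = server.respond(attacker.X)
        if server.verify(attacker.confirm(Y)):
            return pw
    return None


def reverse_guess(victim_password: str, candidates):
    """Reverse online guessing: attacker plays the server; each victim connection tests one guess.
    The real server is never contacted, so its failure counter stays at zero."""
    real_server = Server(victim_password)
    for pw in candidates:
        victim = Client(victim_password)  # e.g. a device auto-joining a network it knows
        w_guess, y = pw_scalar(pw), secrets.randbelow(P - 2) + 1
        Y = pow(G, y, P) * pow(N, w_guess, P) % P  # fake server's message under the guess
        tag = victim.confirm(Y)                     # victim confirms; nothing on its side counts
        K_guess = shared_key(victim.X, M, w_guess, y)
        if hmac.compare_digest(confirm_tag(K_guess, victim.X, Y, b"client"), tag):
            return pw, real_server.failures
    return None, real_server.failures


CANDIDATES = ["123456", "password", "qwerty", "letmein"]  # constructed guess list
```

Run `forward_guess(Server("letmein"), CANDIDATES)` and the honest server locks the account after three wrong confirmations, so the fourth, correct, guess is never checked. Run `reverse_guess("letmein", CANDIDATES)` and the attacker recovers the password on the fourth victim connection while `real_server.failures` is still zero: the only party that saw four failed sessions is the client, which in this toy (as in most deployments) keeps no count and simply reconnects. With a server-confirms-first message order the attacker learns the same one bit per session from whether the client aborts or continues, so the order does not change the picture.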