Sean Oesch,Scott Ruoti

DOI: https://doi.org/10.48550/arXiv.1908.03296

2019-08-09

Cryptography and Security

Abstract:Password managers have the potential to help users more effectively manage their passwords and address many of the concerns surrounding password-based authentication, however prior research has identified significant vulnerabilities in existing password managers. Since that time, five years has passed, leaving it unclear whether password managers remain vulnerable or whether they are now ready for broad adoption. To answer this question, we evaluate thirteen popular password managers and consider all three stages of the password manager lifecycle--password generation, storage, and autofill. Our evaluation is the first analysis of password generation in password managers, finding several non-random character distributions and identifying instances where generated passwords were vulnerable to online and offline guessing attacks. For password storage and autofill, we replicate past evaluations, demonstrating that while password managers have improved in the half-decade since those prior evaluations, there are still significant issues, particularly with browser-based password managers; these problems include unencrypted metadata, unsafe defaults, and vulnerabilities to clickjacking attacks. Based on our results, we identify password managers to avoid, provide recommendations on how to improve existing password managers, and identify areas of future research.

Andrés Fábrega,Armin Namavari,Rachit Agarwal,Ben Nassi,Thomas Ristenpart

2024-08-14

Abstract:This work explores injection attacks against password managers. In this setting, the adversary (only) controls their own application client, which they use to "inject" chosen payloads to a victim's client via, for example, sharing credentials with them. The injections are interleaved with adversarial observations of some form of protected state (such as encrypted vault exports or the network traffic received by the application servers), from which the adversary backs out confidential information. We uncover a series of general design patterns in popular password managers that lead to vulnerabilities allowing an adversary to efficiently recover passwords, URLs, usernames, and attachments. We develop general attack templates to exploit these design patterns and experimentally showcase their practical efficacy via analysis of ten distinct password manager applications. We disclosed our findings to these vendors, many of which deployed mitigations.

Cryptography and Security

Sanam Ghorbani Lyastani,Michael Schilling,Sascha Fahl,Sven Bugiel,Michael Backes

DOI: https://doi.org/10.48550/arXiv.1712.08940

2017-12-24

Abstract:Despite their well-known security problems, passwords are still the incumbent authentication method for virtually all online services. To remedy the situation, end-users are very often referred to password managers as a solution to the password reuse and password weakness problems. However, to date the actual impact of password managers on password security and reuse has not been studied systematically. In this paper, we provide the first large-scale study of the password managers' influence on users' real-life passwords. From 476 participants of an online survey on users' password creation and management strategies, we recruit 170 participants that allowed us to monitor their passwords in-situ through a browser plugin. In contrast to prior work, we collect the passwords' entry methods (e.g., human or password manager) in addition to the passwords and their metrics. Based on our collected data and our survey, we gain a more complete picture of the factors that influence our participants' passwords' strength and reuse. We quantify for the first time that password managers indeed benefit the password strength and uniqueness, however, also our results also suggest that those benefits depend on the users' strategies and that managers without password generators rather aggravate the existing problems.

Cryptography and Security

Hirak Ray,Flynn Wolf,Ravi Kuber,Adam J. Aviv

DOI: https://doi.org/10.48550/arXiv.2010.01973

2020-10-05

Cryptography and Security

Abstract:Password managers (PMs) are considered highly effective tools for increasing security, and a recent study by Pearman et al. (SOUPS'19) highlighted the motivations and barriers to adopting PMs. We expand these findings by replicating Pearman et al.'s protocol and interview instrument applied to a sample of strictly older adults (>60 years of age), as the prior work focused on a predominantly younger cohort. We conducted n=26 semi-structured interviews with PM users, built-in browser/operating system PM users, and non-PM users. The average participant age was 70.4 years. Using the same codebook from Pearman et al., we showcase differences and similarities in PM adoption between the samples, including fears of a single point of failure and the importance of having control over one's private information. Meanwhile, older adults were found to have higher mistrust of cloud storage of passwords and cross-device synchronization. We also highlight PM adoption motivators for older adults, including the power of recommendations from family members and the importance of education and outreach to improve familiarity.

Yu-Tao Liu,Dong Du,Yu-Bin Xia,Hai-Bo Chen,Bin-Yu Zang,Zhenkai Liang

DOI: https://doi.org/10.1007/s11390-018-1810-y

IF: 1.871

2018-01-01

Journal of Computer Science and Technology

Abstract:Using a password manager is known to be more convenient and secure than not using one, on the assumption that the password manager itself is safe. However recent studies show that most popular password managers have security vulnerabilities that may be fooled to leak passwords without users' awareness. In this paper, we propose a new password manager, SplitPass, which vertically separates both the storage and access of passwords into two mutually distrusting parties. During login, all the parties will collaborate to send their password shares to the web server, but none of these parties will ever have the complete password, which significantly raises the bar of a successful attack to compromise all of the parties. To retain transparency to existing applications and web servers, SplitPass seamlessly splits the secure sockets layer (SSL) and transport layer security (TCP) sessions to process on all parties, and makes the joining of two password shares transparent to the web servers. We have implemented SplitPass using an Android phone and a cloud assistant and evaluated it using 100 apps from top free apps in the Android official market. The evaluation shows that SplitPass securely protects users' passwords, while incurring little performance overhead and power consumption.

Raul Gonzalez,Eric Y. Chen,Collin Jackson

DOI: https://doi.org/10.48550/arXiv.1309.1416

2013-09-06

Abstract:To encourage users to use stronger and more secure passwords, modern web browsers offer users password management services, allowing users to save previously entered passwords locally onto their hard drives. We present Lupin, a tool that automatically extracts these saved passwords without the user's knowledge. Lupin allows a network adversary to obtain passwords as long as the login form appears on a non-HTTPS page. Unlike existing password sniffing tools, Lupin can obtain passwords for websites users are not visiting. Furthermore, Lupin can extract passwords embedded in login forms with a destination address served in HTTPS. To determine the number of websites vulnerable to our attack, we crawled the top 45,000 most popular websites from Alexa's top website list and discovered that at least 28% of these sites are vulnerable. To further demonstrate the feasibility of our attack, we tested Lupin under controlled conditions using one of the authors' computers. Lupin was able to extract passwords from 1,000 websites in less than 35 seconds. We suggest techniques for web developers to protect their web applications from attack, and we propose alternative designs for a secure password manager.

Cryptography and Security

Anuj Gautam,Tarun Kumar Yadav,Kent Seamons,Scott Ruoti

DOI: https://doi.org/10.48550/arXiv.2402.06159

2024-02-09

Abstract:Password-based authentication faces various security and usability issues. Password managers help alleviate some of these issues by enabling users to manage their passwords effectively. However, malicious client-side scripts and browser extensions can steal passwords after they have been autofilled by the manager into the web page. In this paper, we explore what role the password manager can take in preventing the theft of autofilled credentials without requiring a change to user behavior. To this end, we identify a threat model for password exfiltration and then use this threat model to explore the design space for secure password entry implemented using a password manager. We identify five potential designs that address this issue, each with varying security and deployability tradeoffs. Our analysis shows the design that best balances security and usability is for the manager to autofill a fake password and then rely on the browser to replace the fake password with the actual password immediately before the web request is handed over to the operating system to be transmitted over the network. This removes the ability for malicious client-side scripts or browser extensions to access and exfiltrate the real password. We implement our design in the Firefox browser and conduct experiments, which show that it successfully thwarts malicious scripts and extensions on 97\% of the Alexa top 1000 websites, while also maintaining the capability to revert to default behavior on the remaining websites, avoiding functionality regressions. Most importantly, this design is transparent to users, requiring no change to user behavior.

Cryptography and Security

Vivek Nair,Dawn Song

DOI: https://doi.org/10.48550/arXiv.2306.14746

2023-06-26

Cryptography and Security

Abstract:While password managers are a vital tool for internet security, they can also create a massive central point of failure, as evidenced by several major recent data breaches. For over 20 years, deterministic password generators (DPGs) have been proposed, and largely rejected, as a viable alternative to password management tools. In this paper, we survey 45 existing DPGs to asses the main security, privacy, and usability issues hindering their adoption. We then present a new multi-factor deterministic password generator (MFDPG) design that aims to address these shortcomings. The result not only achieves strong, practical password management with zero credential storage, but also effectively serves as a progressive client-side upgrade of weak password-only websites to strong multi-factor authentication.

Hua Wang,Yao Guo,Xia Zhao,Xiangqun Chen

DOI: https://doi.org/10.1109/AINA.2008.109

2008-01-01

Abstract:TPM is able to provide strong secure storage for sensitive data such as passwords. Although several commercial password managers have used TPM to cache passwords, they are not capable of protecting passwords during verification. This paper proposes a new TPM-based password caching and verification method called PwdCaVe. In addition to using TPM in password caching, PwdCaVe also uses TPM during password verification. In PwdCaVe, all password-related computations are performed in the TPM. PwdCaVe guarantees that once a password is cached in the TPM, it will be protected by the TPM through the rest of its lifetime, thus eliminating the possibility that passwords might be attacked in memory. A prototype of PwdCaVe is implemented on Linux to demonstrate its feasibility.

Moritz Horsch,Johannes Braun,Dominique Metz,Johannes Buchmann

DOI: https://doi.org/10.48550/arXiv.1704.02883

2017-04-26

Abstract:It is practically impossible for users to memorize a large portfolio of strong and individual passwords for their online accounts. A solution is to generate passwords randomly and store them. Yet, storing passwords instead of memorizing them bears the risk of loss, e.g., in situations where the device on which the passwords are stored is damaged, lost, or stolen. This makes the creation of backups of the passwords indispensable. However, placing such backups at secure locations to protect them as well from loss and unauthorized access and keeping them up-to-date at the same time is an unsolved problem in practice. We present PASCO, a backup solution for passwords that solves this challenge. PASCO backups need not to be updated, even when the user's password portfolio is changed. PASCO backups can be revoked without having physical access to them. This prevents password leakage, even when a user loses control over a backup. Additionally, we show how to extend PASCO to enable a fully controllable emergency access. It allows a user to give someone else access to his passwords in urgent situations. We also present a security evaluation and an implementation of PASCO.

Cryptography and Security

Qingli Guo,Jing Ye,Bing Li,Yu Hu,Xiaowei Li,Yazhu Lan,Guohe Zhang

DOI: https://doi.org/10.1016/j.vlsi.2018.10.003

IF: 1.345

2019-01-01

Integration

Abstract:Secure passwords need high entropy, but are difficult for users to remember. Password managers minimize the memory burden by storing site passwords locally or generating secure site passwords from a master password through hashing or key stretching. Unfortunately, they are threatened by the single point of failure introduced by the master password which is vulnerable to various attacks such as offline attack and shoulder surfing attack. To handle these issues, this paper proposes the PUFPass, a secure password management mechanism based on software/hardware codesign. By introducing the hardware primitive, Physical Unclonable Function (PUF), into PUFPass, the random physical disorder is exploited to strengthen site passwords. An illustration of PUFPass in the Android operating system is given. PUFPass is evaluated from aspects of both security and preliminary usability. The security of the passwords is evaluated using a compound heuristic algorithm based PUF attack software and an open source password cracking software, respectively. Finally, PUFPass is compared with other password management mechanisms using the Usability-Deployability-Security (UDS) framework. The results show that PUFPass has great advantages in security while maintaining most benefits in usability.

Simone Raponi,Roberto Di Pietro

DOI: https://doi.org/10.48550/arXiv.1804.07016

2018-04-25

Abstract:The widespread usage of password authentication in online websites leads to an ever-increasing concern, especially when considering the possibility for an attacker to recover the user password by leveraging the loopholes in the password recovery mechanisms. Indeed, if a website adopts a poor password management system, this choice makes useless even the most robust password chosen by its users. In this paper, we first provide a survey of currently adopted password recovery mechanisms. Later, we model an attacker with different capabilities and we show how current password recovery mechanisms can be exploited in our attacker model. Then, we provide a thorough analysis of the password management of some of the Alexa's top 200 websites in different countries, including England, France, Germany, Spain and Italy. Of these 1,000 websites, 722 do not require authentication -- and hence are excluded by our study -- while out of the remaining 278 we focused on 174, since 104 demanded a complex registration procedure. Of these 174, almost 25% of the them have critical vulnerabilities, while 44% have some form of vulnerability. Finally, we propose some effective countermeasures and we point out that, by considering the entry into force of the General Data Protection Regulation (GDPR) in May, 2018, most of websites are not compliant with the legislation and may incur in heavy fines. This study, other than being important on its own since it highlights some severe current vulnerabilities and proposes corresponding remedies, has the potential to also have a relevant impact on the EU industrial ecosystem.

Cryptography and Security

Michael Farcasin,Akhileshwar Guli,Eric Chan-Tin

DOI: https://doi.org/10.48550/arXiv.1708.09333

2017-08-30

Abstract:Password leaks have been frequently reported in recent years, with big companies like Sony, Amazon, LinkedIn, and Walmart falling victim to breaches involving the release of customer information. Even though passwords are usually stored in a salted hash, attackers still guess passwords because of insecure password choices and password reuse. However, the adverse effects of a password breach can be mitigated by changing users' passwords. We introduce a simple yet powerful algorithm to reset user account passwords automatically, while still allowing users to authenticate without any additional effort on their part. We implemented our algorithm as a Firefox add-on that automatically resets a user's password when they log in to their account, and stores the new password in the built-in Firefox password manager.

Cryptography and Security

Naomi Woods,Mikko Siponen

DOI: https://doi.org/10.1016/j.cose.2023.103589

IF: 5.105

2024-02-01

Computers & Security

Abstract:Password reuse and modification are insecure password behaviors that are becoming increasingly prevalent as users are obliged to remember more passwords to access various digital services. Many users adopt these risky behaviors as a memory strategy in the belief that they have too many passwords for their memories to cope with. One important avenue in password research is metamemory, which encompasses the knowledge and understanding of memory capabilities and strategies. Previous research on password metamemory has examined the role that metamemory plays in memory performance (i.e., how well memory performs) and password recall. However, no previous research to date has investigated whether password reuse and modification are adopted as memory strategies due to an increase in knowledge and understanding of metamemory. To address this gap, two survey studies (Study1: N = 50, Study 2: N = 303) were implemented to examine the role that password metamemory plays in reusing and modifying passwords. Our findings suggest that of all metamemory constructs, users’ anxiety regarding their perceived ability to remember passwords can influence them to reuse and modify their passwords. These findings have potentially important implications because with an enhanced understanding of how users’ anxiety towards remembering passwords influences their security behavior, this could identify means of reducing password reuse and modification, thereby increasing password security and ultimately reduce some of the consequences of insecure password behaviors.

computer science, information systems

Huiping Sun,Ke Wang,Xu Li,Nan Qin,Zhong Chen

DOI: https://doi.org/10.1145/2785830.2785880

2015-01-01

Abstract:Existing graphical passwords require users to proactively memorize their secrets and meanwhile these schemes are vulnerable to shoulder surfing attacks. We propose a novel graphical password scheme, PassApp, which utilizes users' everyday memory about installed apps on mobile devices as shared secrets. As the registration stage is no longer needed, PassApp exempts users from additional memory burden and greatly enhances user experience. Additionally, PassApp owns a large password set and only a small part of passwords may be exposed during a login. Therefore, PassApp has a natural advance on effectively resisting guessing attacks and shoulder surfing attacks. Our user studies demonstrate that PassApp performs well with a reasonable login time (7.27s) and a high success rate (95.48%). Our security analysis shows PassApp can effectively withstand one-time shoulder surfing attacks and on average 30 times of shoulder surfing are necessary to expose all passwords.

Gilbert Notoatmodjo,Clark D. Thomborson

2009-01-01

Abstract:The security of many computer systems hinges on the secrecy of a single word - if an adversary obtains knowledge of a password, they will gain access to the resources controlled by this password. Human users are the 'weakest link' in password control, due to our propensity to reuse passwords and to create weak ones. Policies which forbid such unsafe password practices are often violated, even if these policies are well-advertised. We have studied how users perceive their accounts and their passwords. Our participants mentally classified their accounts and passwords into a few groups, based on a small number of perceived similarities. Our participants used stronger passwords, and reused passwords less, in account groups which they considered more important. Our participants thus demonstrated awareness of the basic tenets of password safety, but they did not behave safely in all respects. Almost half of our participants reused at least one of the passwords in their high-importance accounts. Our findings add to the body of evidence that a typical computer user suffers from 'password overload'. Our concepts of password and account grouping point the way toward more intuitive user interfaces for password-and account-management systems.

Yiming Zhao,Wenting Li,Zijian Zhang,Ping Wang

DOI: https://doi.org/10.1109/BigDataService.2019.00029

2019-01-01

Abstract:Based on the ecological user memory, this paper establishes a security strategy model (SSM) to quantify the memory cost of passwords and the value of accounts to users in assword expiration strategy. This paper introduces the theory of human ecological memory to explain the memory cost of account password to users. We experiment on 304 users to prove that when users modify a single account, the security benefits of modifying a high-value account are greater for users. In the case of modifying multiple accounts, modifying accounts with password reuse will gain greater security for users. Experimental results show that when users modify password accounts, adding personal information can increase password strength to some extent while minimizing memory costs. In this paper, we for the first time use user ecological memory as one of the criteria to evaluate user security benefits, which might be the trend of future research on user behavior creating and password modification policy.

Sam Parker,Haiyue Yuan,Shujun Li

DOI: https://doi.org/10.1109/VizSec60606.2023.00011

2024-02-18

Abstract:Passwords remain the most widely used form of user authentication, despite advancements in other methods. However, their limitations, such as susceptibility to attacks, especially weak passwords defined by human users, are well-documented. The existence of weak human-defined passwords has led to repeated password leaks from websites, many of which are of large scale. While such password leaks are unfortunate security incidents, they provide security researchers and practitioners with good opportunities to learn valuable insights from such leaked passwords, in order to identify ways to improve password policies and other security controls on passwords. Researchers have proposed different data visualisation techniques to help analyse leaked passwords. However, many approaches rely solely on frequency analysis, with limited exploration of distance-based graphs. This paper reports PassViz, a novel method that combines the edit distance with the t-SNE (t-distributed stochastic neighbour embedding) dimensionality reduction algorithm for visualising and analysing leaked passwords in a 2-D space. We implemented PassViz as an easy-to-use command-line tool for visualising large-scale password databases, and also as a graphical user interface (GUI) to support interactive visual analytics of small password databases. Using the "000webhost" leaked database as an example, we show how PassViz can be used to visually analyse different aspects of leaked passwords and to facilitate the discovery of previously unknown password patterns. Overall, our approach empowers researchers and practitioners to gain valuable insights and improve password security through effective data visualisation and analysis.

Cryptography and Security

Sean Oesch,Anuj Gautam,Scott Ruoti

DOI: https://doi.org/10.48550/arXiv.2104.10017

2021-04-20

Cryptography and Security

Abstract:Password managers help users more effectively manage their passwords, encouraging them to adopt stronger passwords across their many accounts. In contrast to desktop systems where password managers receive no system-level support, mobile operating systems provide autofill frameworks designed to integrate with password managers to provide secure and usable autofill for browsers and other apps installed on mobile devices. In this paper, we evaluate mobile autofill frameworks on iOS and Android, examining whether they achieve substantive benefits over the ad-hoc desktop environment or become a problematic single point of failure. Our results find that while the frameworks address several common issues, they also enforce insecure behavior and fail to provide password managers sufficient information to override the frameworks' insecure behavior, resulting in mobile managers being less secure than their desktop counterparts overall. We also demonstrate how these frameworks act as a confused deputy in manager-assisted credential phishing attacks. Our results demonstrate the need for significant improvements to mobile autofill frameworks. We conclude the paper with recommendations for the design and implementation of secure autofill frameworks.

Hengwei Zhang,Jingxin Hong,Jun Hu

DOI: https://doi.org/10.1109/ICASID.2016.7873914

2016-01-01

Abstract:In the Internet era, there are a lot of places that require a password, such as login forum, e-mile, MSN, etc. How to effectively remember the password? It has become a required course to people. KeePass Password Safe is designed to solve the problem that human can't remember so many passwords, which contains a strong password generation engine and encryption storage function, and provides a secure password storage space, As a result, people may manage all the password safely only need to remember an initial password, and the security of the document mainly through the software's own encryption functions to ensure. But with the new method of crack and the speed of the computer running speed, its security has been on a risk. In this paper, we analyzed the latest version of KeePass encryption/decryption mechanism, and then designed a comparison experiment with earlier version, the experiment used brute-force means to recover the password on CPU-based platform and GPU-based platform respectively. We analyzed the security of KeePass through the experiment result at last.