Abstract
Since passwords are an unavoidable mechanism for authenticating to online services, experts often recommend using a password manager for better password security. However, adoption of password managers is low due to poor usability, the difficulty of migrating accounts to a manager, and users’ sense that a manager will not add value. In this paper, we present ByPass, a novel password manager that sits between the user and the website so that the manager and the website can communicate securely and directly. This direct communication allows ByPass to minimize the user actions needed to complete various password management tasks, including account registration, logins, and password changes. ByPass is designed to minimize errors and improve usability. We conducted a usability evaluation of ByPass and found that this approach shows promising usability and can help users manage their accounts more securely.
© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Stobert, E., Safaie, T., Molyneaux, H., Mannan, M., Youssef, A. (2020). ByPass: Reconsidering the Usability of Password Managers. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_24
DOI: https://doi.org/10.1007/978-3-030-63086-7_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-63085-0
Online ISBN: 978-3-030-63086-7
eBook Packages: Computer Science, Computer Science (R0)