
ByPass: Reconsidering the Usability of Password Managers

  • Conference paper
  • Published in: Security and Privacy in Communication Networks (SecureComm 2020)

Abstract

Since passwords remain an unavoidable mechanism for authenticating to online services, experts often recommend using a password manager to improve password security. However, adoption of password managers is low because of poor usability, the difficulty of migrating existing accounts into a manager, and users’ sense that a manager adds little value. In this paper, we present ByPass, a novel password manager that sits between the user and the website and communicates securely and directly with websites. This direct communication allows ByPass to minimize the user actions needed to complete common password management tasks, including account registration, login, and password changes. ByPass is designed to minimize errors and improve usability. We conducted a usability evaluation of ByPass and found that this approach shows promising usability and can help users manage their accounts more securely.




Author information

Corresponding author: Tina Safaie.


Copyright information

© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Stobert, E., Safaie, T., Molyneaux, H., Mannan, M., Youssef, A. (2020). ByPass: Reconsidering the Usability of Password Managers. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_24


  • DOI: https://doi.org/10.1007/978-3-030-63086-7_24
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-63085-0
  • Online ISBN: 978-3-030-63086-7
  • eBook Packages: Computer Science (R0)
