Verified Password Generation from Password Composition Policies

  • Conference paper
Integrated Formal Methods (IFM 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13274))

Abstract

Password managers (PMs) are important tools that enable the use of stronger passwords, freeing users from the cognitive burden of remembering them. Despite this, there are still many users who do not fully trust PMs. In this paper, we focus on a feature that most PMs offer that might impact the user’s trust, which is the process of generating a random password. We present three of the most commonly used algorithms and we propose a solution for a formally verified reference implementation of a password generation algorithm. We use EasyCrypt to specify and verify our reference implementation. In addition, we present a proof-of-concept prototype that extends Bitwarden to only generate compliant passwords, solving a frequent users’ frustration with PMs. This demonstrates that our formally verified component can be integrated into an existing (and widely used) PM.

Notes

  1. https://github.com/passcert-project/pw_generator_server.

  2. https://source.chromium.org/chromium/chromium/src/+/master:components.

  3. https://github.com/bitwarden.

  4. https://github.com/dlech/KeePass2.x.

  5. https://github.com/passcert-project/random-password-generator/blob/main/EC/PasswordGenerationTh.eca.

  6. https://github.com/passcert-project/random-password-generator/blob/main/EC/passCertRPG_ref.ec.

  7. https://github.com/passcert-project/random-password-generator/blob/main/EC/passCertRPG_ref.ec.

  8. https://github.com/passcert-project/random-password-generator/blob/main/EC/RPGTh.eca.

  9. https://github.com/apple/password-manager-resources/blob/main/tools/PasswordRulesParser.js.

  10. https://github.com/apple/password-manager-resources/blob/main/quirks/password-rules.json.

  11. https://github.com/bitwarden/browser/pull/2047#issuecomment-978846599.

  12. A search on Google Scholar shows one relevant paper [17], which is the abstract of an informal talk delivered by our team.

  13. PassCert project: https://passcert-project.github.io.

References

  1. Alkaldi, N., Renaud, K.: Why do people adopt, or reject, smartphone password managers? In: 1st European Workshop on Usable Security-EuroUSEC 2016 (2016)

  2. Almeida, J.B., et al.: Jasmin: high-assurance and high-speed cryptography. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1807–1823 (2017)

  3. Almeida, J.B., et al.: The last mile: high-assurance and high-speed cryptographic implementations. In: 2020 IEEE Symposium on Security and Privacy (SP) (2020)

  4. Almeida, J.B., et al.: Machine-checked proofs for cryptographic standards: indifferentiability of sponge and secure high-assurance implementations of SHA-3. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (2019)

  5. Apple. Customizing Password AutoFill Rules (2021). https://developer.apple.com/documentation/security/password_autofill/customizing_password_autofill_rules. Accessed 31 July 2021

  6. Apple. Web sites won’t accept Safari generated strong passwords due to dashes or other criteria (2021). https://discussions.apple.com/thread/251341081. Accessed 26 Oct 2021

  7. Barthe, G., Dupressoir, F., Grégoire, B., Kunz, C., Schmidt, B., Strub, P.-Y.: EasyCrypt: a tutorial. In: Aldini, A., Lopez, J., Martinelli, F. (eds.) FOSAD 2012-2013. LNCS, vol. 8604, pp. 146–166. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10082-1_6

  8. Bellare, M., Rogaway, P.: Code-based game-playing proofs and the security of triple encryption. IACR Cryptology ePrint Archive 2004/331 (2004)

  9. Bond, B., et al.: Vale: verifying high-performance cryptographic assembly code. In: 26th USENIX Security Symposium, pp. 917–934 (2017)

  10. Carreira, C., Ferreira, J.F., Mendes, A.: Towards improving the usability of password managers. In: INFORUM (2021)

  11. Carreira, C., Ferreira, J.F., Mendes, A., Christin, N.: Exploring usable security to improve the impact of formal verification: a research agenda. In: First Workshop on Applicable Formal Methods (Co-Located with Formal Methods 2021) (2021)

  12. Chiasson, S., van Oorschot, P.C., Biddle, R.: A usability study and critique of two password managers. In: USENIX Security Symposium, vol. 15, pp. 1–16 (2006)

  13. EA. Password Does Not Meet Requirements (2021). https://web.archive.org/web/20210817105229/answers.ea.com/t5/EA-General-Questions/quot-Password-Does-Not-Meet-Requirements-quot/td-p/5744758. Accessed 26 Oct 2021

  14. Erbsen, A., Philipoom, J., Gross, J., Sloan, R., Chlipala, A.: Simple high-level code for cryptographic arithmetic - with proofs, without compromises. In: 2019 IEEE Symposium on Security and Privacy, SP 2019, pp. 1202–1219. IEEE (2019)

  15. Ferreira, J.F., Johnson, S.A., Mendes, A., Brooke, P.J.: Certified password quality. In: Polikarpova, N., Schneider, S. (eds.) IFM 2017. LNCS, vol. 10510, pp. 407–421. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66845-1_27

  16. Florencio, D., Herley, C.: A large-scale study of web password habits. In: Proceedings of the 16th International Conference on World Wide Web, pp. 657–666 (2007)

  17. Grilo, M., Ferreira, J.F., Almeida, J.B.: Towards formal verification of password generation algorithms used in password managers. arXiv preprint arXiv:2106.03626 (2021)

  18. Horsch, M., Schlipf, M., Braun, J., Buchmann, J.: Password requirements markup language. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9722, pp. 426–439. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40253-6_26

  19. Johnson, S., Ferreira, J.F., Mendes, A., Cordry, J.: Skeptic: automatic, justified and privacy-preserving password composition policy selection. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 101–115 (2020)

  20. Oesch, S., Ruoti, S.: That was then, this is now: a security evaluation of password generation, storage, and autofill in browser-based password managers. In: USENIX Security Symposium (2020)

  21. Pearman, S., Zhang, S.A., Bauer, L., Christin, N., Cranor, L.F.: Why people (don’t) use password managers effectively. In: Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), pp. 319–338. USENIX Association, Santa Clara (2019)

  22. Pereira, D., Ferreira, J.F., Mendes, A.: Evaluating the accuracy of password strength meters using off-the-shelf guessing attacks. In: 2020 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), pp. 237–242. IEEE (2020)

  23. Shay, R., et al.: Designing password policies for strength and usability. ACM Trans. Inf. Syst. Secur. (TISSEC) 18(4), 1–34 (2016)

  24. Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology ePrint Archive 2004/332 (2004)

  25. Stajano, F., Spencer, M., Jenkinson, G., Stafford-Fraser, Q.: Password-manager friendly (PMF): semantic annotations to improve the effectiveness of password managers. In: Mjølsnes, S.F. (ed.) PASSWORDS 2014. LNCS, vol. 9393, pp. 61–73. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24192-0_4

  26. TechNet. Can’t create local user “Password does not meet password policy requirements” - but it does (2021). https://web.archive.org/web/20211026082725/. https://social.technet.microsoft.com/Forums/en-US/12b06881-ea1a-403d-aafb-99bbe7d4d1b0/cant-create-local-user-quotpassword-does-not-meet-password-policy-requirementsquot-but-it?forum=win10itprosecurity. Accessed 26 Oct 2021

  27. Zinzindohoué, J.-K., Bhargavan, K., Protzenko, J., Beurdouche, B.: HACL*: a verified modern cryptographic library. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1789–1806. Association for Computing Machinery, New York (2017). ISBN: 9781450349468

  28. Zuo, C., Lin, Z., Zhang, Y.: Why does your data leak? Uncovering the data leakage in cloud from mobile apps. In: 2019 IEEE Symposium on Security and Privacy (SP). IEEE (2019)

Acknowledgments

This work was partially funded by the PassCert project, a CMU Portugal Exploratory Project funded by Fundação para a Ciência e Tecnologia (FCT), with reference CMU/TIC/0006/2019 and supported by national funds through FCT under project UIDB/50021/2020.

Author information

Correspondence to João F. Ferreira.

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Grilo, M., Campos, J., Ferreira, J.F., Almeida, J.B., Mendes, A. (2022). Verified Password Generation from Password Composition Policies. In: ter Beek, M.H., Monahan, R. (eds) Integrated Formal Methods. IFM 2022. Lecture Notes in Computer Science, vol 13274. Springer, Cham. https://doi.org/10.1007/978-3-031-07727-2_15

  • DOI: https://doi.org/10.1007/978-3-031-07727-2_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07726-5

  • Online ISBN: 978-3-031-07727-2

  • eBook Packages: Computer Science (R0)
