DOI: 10.1145/2683467.2683471
research-article

A Password Manager that Doesn't Remember Passwords

Published: 15 September 2014

ABSTRACT

The problems with passwords are well-known: secure passwords are difficult to remember, users have too many passwords, and users have difficulty matching their passwords to accounts. Password managers and cued graphical passwords are two password solutions that address the issues of memorability and keeping track of passwords. We have developed Versipass, a password manager that incorporates key elements of password managers and cued graphical passwords to avoid existing problems of password memorability and associating passwords with accounts. Instead of remembering passwords, Versipass remembers image cues for graphical passwords. These cues help users to better remember their passwords and to more easily link passwords with accounts. Versipass also facilitates safe password reuse by allowing users to use the same image cue for multiple accounts.


Published in

NSPW '14: Proceedings of the 2014 New Security Paradigms Workshop
September 2014
148 pages
ISBN: 9781450330626
DOI: 10.1145/2683467

Copyright © 2014 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

NSPW '14 paper acceptance rate: 11 of 32 submissions, 34%
Overall acceptance rate: 62 of 170 submissions, 36%
