ABSTRACT
The most commonly adopted password management technique is to store web account passwords in a password manager and lock them with a master password. However, current online password managers do not hide the account passwords or the master password from the password manager itself. This is a real-world vulnerability, and it undermines user confidence, because malicious insiders and outsiders who compromise the password management service gain access to those passwords, a risk heightened by the service's online nature. We attempt to address this crucial vulnerability in the design of online password managers by proposing HIPPO, a cloud-based password manager that neither learns nor stores master passwords and account passwords. HIPPO is based on the cryptographic notion of device-enhanced password authenticated key exchange, proven by Jarecki et al. to resist online guessing attacks and dictionary attacks. We introduce the HIPPO protocol design and report on a full implementation of the system.
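The device-enhanced password protocols the abstract builds on (Jarecki et al.; SPHINX) rest on an oblivious PRF between the client and a key-holding party, so that the key holder only ever sees a blinded, random-looking value. The following Python is an added illustration of that building block, not HIPPO's own code; it simplifies the real protocols and uses an assumed toy safe-prime group and demo parameters rather than production elliptic-curve settings.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic, fine for a demo)."""
    if n < 4:
        return n > 1
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits):  # returns (p, q) with p = 2q + 1; squares mod p form a group of order q
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

def hash_to_group(p, data):  # map bytes to a non-trivial square mod p (the order-q subgroup)
    while True:
        h = pow(int.from_bytes(hashlib.sha256(data).digest(), "big") % p, 2, p)
        if h not in (0, 1):
            return h
        data += b"\x00"  # re-hash on the rare degenerate outputs

def client_blind(p, q, master_pw):  # client: blind H(pw) with fresh r; only the blind leaves
    r = secrets.randbelow(q - 2) + 2
    return pow(hash_to_group(p, master_pw), r, p), r

def device_evaluate(p, k, blinded):  # key holder: applies k to a random-looking element only
    return pow(blinded, k, p)

def client_unblind(p, q, response, r):  # client: strip the blind to obtain H(pw)^k
    return pow(response, pow(r, -1, q), p)

def derive_account_password(p, q, k, master_pw, site):  # full round trip, per-site output
    blinded, r = client_blind(p, q, master_pw)
    rwd = client_unblind(p, q, device_evaluate(p, k, blinded), r)
    return hashlib.sha256(rwd.to_bytes(p.bit_length() // 8 + 1, "big") + site).hexdigest()[:24]
```

Neither party can compute H(pw)^k alone: the client lacks k, and the key holder never sees H(pw), which is what blocks offline dictionary attacks by a compromised store.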
- [n. d.]. 1Password: Simple, Convenient Security. https://1password.com/.
- [n. d.]. 9 Popular Password Manager Apps Found Leaking Your Secrets. https://bit.ly/3h46lXX.
- [n. d.]. Dashlane Password Manager. https://www.dashlane.com/.
- [n. d.]. LastPass CEO reveals details on security breach. https://cnet.co/2ANDkz5.
- [n. d.]. LastPass remembers all your passwords across every device for free! https://lastpass.com/.
- [n. d.]. Password manager OneLogin hacked, exposing sensitive customer data. https://zd.net/3dKKlPJ.
- Nora Alkaldi and Karen Renaud. 2016. Why Do People Adopt, or Reject, Smartphone Password Managers?
- Daniel J. Bernstein, Mike Hamburg, Anna Krasnova, and Tanja Lange. 2013. Elligator: elliptic-curve points indistinguishable from uniform random strings.
- Joseph Bonneau. 2012. The science of guessing: analyzing an anonymized corpus of 70 million passwords. In Security and Privacy (SP), 2012 IEEE Symposium on. IEEE.
- Emiliano De Cristofaro, Honglu Du, Julien Freudiger, and Greg Norcie. 2013. A comparative usability study of two-factor authentication. arXiv preprint arXiv:1309.5344.
- Nancie Gunson, Diarmid Marshall, Hazel Morton, and Mervyn Jack. 2011. User perceptions of security and usability of single-factor and two-factor authentication in automated telephone banking. Computers & Security 30, 4, 208--220.
- J. Alex Halderman, Brent Waters, and Edward W. Felten. 2005. A convenient method for securely managing passwords. In Proceedings of the 14th International Conference on World Wide Web. ACM.
- Stanislaw Jarecki, Hugo Krawczyk, Maliheh Shirvanian, and Nitesh Saxena. 2016. Device-enhanced password protocols with optimal online-offline protection. In Proceedings of the 11th ACM Asia Conference on Computer and Communications Security. ACM.
- Stanislaw Jarecki, Hugo Krawczyk, Maliheh Shirvanian, and Nitesh Saxena. 2018. Two-factor authentication with end-to-end password security. In International Conference on Practice and Theory of Public Key Cryptography.
- Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song. 2014. The emperor's new password manager: Security analysis of web-based password managers. In 23rd USENIX Security Symposium (USENIX Security 14). 465--479.
- Arvind Narayanan and Vitaly Shmatikov. 2005. Fast dictionary attacks on passwords using time-space tradeoff. In Proceedings of the 12th ACM Conference on Computer and Communications Security. ACM.
- Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, and John C. Mitchell. 2005. Stronger password authentication using browser extensions. In USENIX Security Symposium.
- Maliheh Shirvanian, Stanislaw Jarecki, Hugo Krawczyk, and Nitesh Saxena. 2017. SPHINX: A password store that perfectly hides passwords from itself. In Distributed Computing Systems (ICDCS), 2017 IEEE 37th International Conference on. IEEE, 1094--1104.
- Furkan Tari, Ant Ozok, and Stephen H. Holden. 2006. A comparison of perceived and real shoulder-surfing risks between alphanumeric and graphical passwords. In Proceedings of the Second Symposium on Usable Privacy and Security. ACM.
- Luren Wang, Yue Li, and Kun Sun. 2016. Amnesia: a bilateral generative password manager. In Distributed Computing Systems (ICDCS), 2016 IEEE 36th International Conference on.
- Ka-Ping Yee and Kragen Sitaker. 2006. Passpet: convenient password management and phishing protection. In Proceedings of the Second Symposium on Usable Privacy and Security.
A hidden-password online password manager