Password Generators: Old Ideas and New
Abstract. Password generators that generate site-specific passwords on demand are an alternative to password managers. Over the last 15 years a range of such systems have been described. We propose the first general model for such systems, and critically examine options for instantiating it. The model enables an objective assessment of the design of such systems; it has also been used to sketch a possible new scheme, AutoPass, intended to incorporate the best features of the prior art while addressing many of the shortcomings of existing systems.
1 Introduction
Passwords remain a very widely used method for user authentication, despite widely shared concerns about the level of security they provide. There are many potential replacement technologies, including combinations of biometrics and trusted personal devices (e.g. as supported by protocols such as FIDO UAF [3]), but it seems likely that it will be some time before passwords are relegated to history. Given their current and likely future wide use, finding ways of improving the use and management of passwords remains a vitally important issue. We focus here on an important practical matter, namely how to make password-based user authentication to a website both more secure and more convenient.

An important class of schemes designed to ease password use are password managers (what McCarney [12] calls retrieval password managers). A password manager stores user passwords and produces them when required (e.g. by auto-filling login pages). Passwords can be stored either locally or on a trusted server; most browsers provide a local-storage password manager. However, the shortcomings of password managers have also been widely documented (see, e.g., McCarney [12]). Passwords stored on a user platform restrict user mobility, since they are not available when a user switches platform, e.g. from a laptop to a tablet or phone. However, if passwords are stored ‘in the cloud’, then there is a danger of compromise through poorly configured and managed servers [2,8,13].

An alternative approach, which we consider here, involves generating site-specific passwords on demand from a combination of inputs, including those supplied by the user and those based on the site itself. A number of schemes have been proposed but, apart from a brief summary by McCarney [12], they have not been studied in a more general setting. The main purposes of this paper are to (a) provide a general model for password generation schemes, and (b) use the model to propose a new system combining the best features of existing schemes. This is the first time these schemes have been considered in a unified way.

F. Al Maqbali and C.J. Mitchell. © IFIP International Federation for Information Processing 2016. Published by Springer International Publishing Switzerland 2016. All Rights Reserved. S. Foresti and J. Lopez (Eds.): WISTP 2016, LNCS 9895, pp. 245–253, 2016. DOI: 10.1007/978-3-319-45931-8_16
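As an added illustration of the approach described above (this is example code written for this page, not the paper's AutoPass scheme or any of the systems it surveys), the following Python generator derives a site-specific password on demand from a user-supplied master secret and an identifier taken from the site itself, so nothing has to be stored. The URL normalisation rule, the output alphabet and the PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Output alphabet (an assumption for this example): 73 printable characters.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#%+,-.:=@_"
KDF_ITERATIONS = 200_000  # assumed work factor; tune for the target platform


def site_key(url: str) -> str:
    """Normalise a URL to a stable site identifier.

    Scheme, port, path and a leading 'www.' are dropped, so the same password is
    produced for every login page of one site, while a look-alike domain (one
    character off) yields an unrelated password.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _expand(key: bytes, length: int) -> str:
    """Map a derived key onto ALPHABET without bias, using an HMAC output stream."""
    limit = 256 - 256 % len(ALPHABET)  # 219: largest multiple of 73 below 256
    out, block = [], 0
    while len(out) < length:
        stream = hmac.new(key, block.to_bytes(4, "big"), "sha256").digest()
        block += 1
        for b in stream:
            if b < limit and len(out) < length:  # rejection sampling keeps each char equiprobable
                out.append(ALPHABET[b % len(ALPHABET)])
    return "".join(out)


def generate_password(master: str, url: str, counter: int = 0, length: int = 16) -> str:
    """Derive a site-specific password from (master secret, site identifier, counter).

    The derivation is deterministic, so the password is regenerated rather than
    stored; incrementing `counter` rotates the password for one site without
    touching the master secret or any other site's password.
    """
    salt = f"{site_key(url)}|{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ITERATIONS, dklen=32)
    return _expand(key, length)


if __name__ == "__main__":
    # Constructed sample inputs; the master secret here is for demonstration only.
    print(generate_password("correct horse battery staple", "https://www.example.com/login"))
```

Because the site identifier is the KDF salt, the user must remember only the master secret and, if used, the per-site counter; the cost of the scheme is that the master secret becomes a single point of compromise, which is exactly the trade-off the model in this paper is meant to make explicit.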
2 Password Generators — A General Model
Password generators simplify user password management by generati