• PDF / 139,753 Bytes
• 9 Pages / 439.37 x 666.142 pts Page_size
• 21 Downloads / 252 Views

DOWNLOAD

REPORT

Abstract. Password generators that generate site-specific passwords on demand are an alternative to password managers. Over the last 15 years a range of such systems have been described. We propose the first general model for such systems, and critically examine options for instantiating it. The model enables an objective assessment of the design of such systems; it has also been used to sketch a possible new scheme, AutoPass, intended to incorporate the best features of the prior art while addressing many of the shortcomings of existing systems.

1

Introduction

Passwords remain a very widely used method for user authentication, despite widely shared concerns about the level of security they provide. There are many potential replacement technologies, including combinations of biometrics and trusted personal devices (e.g. as supported by protocols such as FIDO UAF [3]), but it seems likely that it will be some time before passwords are relegated to history. Given their current and likely future wide use, finding ways of improving the use and management of passwords remains a vitally important issue. We focus here on an important practical matter, namely how to make passwordbased user authentication to a website both more secure and more convenient. An important class of schemes designed to ease password use are password managers (what McCarney [12] calls retrieval password managers). A password manager stores user passwords and produces them when required (e.g. by autofilling-in login pages). Passwords can be stored either locally or on a trusted server; most browsers provide a local-storage password manager. However, the shortcomings of password managers have also been widely documented (see, e.g., McCarney [12]). Passwords stored on a user platform restrict user mobility, since they are not available when a user switches platform, e.g. from a laptop to a tablet or phone. However, if passwords are stored ‘in the cloud’, then there is a danger of compromise through poorly configured and managed servers, [2,8,13]. An alternative approach, which we consider here, involves generating sitespecific passwords on demand from a combination of inputs, including those supplied by the user and those based on the site itself. A number of schemes have been proposed but, apart from a brief summary by McCarney [12], they have c IFIP International Federation for Information Processing 2016  Published by Springer International Publishing Switzerland 2016. All Rights Reserved S. Foresti and J. Lopez (Eds.): WISTP 2016, LNCS 9895, pp. 245–253, 2016. DOI: 10.1007/978-3-319-45931-8 16

246

F. Al Maqbali and C.J. Mitchell

not been studied in a more general setting. The main purposes of this paper are to (a) provide a general model for password generation schemes, and (b) use the model to propose a new system combining the best features of existing schemes. This is the first time these schemes have been considered in a unified way.

2

Password Generators — A General Model

Password generators simplify user password management by generati

Recommend Documents

Self-Force and Inertia Old Light on New Ideas

135 55 4MB

Ideas in Marketing: Finding the New and Polishing the Old Proceeding

148 86 30MB

The Old and the New

203 8 233KB

Optimal Transport Old and New

236 27 9MB

Reproductive Ethics II New Ideas and Innovations

169 70 2MB

New Ideas: Ordinary is Extraordinary

161 77 430KB

Rethinking the Market Economy New challenges, new ideas, new opportu

176 95 103KB

Culture and Communication: Old and New

202 95 148KB

Endogenous Growth and Trade, Old and New

167 89 8MB

Scattering Theory: Some Old and New Problems

114 38 12MB

New Europe - Old Values? Reform and Perseverance

180 26 3MB

Old and New World Spanish Majolica Technology

179 70 3MB