Although millions of users use passwords every day to protect important assets (e.g., online banking, trading, commerce, email, social networks, and enterprise resources), we do not know how to create secure and usable passwords. A typical computer user today has many password-protected online accounts: Amazon, eBay, PNC Bank, Gmail, etc.
Informally, a password management scheme is any method for creating and retrieving each password. A typical user has to select and remember a password for over one hundred different accounts. Many sites have vastly different password requirements: minimum length, maximum length, special characters, capitalization, etc. Intimidated by the prospect of remembering so many different passwords, many users adopt an insecure password management scheme: writing down passwords, reusing passwords, and picking weak (low-entropy) passwords. A large-scale study of password habits revealed that in 2007 a typical user had no more than 7 unique passwords and reused each password around 4 times on average. While there are many articles (and even several books) on how to generate good passwords, there is still a clear need to develop password management schemes which are both usable and secure.
I am interested in password management schemes which can be implemented on “human hardware”. A good password management scheme should be usable and secure. Informally, a password management scheme is usable if a human can create and recall passwords without too much effort. A secure password management scheme must provide concrete security guarantees even against an adversary who has already learned one or more of the user’s passwords. I have several goals:
1) Developing a mathematical framework for analyzing the security of a password management scheme.
2) Developing a mathematical framework for analyzing the usability of a password management scheme.
3) Evaluating the usability and security of existing password management schemes.
4) Developing new password management schemes.
Evaluating Password Management Schemes:
Comparison of Usability and Security of Password Creation Schemes (by Anne Wildenhain)
Comic (by Randall Munroe)