Usable and Secure Password Management

Although millions of users use passwords everyday to protect important assets (e.g., online banking, trading, commerce, email, social networks, and enterprise resources) we do not know how to create secure and usable passwords. A typical computer user today has many password protected online accounts: Amazon, eBay, PNC bank, Gmail, etc.. Informally, a password management scheme is any method for creating and retrieving each password. A typical user has to select and remember a password for over one-hundred different accounts. Many sites have vastly different password requirements: minimum length, maximum length, special characters, capitalization, etc. Intimidated by the prospect of remembering so many different passwords many users adopt an insecure password management scheme: writing down passwords, reusing passwords and picking weak (low entropy) passwords. A large scale study of password habits revealed that in 2007 a typical user had no more than 7 unique passwords and reused each password around 4 times on average. While there are many articles (and even several books) on how to generate good passwords, there is still a clear need to develop password management schemes which are usable and secure.

 

I am interested in password management schemes which can be implemented on “human hardware”. A good password management scheme should be usable and secure. Informally, a password management scheme is usable if a human can create and recall passwords without too much effort. A secure password management scheme must provide concrete security guarantees even against an adversary who has already learned one or more of the user’s passwords. I have several goals:

1)  I am developing a mathematical framework for analyzing the security of a password management scheme.

2)  I am developing a mathematical framework for analyzing the usability of a password management scheme.

3)  Evaluating the usability and security of existing password management schemes.

4)  Developing new password management schemes.

 

Strong Password Generator

 

Evaluating Password Management Schemes:

 

Comparison of Usability and Security of Password Creation Schemes (by Anne Wildenhain)

 

Comic (by Randal Munroe)

My Password Management Schemes:

Pictures as Cues

Person Action Object Stories

Shared Cues

Measuring Security:

          Understanding Adversary Attacks

          Economics of Password Cracking

          Problems with Previous Security Measures

          Human Randomness

          Our Security Model

Usability:

          High Level Suggestions

          Feats of Memory Anyone Can Do (Excellent Ted Talk by Joshua Foer)

          Our Memory Model