1 J. Alex Halderman

A Convenient Method for Securely Managing

PasswordsJ. Alex

HaldermanPrinceton

Brent WatersStanford

Edward W. Felten

Princeton

2 J. Alex Halderman

• Web site password overloadGenerating, keeping secret, and recalling

passwords for scores of sites

• Leads to insecure coping techniques– Writing passwords down– Reusing same passwords

• Difficult to enforce better behaviorWe need to make password security

easy

****ing Passwords!

3 J. Alex Halderman

In This Talk

1. Approaches to password management

2. Our construction and its security

3. Comparison with other techniques

4. Demonstration of our implementation

5. Future work and conclusions

4 J. Alex Halderman

Approaches to Password Mgmt

• Local encrypted storagee.g., Password Safe (1998)– Cumbersome to access from multiple locations

• Centralized remote authenticatione.g., Microsoft Passport (1999)– Needs server-side changes, trusted third party

• Cryptographic password generatione.g., LPWA (1997), PwdHash (2004),

our scheme (2004)

5 J. Alex Halderman

Password Generators

Master Password“amazon.com”

Hash()

“wrbPzdqS”Use as your Amazon password

A simple idea, but hard to get right!

• E.g.: LPWA, PwdHash• Client software derives

individual site passwords using deterministic one-way function

• Users sets all site passwords to function output

• Only need to remember master password to recreate all site passwords—highly transportable!

6 J. Alex Halderman

==

Stealing the Master Password

Adversary learnspassword from low-security site

Password Guess

“yahoo.com”

Hash()

“RWwsYlTi”

“LZIniBNd” “LZIniBNd”

=?

Dictionary attack to learn master

password

Can access all otherpassword-managed

sites

“rover”“lassie”“spot”

“fido”

“LZIniBNd”“H2VeusSq”“CJPZfAKx” amazon.com wrbPzdqSgmail.com obIDmoglcitibank.com sX4rLlO1

“spot”

Easy to execute because scheme use fast hashes

7 J. Alex Halderman

Thwarting Brute Force Attacks

attack cost = ½ × dictionary size × cost per guess

• Hard to increase dictionary sizeUser habits hard to change, limits on human memory

• Increase cost per guess by using slower hash– Used elsewhere to protect password verification

routines (UNIX crypt)– Our approach: iterated hash

• Security vs. usability tradeoff User has to wait too! — Cache intermediate results

8 J. Alex Halderman

Our ConstructionMaster password

“MyD06ReX”User identity

“jhalderm@princeton.edu”

Hk1()

“wrb8zdqS”User’s site passwordfor “amazon.com”

Hk2() Target site“amazon.com”

LocalCache

(k1 >> k2)Init

ializ

ati

on

Ph

ase

Gen

era

tion

Ph

ase

Mapping

Master password(again)

9 J. Alex Halderman

Security Analysis

Four attack scenarios:1. No information2. Stolen site password3. Stolen cache data4. Stolen cache + site

password

Primary concern is offline attacks.

?

?

?

Increasingexternaldifficulty

10 J. Alex Halderman

Security of Our Scheme

Attack scenarioHashes/guess

Time/guess

1. No information N/A N/A

2. Stolen site password k1+k2100.1s

3. Stolen cache data k1 100s

4. Stolen cache + site password

k2 0.1s

11 J. Alex Halderman

Relative Attack Resistance

Estimated time to test 100,000 guesses

SchemeStolen password

Stolendata

Stolen pwand data

Password Safe

N/A 74.6 secs 74.6 secs

LPWA 0.5 secs N/A N/A

PwdHash 0.1 secs N/A N/A

Our Scheme 116 days 116 days 2.8 hours

12 J. Alex Halderman

Equivalent Password Length

Our Scheme

LPWA

PwdHash

****

********

*********

13 J. Alex Halderman

Password Multiplier• Extension for Mozilla Firefox

Windows, Mac OS X, and Linux

• Tightly integrated with browserDouble-click any password field to fill in

• Balanced security and convenience– Initialization — 108 iterations, ~100 seconds

(Only once per installation)– Password generation — 105 iterations, ~0.1

secs(Before every password operation)

14 J. Alex Halderman

Password Multiplier — Demo

15 J. Alex Halderman

Future Improvements• Flexible password formatting

Cope with sites that require numbers, punctuation, special patterns

• Easier password changesManually and at regular intervals

• Improved anti-spoofingAdopt techniques from PwdHash

• Port to Internet Explorer, others

Require additional “state”

16 J. Alex Halderman

Summary — Our scheme:• Provides password access from anywhere our

software can be executed

• Asks user to remember only one short password

• Requires no server-side changes

• Does not require trusting a third-party service

• Nearly as secure as independent random pwds

• Likely much more secure than what you do now

• Is practical, available today, and freehttp://www.cs.princeton.edu/~jhalderm/projects/password/

17 J. Alex Halderman

A Convenient Method for Securely Managing

PasswordsJ. Alex

HaldermanPrinceton

Brent WatersStanford

Edward W. Felten

Princeton