About: Password management is a research topic. Over the lifetime, 643 publications have been published within this topic receiving 6533 citations.
Papers published on a yearly basis
20 May 2012
TL;DR: It is concluded that many academic proposals to replace text passwords for general-purpose user authentication on the web have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints.
Abstract: We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.
••12 Jul 2006
TL;DR: This study quantifies how many passwords undergraduates had and how often they reused them, and discusses how current systems support poor password practices and potential changes in website authentication systems and password managers.
Abstract: Given the widespread use of password authentication in online correspondence, subscription services, and shopping, there is growing concern about identity theft. When people reuse their passwords across multiple accounts, they increase their vulnerability; compromising one password can help an attacker take over several accounts. Our study of 49 undergraduates quantifies how many passwords they had and how often they reused these passwords. The majority of users had three or fewer passwords and passwords were reused twice. Furthermore, over time, password reuse rates increased because people accumulated more accounts but did not create more passwords. Users justified their habits. While they wanted to protect financial data and personal communication, reusing passwords made passwords easier to manage. Users visualized threats from human attackers, particularly viewing those close to them as the most motivated and able attackers; however, participants did not separate the human attackers from their potentially automated tools. They sometimes failed to realize that personalized passwords such as phone numbers can be cracked given a large enough dictionary and enough tries. We discuss how current systems support poor password practices. We also present potential changes in website authentication systems and password managers.
13 Mar 1996
TL;DR: In this article, a client system maintains a database of encrypted passwords and user IDs for remote servers to which the user is registered, and each remote server is accessed using a different password.
Abstract: A user operating a client system may access a plurality of remote servers requiring passwords for access by employing a master password. The master password is used to decrypt a stored password for a particular remote server to which the client desires access. The client system maintains a database of encrypted passwords and user IDs for remote servers to which the user is registered. Although each remote server is accessed using a different password, the user need only remember one master password. Since only the master password need be remembered, the passwords particular to specific remote sites may be made more random and thus more secure. Implementation of the password management system need not require modification of any remote servers.
••12 Jul 2006
TL;DR: Passpet is described, a tool that improves both the convenience and security of website logins through a combination of techniques, including password hashing, user-assigned site labels, and password-strengthening measures that defend against dictionary attacks.
Abstract: We describe Passpet, a tool that improves both the convenience and security of website logins through a combination of techniques. Password hashing helps users manage multiple accounts by turning a single memorized password into a different password for each account. User-assigned site labels (petnames) help users securely identify sites in the face of determined attempts at impersonation (phishing). Password-strengthening measures defend against dictionary attacks. Customizing the user interface defends against user-interface spoofing attacks. We propose new improvements to these techniques, discuss how they are integrated into a single tool, and compare Passpet to other solutions for managing passwords and preventing phishing.
22 Aug 2007
TL;DR: In this paper, a method and apparatus for password management and single signon (SSO) access based on trusted computing (TC) technology is presented. But the method is not suitable for single sign-on access.
Abstract: A method and apparatus for password management and single sign-on (SSO) access based on trusted computing (TC) technology. The methods implement the Trusted Computing Group (TCG)'s trusted platform module (TPM), which interacts with both proxy SSO unit and web-accessing applications to provide a secure, trusted mechanism to generate, store, and retrieve passwords and SSO credentials. The various embodiments of the present invention allow a user to hop securely and transparently from one site to another that belong to a pre-identified group of sites, after signing on just once to a secured proxy residing at the user's device.
Trending Questions (7)