Corpus ID: 235358914

Towards Formal Verification of Password Generation Algorithms used in Password Managers

@article{Grilo2021TowardsFV,
  title={Towards Formal Verification of Password Generation Algorithms used in Password Managers},
  author={Miguel Grilo and Jo{\~a}o Fernando Ferreira and Jos{\'e} Bacelar Almeida},
  journal={ArXiv},
  year={2021},
  volume={abs/2106.03626}
}
Password managers are important tools that enable us to use stronger passwords, freeing us from the cognitive burden of remembering them. Despite this, there are still many users who do not fully trust password managers. In this paper, we focus on a feature that most password managers offer that might impact the user’s trust, which is the process of generating a random password. We survey which algorithms are most commonly used and we propose a solution for a formally verified reference… 

Exploring Usable Security to Improve the Impact of Formal Verification: A Research Agenda

Proposes a research agenda to fill the gap in human-centered studies on the impact of formal verification on the use and adoption of formally verified software products, together with the first collection of studies on people’s mental models of formal verification and the associated security and privacy guarantees and threats.

Verified Password Generation from Password Composition Policies

A proof-of-concept prototype extends Bitwarden to generate only compliant passwords, solving a frequent user frustration with PMs, and demonstrates that the formally verified component can be integrated into an existing (and widely used) PM.

Studying Users' Willingness to Use a Formally Verified Password Manager

A large-scale study is designed, and planned for deployment, to confirm a preliminary user study suggesting that formal verification increases users’ willingness to use PMs, and to gather further insight into users' perceptions of formal verification in PMs.

On Usable Security and Verified Password Managers

This project proposes extending an existing PM by implementing relevant usability best practices and increasing transparency by educating users about how PMs work, and performs user studies that suggest that the solution improves the usability of the PM and that it was able to convey relevant information about its formally verified features.

Towards Improving the Usability of Password Managers

Usability challenges of PMs are reviewed, and the use of known usability best practices and techniques is proposed to extend and improve Bitwarden, a widely popular open-source PM.

References

Why do people adopt, or reject, smartphone password managers?

A study carried out to investigate factors that impeded or encouraged password manager adoption and found that a number of factors mediated during all three phases of adoption: searching, deciding and trialling.

Designing Password Policies for Strength and Usability

This work examines 15 password policies and identifies policies that are both more usable and more secure than commonly used policies that emphasize complexity rather than length requirements, contributing the first thorough examination of policies requiring longer passwords.

Evaluating the Accuracy of Password Strength Meters using Off-The-Shelf Guessing Attacks

The results show that a significant percentage of passwords classified as strong were cracked, thus suggesting that current password strength estimation methods can be improved.

Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection

This work proposes a novel methodology that draws on password probability distributions constructed from large sets of real-world password data which have been filtered according to various password composition policies, and shows that by fitting power-law equations to the passwords probability distributions generated, it can justify its choice of password composition policy without any direct access to user password data.

Why people (don't) use password managers effectively

A semi-structured interview study with 30 participants is described that allows for a more comprehensive picture of the mindsets underlying adoption and effective use of password managers and password-generation features and advocates tailored designs for these two mentalities.

Why Does Your Data Leak? Uncovering the Data Leakage in Cloud from Mobile Apps

This study designs a set of automated program analysis techniques including obfuscation-resilient cloud API identification and string value analysis, and implements them in a tool called LeakScope to identify the potential data leakage vulnerabilities from mobile apps based on how the cloud APIs are used.

Certified Password Quality - A Case Study Using Coq and Linux Pluggable Authentication Modules

It is shown how password quality policies can be expressed in Coq and how to use Coq’s code extraction features to automatically encode these policies as PAM modules that can readily be used by any Linux system.

So Much Promise, So Little Use: What is Stopping Home End-Users from Using Password Manager Applications?

It was found that issues related to the technology, individual issues such as perceived costs and benefits, and a lack of concern about the threat were the primary inhibitors of lack of use for those that had high intentions to use a password management application but failed to actually use the software.

Jasmin: High-Assurance and High-Speed Cryptography

Using the supercop framework, this work evaluates the Jasmin compiler on representative cryptographic routines and concludes that the code generated by the compiler is as efficient as fast, hand-crafted implementations.

EasyCrypt: A Tutorial

Machine-checked frameworks that support the construction and automated verification of cryptographic systems are developed to reason directly in the computational model commonly used by cryptographers to deliver rigorous and detailed mathematical proofs.