
A Secure Password Manager

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Year of Publication: 2019
Authors:
Chaitanya Rahalkar, Dhaval Gujar
10.5120/ijca2019919323

Chaitanya Rahalkar and Dhaval Gujar. A Secure Password Manager. International Journal of Computer Applications 178(44):5-9, August 2019. BibTeX

@article{10.5120/ijca2019919323,
	author = {Chaitanya Rahalkar and Dhaval Gujar},
	title = {A Secure Password Manager},
	journal = {International Journal of Computer Applications},
	issue_date = {August 2019},
	volume = {178},
	number = {44},
	month = {Aug},
	year = {2019},
	issn = {0975-8887},
	pages = {5-9},
	numpages = {5},
	url = {http://www.ijcaonline.org/archives/volume178/number44/30831-2019919323},
	doi = {10.5120/ijca2019919323},
	publisher = {Foundation of Computer Science (FCS), NY, USA},
	address = {New York, USA}
}

Abstract

The Internet has grown exponentially over the past decade, and as a consequence, the amount of data generated is increasing day by day. Online services are growing, and to keep these services personalised and organised, users create online accounts. Over the past few years, incidents of data breaches have surfaced over the Internet, and there are some which are not even public knowledge. [8] Account passwords and personal information leaked from these data breaches are then misused or sold on the Internet. Cracking hashed passwords is not too difficult if the passwords are among commonly used ones. [14] A Google / Harris Poll conducted in February 2019 concluded that 52% of people use the same password for multiple accounts. [6] Hence, even if one of them is compromised, all of their accounts are consequently compromised. To solve this problem, password managers were introduced. A password manager uses a master password that is the key to an encrypted vault. This vault contains critical data and passwords to various accounts. [10] It also generates secure passwords that ensure the security of one’s account. The advantage of these password managers is that the user is required to remember just a single master password, instead of multiple passwords for different accounts. A single password can decrypt the encrypted vault, allowing the user to access the password required for a particular account. They typically operate in either an offline or an online manner. Both require the use of a master password to unlock the rest of the passwords. [11] Both approaches suffer from their own set of problems. The offline version requires that the file containing the encrypted passwords be transported everywhere, syncing the same file across many devices requires additional effort from the user, and if the file is lost, so are the passwords.
The online version solves the sync and loss-of-file problems, but it adds the requirement of an active Internet connection, alongside the possibility of a security breach. Also, confidential and private data is stored at remote locations, which may produce a feeling of mistrust if the underlying architectural details of the algorithms used and the security of the servers are kept hidden from the users. Data breaches may even occur on these servers. Thus, we propose an offline password manager that does not store passwords anywhere. These passwords are not even stored on the device of the user, but are generated on-the-fly using the algorithm, by providing the master password.
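The on-the-fly generation described in the abstract can be illustrated with the following added example. It is not the authors' algorithm (the abstract does not give it): it assumes scrypt [13] as the key derivation function, and the salt layout, cost parameters, character policy and function names are assumptions chosen for illustration.

```python
import hashlib
import string

# Assumed password policy: one character from every class, 16 characters.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*-_=+")
ALPHABET = "".join(CLASSES)


def _byte_stream(master: str, site: str, login: str, counter: int):
    """Yield scrypt output for one account, block after block."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (site.strip().lower(), login, str(counter))
    salt = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode()
                    for f in fields)
    block = 0
    while True:
        # Assumed cost: N=2^14, r=8, p=1 (about 16 MiB per derivation).
        yield from hashlib.scrypt(master.encode(),
                                  salt=salt + block.to_bytes(4, "big"),
                                  n=2**14, r=8, p=1, dklen=64,
                                  maxmem=64 * 2**20)
        block += 1


def site_password(master: str, site: str, login: str,
                  counter: int = 1, length: int = 16) -> str:
    """Recompute the password for (site, login); nothing is stored."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    limit = 256 - 256 % len(ALPHABET)  # reject bytes that would bias the modulo
    chars = []
    for byte in _byte_stream(master, site, login, counter):
        if byte >= limit:
            continue
        chars.append(ALPHABET[byte % len(ALPHABET)])
        if len(chars) == length:
            candidate = "".join(chars)
            if all(any(c in cls for c in candidate) for cls in CLASSES):
                return candidate
            chars.clear()  # policy not met: draw the next candidate


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample value
    print(site_password(master, "example.com", "alice"))
    print(site_password(master, "example.com", "alice", counter=2))  # rotated
```

Because there is no vault, rotating a single password means incrementing `counter`, and a leaked site password lets an attacker test master-password guesses offline, which is why the derivation is deliberately expensive.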

References

  1. #1 Password Manager & Vault App, Enterprise SSO & MFA | LastPass. https://www.lastpass.com/.
  2. keypass.info. https://keepass.info/.
  3. Master Password: Home. http://www.masterpasswordapp.com/.
  4. OnlyKey Hardware Password Manager | One PIN to remember. https://onlykey.io/.
  5. Password Manager for Families, Businesses, Teams. http://1password.com/.
  6. Password Practices Still Poor, Google Says | SecurityWeek.Com. https://www.securityweek.com/password-practices-still-poor-google-says.
  7. Portable password manager. https://patents.google.com/patent/US20040193925A1/en, March 2004.
  8. Information is Beautiful. World’s Biggest Data Breaches & Hacks. https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/.
  9. Paolo Gasti and Kasper B. Rasmussen. On the Security of Password Manager Database Formats. In Sara Foresti, Moti Yung, and Fabio Martinelli, editors, Computer Security - ESORICS 2012, Lecture Notes in Computer Science, pages 770–787. Springer Berlin Heidelberg, 2012.
  10. Alexa Huth, Michael Orlando, and Linda Pesante. Password security, protection, and management. 2012.
  11. Ambarish Karole, Nitesh Saxena, and Nicolas Christin. A Comparative Usability Evaluation of Traditional Password Managers. In Kyung-Hyune Rhee and DaeHun Nyang, editors, Information Security and Cryptology - ICISC 2010, Lecture Notes in Computer Science, pages 233–251. Springer Berlin Heidelberg, 2011.
  12. Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song. The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers. pages 465–479, 2014.
  13. Colin Percival and Simon Josefsson. The scrypt password-based key derivation function. 2016.
  14. Steve Ragan. Thousands of gamers’ passwords easily cracked in 3 minutes. https://www.csoonline.com/article/3025628/ignore-the-worlds-worst-passwords-look-at-how-theyre-created-instead.html, January 2016.
  15. David Silver, Suman Jana, Dan Boneh, Eric Chen, and Collin Jackson. Password Managers: Attacks and Defenses. pages 449–464, 2014.
  16. Sergey Tulyakov, Faisal Farooq, Praveer Mansukhani, and Venu Govindaraju. Symmetric hash functions for secure fingerprint biometric systems. Pattern Recognition Letters, 28(16):2427–2436, December 2007.

Keywords

Password Manager, Key Derivation Functions, Hash Functions, Security, Master Password