Human Computable Passwords - Design and Analysis.
Password management is a major issue in the Internet-centric world. This project presents the human computable password management scheme by Blocki et al., which makes it possible for human users to calculate passwords from publicly available challenges. The scheme is evaluated in terms of usability, and the parameters affecting it are discussed. Two applications are designed and implemented, one as a Google Chrome browser extension, and one as a web application. The Chrome extension implements the scheme, utilizing the strengths of browser extensions with accompanying APIs. It handles challenge generation, management and storage, using the Google account of the user to keep the data persistently synced. Smart functionality provided by the Chrome extension framework makes it possible to monitor the sites users visit, allowing the application to display the correct challenges without user interaction. The second application is a web application built as an experiment and demonstration site. It demonstrates the scheme and allows users to learn the scheme by trial and error, then asks them to calculate challenges while recording calculation times and failure rates. The gathered data is analyzed using an exploratory approach, trying to find interesting characteristics related to usability. The experiment gave indications that the scheme might suffer from high failure rates, limiting usability for some users. The failure rate was measured to be $0.0585$, meaning approximately one out of every 17 calculations was wrong. A measure to limit the consequences of this observation is suggested: categorizing the accounts and using passwords of different lengths for different accounts. Both applications were designed to investigate if the scheme could be implemented in a usable way, and if so, provide strong enough security to justify the efforts required of the users. The Chrome extension lowers the threshold for using the scheme, solving problems related to challenge management and presentation.
The conclusion from the experiment was that failure rates are indeed an important usability factor which should be investigated more thoroughly, as they may limit the scheme severely.