Design and Analysis of a Password Management System
Managing passwords is a significant problem for most people in the modern world. In this thesis, a password management system has been designed and implemented as an iOS application called PassCue. PassCue is based on the Shared Cues password management model, proposed by J. Blocki, M. Blum and A. Datta in Naturally Rehearsing Passwords. The design and implementation choices, as well as parameter evaluation, were important in order to create a usable and secure system. PassCue uses cues to share secrets across multiple accounts in order to achieve the competing usability and security goals.

PassCue provides higher security than many of the popular password management schemes without significant reduction in usability. The probability that an attacker will compromise an account in an online attack is 1.47656 × 10^(-16) for PassCue (9,4,3) and (43,4,1), and 3.69140 × 10^(-21) for PassCue (60,5,1). In an offline attack with no previous plaintext leaks, cracking the PassCue (9,4,3) and (43,4,1) password will take over 38 years and cost over $700,000. Cracking the PassCue (60,5,1) password would take over 1.5 million days and cost $2.84442 × 10^(10) using technology known today. PassCue (9,4,3) does not require the user to invest additional time in order to maintain the passwords in memory, but in PassCue (43,4,1) and PassCue (60,5,1) the user must perform 11 and 20 extra rehearsals respectively.

The PassCue design and implementation can easily be customized to support different usability and security needs. The PassCue application utilizes a low percentage of the CPU and memory of an iPhone 5, and uses less than 1% of the CPU and 5.9 MB of memory in idle state.