Kamouflage: Loss-Resistant Password Management

We introduce Kamouflage: a new architecture for building theft-resistant password managers. An attacker who steals a laptop or cell phone with a Kamouflage-based password manager is forced to carry out a considerable amount of online work before obtaining any user credentials. We implemented our proposal as a replacement for the built-in Firefox password manager, and provide performance measurements and the results from experiments with large real-world password sets to evaluate the feasibility and effectiveness of our approach. Kamouflage is well suited to become a standard architecture for password managers on mobile devices.
