Tapas: design, implementation, and usability evaluation of a password manager

Passwords continue to prevail on the web as the primary method for user authentication despite their well-known security and usability drawbacks. Password managers offer some improvement without requiring server-side changes. In this paper, we evaluate the security of dual-possession authentication, an authentication approach offering encrypted storage of passwords and theft-resistance without the use of a master password. We further introduce Tapas, a concrete implementation of dual-possession authentication leveraging a desktop computer and a smartphone. Tapas requires no server-side changes to websites, no master password, and protects all the stored passwords in the event either the primary or secondary device (e.g., computer or phone) is stolen. To evaluate the viability of Tapas as an alternative to traditional password managers, we perform a 30 participant user study comparing Tapas to two configurations of Firefox's built-in password manager. We found users significantly preferred Tapas. We then improve Tapas by incorporating feedback from this study, and reevaluate it with an additional 10 participants.

[1]  Brent Waters,et al.  A convenient method for securely managing passwords , 2005, WWW '05.

[2]  Dan Boneh,et al.  Stronger Password Authentication Using Browser Extensions , 2005, USENIX Security Symposium.

[3]  Edward W. Felten,et al.  Password management strategies for online accounts , 2006, SOUPS '06.

[4]  Ka-Ping Yee,et al.  Passpet: convenient password management and phishing protection , 2006, SOUPS '06.

[5]  Robert Biddle,et al.  A Usability Study and Critique of Two Password Managers , 2006, USENIX Security Symposium.

[6]  Adrian Perrig,et al.  Phoolproof Phishing Prevention , 2006, Financial Cryptography.

[7]  Xavier Boyen,et al.  Halting Password Puzzles: Hard-to-break Encryption from Human-memorable Keys , 2007, USENIX Security Symposium.

[8]  Paul C. van Oorschot,et al.  Digital Objects as Passwords , 2008, HotSec.

[9]  Cormac Herley,et al.  So long, and no thanks for the externalities: the rational rejection of security advice by users , 2009, NSPW '09.

[10]  Nitesh Saxena,et al.  Authentication technologies for the blind or visually impaired , 2009 .

[11]  Dan Boneh,et al.  Kamouflage: Loss-Resistant Password Management , 2010, ESORICS.

[12]  Nitesh Saxena,et al.  On pairing constrained wireless devices based on secrecy of auxiliary channels: the case of acoustic eavesdropping , 2010, CCS '10.

[13]  Nicolas Christin,et al.  A Comparative Usability Evaluation of Traditional Password Managers , 2010, ICISC.

[14]  Frank Stajano Pico: No More Passwords! , 2011, Security Protocols Workshop.

[15]  Kemal Bicakci,et al.  Johnny in internet café: user study and exploration of password autocomplete in web browsers , 2011, DIM '11.

[16]  Robert Biddle,et al.  Graphical passwords: Learning from the first twelve years , 2012, CSUR.

[17]  Frank Stajano,et al.  The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes , 2012, 2012 IEEE Symposium on Security and Privacy.

[18]  Paul C. van Oorschot,et al.  A Research Agenda Acknowledging the Persistence of Passwords , 2012, IEEE Security & Privacy.

[19]  Joseph Bonneau,et al.  The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.