Password Policy Markup Language

Password-based authentication is the most widely used authentication scheme for granting access to user accounts on the Internet. Despite this, there exists no standard implementation of passwords by services. They have different password requirements as well as interfaces and procedures for login, password change, and password reset. This situation is very challenging for users and often leads to the choice of weak passwords and prevents security-conscious behavior. Furthermore, it prevents the development of applications that provide fully fledged assistance for users in securely generating and managing passwords. In this paper, we present a solution that bridges the gap between the different password implementations on the service side and applications assisting users with their passwords on the client side. First, we introduce the Password Policy Markup Language (PPML). It enables a uniformly specified Password Policy Description (PPD) for a service. A PPD describes the password requirements as well as the password interfaces and procedures of a service and can be processed by applications. It enables applications to automatically (1) generate passwords in accordance with the password requirements of a service, (2) perform logins, (3) change passwords, and (4) reset passwords. Second, we present a prototypical password manager which uses PPDs and is capable of generating and completely managing passwords on behalf of users.
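The core idea of point (1), generating a password from a machine-readable policy, as an added illustration that is not code from the paper: the policy shape below (length bounds, per-class minimum counts, forbidden characters) is a constructed stand-in, not the PPML schema, and `generate` enforces it by reserving the required characters of each class before filling the rest from the allowed alphabet.

```python
import secrets
import string

# Constructed policy with an assumed shape (not the paper's PPML schema):
# each character class has an alphabet and a minimum count; length is bounded.
EXAMPLE_POLICY = {
    "min_length": 12,
    "max_length": 16,
    "classes": {
        "lower": {"chars": string.ascii_lowercase, "min": 1},
        "upper": {"chars": string.ascii_uppercase, "min": 1},
        "digit": {"chars": string.digits, "min": 2},
        "special": {"chars": "!$%&?", "min": 1},
    },
    "forbidden": " \"'\\",
}

def allowed_alphabet(policy):
    """Union of all class alphabets minus the forbidden characters."""
    chars = "".join(c["chars"] for c in policy["classes"].values())
    return "".join(sorted(set(chars) - set(policy["forbidden"])))

def satisfies(policy, password):
    """Check a password against the policy; returns (ok, reason)."""
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        return False, "length"
    if any(c in policy["forbidden"] for c in password):
        return False, "forbidden character"
    if any(c not in allowed_alphabet(policy) for c in password):
        return False, "character outside allowed classes"
    for name, cls in policy["classes"].items():
        if sum(ch in cls["chars"] for ch in password) < cls["min"]:
            return False, f"too few {name}"
    return True, "ok"

def generate(policy, length=None):
    """Generate a password of the given length that satisfies the policy."""
    rng = secrets.SystemRandom()          # CSPRNG-backed random source
    length = length or policy["max_length"]
    required = sum(c["min"] for c in policy["classes"].values())
    if required > length or not policy["min_length"] <= length <= policy["max_length"]:
        raise ValueError("policy cannot be satisfied at this length")
    alphabet = allowed_alphabet(policy)
    chars = []
    for cls in policy["classes"].values():   # reserve each class's minimum first
        pool = [c for c in cls["chars"] if c in alphabet]
        if not pool:
            raise ValueError("a required class has no allowed characters")
        chars.extend(rng.choice(pool) for _ in range(cls["min"]))
    chars.extend(rng.choice(alphabet) for _ in range(length - len(chars)))
    rng.shuffle(chars)                        # hide which positions were reserved
    return "".join(chars)
```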
