ShadowPWD: practical browser-based password manager with a security token

A password leak poses a serious risk to users, especially when the same password is used for different Web sites. The ideal solution is to set a unique password for each Web site, but managing these passwords is a heavy burden for users. Although several password managers have been produced, none of them is adequate. Considering both security and usability, we propose ShadowPWD, a Web browser-based password manager with the following contributions: 1) it provides an isolated password input environment that prevents passwords from being stolen by malicious application code; 2) it provides different passwords for different Web sites; 3) it uses a U-disk (USB flash drive) as a security token to further enhance security, which is inexpensive and convenient for users to carry. We evaluate the efficiency of ShadowPWD and show that it is practical because of its low overhead.