phone manager. Also, technical people were more inclined towards the USB manager
than towards the online manager. These findings can generally be attributed to the fact
that the users were not comfortable handing control of their passwords to an online entity
and preferred to manage their passwords themselves on their own portable devices.
We note that the only prior work that directly relates to our study, to the best of our
knowledge, is by Chiasson et al. [12]. The study [12] evaluates two desktop managers,
PwdHash [9] and Password Multiplier [2], and points out underlying usability problems
with these two managers. Our study, on the other hand, aims at evaluating and
comparing three different types of traditional password management approaches, with
a particular focus on mobile users.
2 Background and Research Questions
In this section, we discuss the three password managers in more detail and compare
them based on their usability and security characteristics. This background information
will serve as a foundation to frame the research questions that we aim to answer
via our study, and to come up with the usability and security measures across which
the password managers will be compared. We provide a side-by-side comparison of an
online manager, a phone manager and a USB manager in Figure 1.
| Manager | Strong authentication | Trusted terminal | Third-party trust | Server-side modifications | Client-side modifications | Observation resistance | Automated or manual? | Master password | Portability | Fall-back |
|---|---|---|---|---|---|---|---|---|---|---|
| Online Manager | Optionally (if random) | Yes | Yes | No | Yes | No | Automated | Yes | Yes | If master password is lost |
| Phone Manager | Optionally (if random) | Yes | No | No | Optionally (for backup) | No | Manual | Yes | Yes | If phone is lost |
| USB Manager | Optionally (if random) | Yes | No | No | Optionally (for backup) | No | Automated | Yes | Yes | If USB drive is lost |

Fig. 1. Comparison of Password Management Methods
As discussed in Section 1, online password managers rely on remote third-party
servers for password storage. Portable managers, on the other hand, consist of a
credential listing kept on the user's own portable device, e.g., a mobile phone or a USB drive.
One example of software that falls into the category of online manager is LastPass
[7]. LastPass is a proprietary extension for the Mozilla Firefox web browser which
locally encrypts user credentials using 256-bit AES prior to transmitting them to
LastPass's data centers via SSL. Though its key generation algorithm is not described,
LastPass's encryption and decryption is protected by a master password which is never
transmitted beyond the local terminal. A similar online password management extension
for Firefox is Mozilla Weave Sync [8]. Weave is an open-source solution which
operates by encrypting browser data with asymmetric cryptography; this allows users
to share selected browser data with others if desired. Though each user's private key is
stored locally as well as on remote Weave servers, in both cases this key is encrypted
with a user-specified passphrase. As is the case with LastPass's master password, this
passphrase is used locally and is neither transmitted to nor stored on the remote server.
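To make the client-side encryption model described above concrete, the following is an added example in Go; it is not code from the paper, from LastPass or from Weave. Because the paper notes that LastPass's key generation is not described, the example assumes PBKDF2-HMAC-SHA256 with an assumed iteration count as the master-password key derivation, and assumes AES-256 in GCM mode for the "256-bit AES" step; the vault contents and the master password are constructed sample values. The property demonstrated is the one the paragraph makes: what the remote server stores is only ciphertext plus a public salt and nonce, decryption requires the master password on the local terminal, and a wrong password or a modified blob is rejected rather than silently decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// kdfIterations is an assumed work factor: the paper does not describe the
// real key generation, so PBKDF2-HMAC-SHA256 is a stand-in here.
const kdfIterations = 100_000

// pbkdf2SHA256 derives a 32-byte AES-256 key from a master password and a
// salt (PBKDF2-HMAC-SHA256 as in RFC 8018). The requested length equals the
// hash size, so only block index 1 is computed.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	var idx [4]byte
	binary.BigEndian.PutUint32(idx[:], 1) // INT(i) for block i = 1
	mac.Write(idx[:])
	u := mac.Sum(nil)               // U_1 = HMAC(password, salt || INT(1))
	t := append([]byte(nil), u...) // T starts as U_1
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u) // U_i = HMAC(password, U_{i-1})
		u = mac.Sum(nil)
		for j := range t { // T = U_1 xor U_2 xor ... xor U_c
			t[j] ^= u[j]
		}
	}
	return t
}

// Blob is everything the client uploads and therefore everything the server
// ever stores: no plaintext and no key derived from the master password.
type Blob struct {
	Salt       []byte // public; binds the derived key to this vault
	Nonce      []byte // AES-GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// EncryptVault runs on the local terminal: derive the key from the master
// password, encrypt the credential listing, hand back only the Blob.
func EncryptVault(masterPassword string, vault []byte) (Blob, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Blob{}, err
	}
	key := pbkdf2SHA256([]byte(masterPassword), salt, kdfIterations)
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return Blob{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Salt: salt, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, vault, nil)}, nil
}

// DecryptVault also runs on the local terminal. GCM's tag check means a wrong
// master password or a tampered blob fails loudly instead of yielding garbage.
func DecryptVault(masterPassword string, b Blob) ([]byte, error) {
	key := pbkdf2SHA256([]byte(masterPassword), b.Salt, kdfIterations)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("wrong master password or modified blob")
	}
	return pt, nil
}

// LeaksSecret reports whether a secret appears verbatim in what the server holds.
func LeaksSecret(b Blob, secret []byte) bool {
	return bytes.Contains(b.Ciphertext, secret)
}

func main() {
	// Constructed sample vault line (site, username, password); not real credentials.
	vault := []byte("example.org\tsalty.sue\tcorrect-horse-battery\n")
	blob, err := EncryptVault("m4ster-passphrase", vault)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stores %d salt + %d nonce + %d ciphertext bytes; secret visible: %v\n",
		len(blob.Salt), len(blob.Nonce), len(blob.Ciphertext),
		LeaksSecret(blob, []byte("correct-horse-battery")))
	if _, err := DecryptVault("wrong-passphrase", blob); err != nil {
		fmt.Println("wrong master password:", err)
	}
	pt, _ := DecryptVault("m4ster-passphrase", blob)
	fmt.Printf("decrypted on the local terminal: %q\n", pt)
}
```

Two caveats follow directly from the model. The server still learns the vault's size and when it changes, since only the contents are hidden. And because the server holds both salt and ciphertext, anyone who obtains the blob can run an offline guessing attack against the master password, so the strength of that password and the cost of the key derivation are what the "third-party trust" column of Figure 1 ultimately rests on.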