IJMSC Vol. 10, No. 4, 8 Dec. 2024
Keywords: Password, Password manager, Authentication, Automation
This paper introduces SecretCentric, an automated hardware-based password management system that addresses the long-criticized weaknesses of password authentication, still the most widely used authentication method. Password management is central to users' digital security and privacy; its key tasks are password generation, storage, renewal and reuse mitigation. Although many password managers and related solutions address these tasks, automating password management end to end has not been thoroughly explored. This study aims to remove the burden of manual password management from users by automating the entire process. A survey of users provided insights into how they perceive password management and which malpractices are common, and SecretCentric was designed to balance security and usability in line with the expectations identified. Preliminary evaluations indicate that SecretCentric offers significant improvements over existing options, underlining the need for an automated solution that balances security and usability as the number of online services keeps growing. The system's success shows that the answer lies in managing passwords properly rather than replacing them, contributing to research in user authentication and credential management.
Prageeth Fernando, Navinda Dissanayake, Venusha Dushmantha, Chamara Liyanage, Chamila Karunatilake, "An Automated Solution for Secure Password Management", International Journal of Mathematical Sciences and Computing (IJMSC), Vol. 10, No. 4, pp. 21-33, 2024. DOI: 10.5815/ijmsc.2024.04.03
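The abstract names four lifecycle tasks that an automated manager must take off the user's hands: generation, storage, renewal and reuse mitigation. The following Python is an added illustration of how those four tasks fit together in one small in-memory vault; it is not SecretCentric's design or code, and its policy values (20-character passwords, a 90-day renewal age, scrypt parameters) are assumptions chosen for the example. Passwords are generated from a CSPRNG, stored encrypted under a per-entry key derived from the master secret, reuse is detected through a keyed fingerprint so the vault never has to compare plaintexts, and stale entries are found and rotated automatically.

```python
import hashlib
import hmac
import os
import secrets
import string
import time

# Constructed illustration of the four lifecycle tasks named in the abstract.
# NOT the paper's system; the policy constants below are assumptions.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
MAX_AGE_SECONDS = 90 * 24 * 3600  # assumed renewal policy


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from a CSPRNG, containing at least one
    character from each class (rejection sampling keeps it uniform over
    the accepted set)."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    for cls in CLASSES:
        if not set(cls) & set(alphabet):
            raise ValueError("alphabet lacks a required character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


class Vault:
    """In-memory vault keyed by a master secret. Each entry is XORed with a
    one-time pad derived by scrypt from the master secret and a fresh
    16-byte salt, then authenticated with HMAC (encrypt-then-MAC). A real
    product would use an AEAD such as AES-GCM; stdlib-only here on purpose.
    A keyed fingerprint of each password allows reuse detection without
    keeping plaintext around."""

    def __init__(self, master_secret: bytes, now=time.time):
        self._master = master_secret
        self._now = now  # injectable clock so renewal policy can be tested
        self._entries = {}  # site -> {salt, ct, tag, fp, created}

    def _fingerprint(self, password: str) -> bytes:
        return hmac.new(self._master, password.encode(), hashlib.sha256).digest()

    def _pad(self, salt: bytes, n: int) -> bytes:
        # 16 MiB work factor; unique per salt, so the pad is never reused
        return hashlib.scrypt(self._master, salt=salt, n=2**14, r=8, p=1, dklen=n)

    def _tag(self, salt: bytes, ct: bytes) -> bytes:
        return hmac.new(self._master, salt + ct, hashlib.sha256).digest()

    def store(self, site: str, password: str) -> None:
        data = password.encode()
        if not data:
            raise ValueError("empty password")
        salt = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, self._pad(salt, len(data))))
        self._entries[site] = {
            "salt": salt, "ct": ct, "tag": self._tag(salt, ct),
            "fp": self._fingerprint(password), "created": self._now(),
        }

    def retrieve(self, site: str) -> str:
        e = self._entries[site]
        if not hmac.compare_digest(e["tag"], self._tag(e["salt"], e["ct"])):
            raise ValueError("vault entry failed authentication")
        pad = self._pad(e["salt"], len(e["ct"]))
        return bytes(a ^ b for a, b in zip(e["ct"], pad)).decode()

    def reused_sites(self, password: str) -> list:
        """Sites whose stored password equals the given one (reuse check)."""
        fp = self._fingerprint(password)
        return sorted(s for s, e in self._entries.items() if hmac.compare_digest(e["fp"], fp))

    def due_for_renewal(self, max_age: float = MAX_AGE_SECONDS) -> list:
        now = self._now()
        return sorted(s for s, e in self._entries.items() if now - e["created"] > max_age)

    def rotate(self, site: str) -> str:
        """Renew one entry with a fresh password that is not used elsewhere."""
        new_pw = generate_password()
        while self.reused_sites(new_pw):  # practically never, but cheap to check
            new_pw = generate_password()
        self.store(site, new_pw)
        return new_pw


if __name__ == "__main__":
    v = Vault(os.urandom(32))
    v.store("mail.example", generate_password())
    v.store("shop.example", v.retrieve("mail.example"))  # deliberate reuse
    print("reused at:", v.reused_sites(v.retrieve("mail.example")))
    for site in v.due_for_renewal(max_age=0):  # force renewal of everything
        v.rotate(site)
    print("reused after rotation:", v.reused_sites(v.retrieve("mail.example")))
```

The point of the keyed fingerprint is that reuse across sites can be flagged (and fixed by `rotate`) without ever decrypting entries to compare them; the point of the injectable clock is that a renewal policy is only trustworthy if it can be tested deterministically.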