DOI: 10.1145/3193111.3193113
Demonstration paper

Øpass: Zero-storage Password Management Based on Password Reminders

Published: 23 April 2018

Abstract

A plethora of Internet services and applications require user authentication. Although many alternatives have been proposed, and despite the significant advancement in attackers' capabilities to perform password cracking, the most attractive authentication technology today is still text-based passwords.
In recent years there has been a rapid increase in the number of web services a user accesses in everyday life. Most of these services (e.g., online shops, OSNs, chat clients, etc.) require their very own password, thus increasing the burden of password management on the user side. In this paper, we propose Øpass, a novel system that combines ideas from existing authentication methods to offer a user-friendly mechanism for securely maintaining accounts. Øpass works as a password manager, but it requires zero storage for the passwords: no password is ever stored, either on the user's device or in a third-party database.
We implement Øpass as an extension for the popular Google Chrome browser, and we evaluate it using the popular business-oriented social networking service LinkedIn. Early results from our performance tests show that Øpass, using a proactive strategy, achieves more than 2 orders of magnitude better performance than the current state-of-the-art authentication mechanism.


Published In

EuroSec'18: Proceedings of the 11th European Workshop on Systems Security
April 2018, 53 pages
ISBN: 9781450356527
DOI: 10.1145/3193111
Publisher: Association for Computing Machinery, New York, NY, United States

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Author Tags

  1. Password Management
  2. Password Reminders
  3. User Authentication

Qualifiers

  • Demonstration
  • Research
  • Refereed limited

Funding Sources

  • Marie Skłodowska-Curie Actions - European Commission

Conference

EuroSys '18: Thirteenth EuroSys Conference 2018
April 23 - 26, 2018, Porto, Portugal

Acceptance Rates

EuroSec'18 Paper Acceptance Rate: 8 of 19 submissions, 42%
Overall Acceptance Rate: 47 of 113 submissions, 42%