Toward a secure and usable cloud-based password manager for web browsers

Computers and Security

Volumn 46, Issue , 2014, Pages 32-47

  Zhao, Rui ^a   Yue, Chuan ^a  

^a University of Colorado at Colorado Springs   (United States)

Author keywords

Cloud; Password manager; Security; Storage; User authentication; Web browser

Indexed keywords

AUTHENTICATION; CLOUDS; ENERGY STORAGE; MANAGERS; USER EXPERIENCE; WEBSITES;

BUILT-IN FEATURE; CLOUD-BASED; EVALUATION RESULTS; PASSWORD MANAGERS; RATIONAL DESIGN; SECURITY; STRONG PASSWORD; USER AUTHENTICATION;

WEB BROWSERS;

EID: 84905241561     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2014.07.003     Document Type: Article

References (74)

1. 1Password., https://agilebits.com/onepassword.
2. A. Adams, and M.A. Sasse Users are not the enemy Commun ACM 42 12 1999 40 46
3. Advanced encryption standard (AES) 2001 NIST FIPS 197 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
4. Anti-Phishing Working Group, http://www.antiphishing.org.
5. A. Bessani, M. Correia, B. Quaresma, F. André, and P. Sousa Depsky: dependable and secure storage in a cloud-of-clouds Proceedings of The European Conference on Computer Systems (EuroSys) 2011
6. M. Bishop, and D.V. Klein Improving system security via proactive password checking Comput Secur 14 3 1995 233 249
7. J. Bonneau, C. Herley, P.C. van Oorschot, and F. Stajano The quest to replace passwords: a framework for comparative evaluation of web authentication schemes Proceedings of the IEEE Symposium on Security and Privacy 2012 553 567
8. P. Bowen, J. Hash, and M. Wilson Information security handbook: a guide for managers Special Publication 800-100 2007 NIST http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
9. K.D. Bowers, A. Juels, and A. Oprea Hail: a high-availability and integrity layer for cloud storage Proceedings of the ACM Conference on Computer and Communications Security (CCS) 2009 187 198
10. X. Boyen Halting password puzzles: hard-to-break encryption from human-memorable keys Proceedings of the USENIX Security Symposium 2007 119 134
11. C. Bravo-Lillo, L. Cranor, J. Downs, S. Komanduri, S. Schechter, and M. Sleeper Operating system framed in case of mistaken identity: measuring the success of web-based spoofing attacks on os password-entry dialogs Proceedings of the ACM Conference on Computer and Communications Security (CCS) 2012 365 377
12. W.E. Burr, D.F. Dodson, E.M. Newton, R.A. Perlner, W.T. Polk, and S. Gupta et al. Electronic authentication guideline Special Publication 800-63-1 2011 NIST http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf
13. R. Canetti, S. Halevi, and M. Steiner Mitigating dictionary attacks on password-protected local storage Proceedings of the Annual International Cryptology Conference (CRYPTO) 2006 160 179 (Pubitemid 44532115)
14. S. Chiasson, P.C. van Oorschot, and R. Biddle A usability study and critique of two password managers Proceedings of the USENIX Security Symposium 2006 1 16
15. L.S. Clair, L. Johansen, W. Enck, M. Pirretti, P. Traynor, and P. McDaniel et al. Password exhaustion: predicting the end of password usefulness Proceedings of the International Conference on information systems security 2006 37 55
16. M. Cova, C. Kruegel, and G. Vigna Detection and analysis of drive-by-download attacks and malicious javascript code Proceedings of the International Conference on World Wide Web (WWW) 2010 281 290
17. D. Davis, F. Monrose, and M.K. Reiter On user choice in graphical password schemes Proceedings of the USENIX Security Symposium 2004 151 164
18. Rachna Dhamija, J.D. Tygar, and Marti Hearst Why phishing works Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI) 2006 581 590 (Pubitemid 44032146)
19. M. Dworkin Recommendation for block cipher modes of operation: the CCM mode for authentication and confidentiality Special Publication 800-38C 2004 NIST http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
20. D.C. Feldmeier, and P.R. Karn Unix password security - ten years later Proceedings of the Annual International Cryptology Conference (CRYPTO) 1989 44 63
21. Firefox Sync Service, https://wiki.mozilla.org/Services/Sync.
22. D. Florêncio, and C. Herley A large-scale study of web password habits Proceedings of the International Conference on World Wide Web (WWW) 2007 657 666 (Pubitemid 47582295)
23. E. Grosse, and M. Upadhyay Authentication at scale IEEE Secur Priv 11 2013 15 22
24. J.A. Halderman, B. Waters, and E.W. Felten A convenient method for securely managing passwords Proceedings of the International Conference on World Wide Web (WWW) 2005 471 479
25. J.A. Halderman, S.D. Schoen, N. Heninger, W. Clarkson, W. Paul, and J.A. Calandrino et al. Lest we remember: cold boot attacks on encryption keys Proceedings of USENIX Security Symposium 2008
26. C. Herley, and S. Schechter Breaking our password hash habit - why the sharing of users' password choices for defensive analysis is an underprovisioned social good, and what we can do to encourage it Proceedings of the Workshop on the Economics of Information Security (WEIS) 2013
27. C. Herley, and P.C. van Oorschot A research agenda acknowledging the persistence of passwords IEEE Secur Priv 10 1 2012 28 36
28. C. Herley, P.C. van Oorschot, and A.S. Patrick Passwords: if we're so smart, why are we still using them? Proceedings of the Financial Cryptography 2009 230 237
29. F. Hsu, H. Chen, T. Ristenpart, J. Li, and Z. Su Back to the future: a framework for automatic malware removal and system repair Proceedings of the Annual Computer Security Applications Conference (ACSAC) 2006 257 268
30. M. Jakobsson, and S. Myers Phishing and countermeasures: understanding the increasing problem of electronic identity theft 2006 Wiley-Interscience 0-471-78245-9
31. B. Kaliski RFC 2898, PKCS5: password-based cryptography specification version 2.0 1999 http://www.ietf.org/rfc/rfc2898.txt
32. P.G. Kelley, S. Komanduri, M.L. Mazurek, R. Shay, T. Vidas, and L. Bauer et al. Guess again (and again and again): measuring password strength by simulating password-cracking algorithms Proceedings of the IEEE Symposium on Security and Privacy 2012 523 537
33. S. Komanduri, R. Shay, P.G. Kelley, M.L. Mazurek, L. Bauer, and N. Christin et al. Of passwords and people: measuring the effect of password-composition policies Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI) 2011 2595 2604
34. D.P. Kormann, and A.D. Rubin Risks of the passport single signon protocol Comput Netw 33 1-6 2000 51 58
35. LastPass Password Manager, https://lastpass.com/.
36. B. Laurie, Nigori: storing secrets in the cloud, http://www.links.org/files/nigori-overview.pdf.
37. Likert scale, http://en.wikipedia.org/wiki/Likert-scale.
38. M.T. Louw, J.S. Lim, and V.N. Venkatakrishnan Enhancing web browser security against malware extensions J Comput Virology 4 3 2008 179 195
39. L. Lu, V. Yegneswaran, P. Porras, and W. Lee Blade: an attack-agnostic approach for preventing drive-by malware infections Proceedings of the ACM Conference on Computer and Communications Security (CCS) 2010
40. P. Mahajan, S. Setty, S. Lee, A. Clement, L. Alvisi, M. Dahlin, and M. Walfish Depot: cloud storage with minimal trust ACM Trans Comput Syst 29 4 2011
41. R. Morris, and K. Thompson Password security: a case history Commun ACM 22 11 1979 594 597
42. A. Moshchuk, T. Bragin, S.D. Gribble, and H.M. Levy A crawler-based study of spyware in the web Proceedings of the Annual Network & Distributed System Security Symposium (NDSS) 2006
43. NIST: Secure hashing, http://csrc.nist.gov/groups/ST/toolkit/secure-hashing.html.
44. OpenID Authentication 2.0-Final, http://openid.net/specs/openid-authentication-2-0.html.
45. R.A. Popa, J. Lorch, D. Molnar, H.J. Wang, and L. Zhuang Enabling security in cloud storage slas with cloudproof Proceedings of the USENIX Annual Technical Conference 2011
46. N. Provos, P. Mavrommatis, M.A. Rajab, and F. Monrose All your iframes point to us Proceedings of the USENIX Security Symposium 2008
47. RoboForm Password Manager, http://www.roboform.com/.
48. B. Ross, C. Jackson, N. Miyake, D. Boneh, and J.C. Mitchell Stronger password authentication using browser extensions Proceedings of the USENIX Security Symposium 2005 17 32
49. A. Shamir How to share a secret Commun ACM 22 11 1979 612 613
50. SQLite Home Page, http://www.sqlite.org.
51. W. Stallings Cryptography and network security: principles and practice 6th ed. 2013 Prentice Hall Press
52. E. Stark, M. Hamburg, and D. Boneh Symmetric cryptography in javascript Proceedings of the Annual Computer Security Applications Conference (ACSAC) 2009 373 381
53. B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, and R.A. Kemmerer et al. Your botnet is my botnet: analysis of a botnet takeover Proceedings of the ACM Conference on Computer and Communications Security (CCS) 2009 635 647
54. S.-T. Sun, and K. Beznosov The devil is in the (implementation) details: an empirical analysis of oauth sso systems Proceedings of the ACM Conference on Computer and Communications Security (CCS) 2012
55. S.-T. Sun, Y. Boshmaf, K. Hawkey, and K. Beznosov A billion keys, but few locks: the crisis of web single sign-on Proceedings of the New security Paradigms Workshop (NSPW) 2010 61 72
56. The OAuth 2.0 Authorization Framework, http://tools.ietf.org/html/rfc6749.
57. J. Thorpe, and P.C. van Oorschot Towards secure design choices for implementing graphical passwords Proceedings of the Annual Computer Security Applications Conference (ACSAC) 2004 50 60 (Pubitemid 40931063)
58. J. Thorpe, and P. van Oorschot Human-seeded attacks and exploiting hot-spots in graphical passwords Proceedings of the USENIX Security Symposium 2007 103 118
59. Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, and S. Chen et al. Automated web patrol with strider honeymonkeys: finding web sites that exploit browser vulnerabilities Proceedings of the Annual Network & Distributed System Security Symposium (NDSS) 2006
60. C. Wang, Q. Wang, K. Ren, N. Cao, and W. Lou Toward secure and dependable storage services in cloud computing IEEE Trans Serv Comput. 5 2 2012 220 232
61. R. Wang, S. Chen, and X. Wang Signing me onto your accounts through facebook and google: a traffic-guided security study of commercially deployed single-sign-on web services Proceedings of the IEEE Symposium on Security and Privacy 2012
62. A. Whitten, and J.D. Tygar Why Johnny can't encrypt: a usability evaluation of PGP 5.0 Proceedings of the USENIX Security Symposium 1999
63. Windows Azure Storage Team Windows azure storage: a highly available cloud storage service with strong consistency Proceedings of the ACM Symposium on Operating Systems Principles (SOSP) 2011
64. Windows CryptProtectData function, http://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx.
65. Windows CryptUnprotectData function, http://msdn.microsoft.com/en-us/library/windows/desktop/aa380882(v=vs.85).aspx.
66. T. Wu The secure remote password protocol Proceedings of the Annual Network & Distributed System Security Symposium (NDSS) 1998
67. M. Wu, R.C. Miller, and G. Little Web wallet: preventing phishing attacks by revealing user intentions Proceedings of the Symposium on Usable Privacy and Security (SOUPS) 2006 102 113 (Pubitemid 46966973)
68. XPCOM: Cross platform component object model, https://developer.mozilla.org/en/XPCOM.
69. J.J. Yan A note on proactive password checking Proceedings of the New security Paradigms Workshop (NSPW) 2001 127 135
70. J. Yan, A. Blackwell, R. Anderson, and A. Grant Password memorability and security: empirical results IEEE Secur Priv 2 5 2004 25 31 (Pubitemid 40168623)
71. K.-P. Yee, and K. Sitaker Passpet: convenient password management and phishing protection Proceedings of the Symposium on Usable Privacy and Security (SOUPS) 2006 32 43 (Pubitemid 46966967)
72. C. Yue The devil is phishing: rethinking web single sign-on systems security Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) 2013
73. R. Zhao, and C. Yue All your browser-saved passwords could belong to us: a security analysis and a cloud-based new design Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY) 2013
74. R. Zhao, C. Yue, and K. Sun Vulnerability and risk analysis of two commercial browser and cloud based password managers ASE Sci J 1 4 2013 1 15