Password meters and generators on the web: From large-scale empirical study to getting it right
Paper i proceeding, 2015

Copyright © 2015 ACM. Web services heavily rely on passwords for user authentication. To help users chose stronger passwords, password meter and password generator facilities are becoming increasingly popular. Password meters estimate the strength of passwords provided by users. Password generators help users with generating stronger passwords. This paper turns the spotlight on the state of the art of password meters and generators on the web. Orthogonal to the large body of work on password metrics, we focus on getting password meters and generators right in the web setting. We report on the state of affairs via a large-scale empirical study of web password meters and generators. Our findings reveal pervasive trust to third-party code to have access to the passwords. We uncover three cases when this trust is abused to leak the passwords to third parties. Furthermore, we discover that often the passwords are sent out to the network, invisibly to users, and sometimes in clear. To improve the state of the art, we propose SandPass, a general web framework that allows secure and modular porting of password meter and generation modules. We demonstrate the usefulness of the framework by a reference implementation and a case study with a password meter by the Swedish Post and Telecommunication Agency.

Web security

Sandboxing

Passwords

Författare

Steven Van Acker

KU Leuven

Daniel Hausknecht

Chalmers, Data- och informationsteknik, Programvaruteknik

W. Joosen

KU Leuven

Andrei Sabelfeld

Chalmers, Data- och informationsteknik, Programvaruteknik

CODASPY 2015 - Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

253-262
978-1-4503-3191-3 (ISBN)

Ämneskategorier

Programvaruteknik

DOI

10.1145/2699026.2699118

ISBN

978-1-4503-3191-3

Mer information

Senast uppdaterat

2018-05-29