A Secure Password Manager

Abstract

The Internet has grown exponentially over the past decade, and as a consequence the amount of data generated is increasing day by day. Online services are growing, and to keep them personalised and organised, users create online accounts. Over the past few years, incidents of data breaches have surfaced on the Internet, and there are some which are not even public knowledge. Account passwords and personal information leaked from these data breaches are then misused or sold on the Internet. Cracking hashed passwords is not too difficult if the passwords are among commonly used ones. A Google / Harris Poll conducted in February 2019 concluded that 52% of people use the same password for multiple accounts. Hence, even if one of them is compromised, all of their accounts are consequently compromised. To solve this problem, password managers were introduced. A password manager uses a master password that is the key to an encrypted vault. This vault contains critical data and passwords to various accounts. It also generates secure passwords that ensure the security of one's accounts. The advantage that these password managers hold is that the user is required to remember just a single master password, instead of multiple passwords for different accounts. A single password can decrypt the encrypted vault, allowing the user to access the password required for a particular account. They typically operate in either an offline or an online manner. Both require the use of a master password to unlock the rest of the passwords. Both approaches suffer from their own set of problems. The offline version requires that the file containing the encrypted passwords be transported everywhere; syncing the same file across many devices requires additional effort from the user, and if the file is lost, so are the passwords.
The online version solves the sync and file-loss problems, but it adds the requirement of an active Internet connection, alongside the possibility of a security breach. Also, confidential and private data is stored at remote locations, which may produce a feeling of mistrust if the underlying architectural details of the algorithms used and the security of the servers are kept hidden from the users. Data breaches may even occur on these servers. Thus, we propose an offline password manager that does not store passwords anywhere. These passwords are not even stored on the device of the user, but are generated on the fly by the algorithm from the master password.
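The on-the-fly generation that the abstract proposes can be illustrated with a stateless derivation scheme: the master password is stretched into a key once, and each site's password is a deterministic function of that key, the site name and a rotation counter, so there is no vault to store, sync or lose. The Python below is an added example written for this page, not the paper's algorithm or code; its parameters (PBKDF2-HMAC-SHA256 with 600,000 iterations, the user identifier as salt, the `DOMAIN_TAG` label, the per-site counter and the 76-symbol alphabet) are this example's own assumptions, and the demo credentials are constructed.

```python
import hashlib
import hmac
import math
import string

# Parameters chosen for this example (assumptions, not values from the paper).
PBKDF2_ITERATIONS = 600_000          # work factor against offline guessing of the master password
MASTER_KEY_LEN = 32                  # bytes of stretched key
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"   # 76 symbols
DOMAIN_TAG = b"stateless-pm-example-v1"   # versioned label so a future scheme cannot collide


def derive_master_key(master_password: str, user_id: str,
                      iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a fixed-size key.

    The user identifier (e.g. an e-mail address) is mixed in as salt so that
    two users who pick the same master password still get different keys.
    """
    salt = DOMAIN_TAG + b"|" + user_id.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=MASTER_KEY_LEN)


def site_password(master_key: bytes, site: str, counter: int = 1,
                  length: int = 20, alphabet: str = ALPHABET) -> str:
    """Derive the password for one site; nothing is stored anywhere.

    HMAC-SHA256 keyed with the master key acts as a PRF over
    (site, counter, block index). The counter lets a user rotate one site's
    password without changing the master password. Bytes that would bias the
    modulo reduction are rejected so every symbol is equally likely.
    """
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    if len(alphabet) > 256 or len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must hold at most 256 distinct symbols")
    limit = 256 - (256 % len(alphabet))   # largest range with no modulo bias
    label = site.strip().lower()          # normalise so "Example.com " == "example.com"
    chars = []
    block = 0
    while len(chars) < length:
        msg = f"{label}\x00{counter}\x00{block}".encode("utf-8")
        for b in hmac.new(master_key, msg, hashlib.sha256).digest():
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
                if len(chars) == length:
                    break
        block += 1   # next PRF block if 32 bytes were not enough
    return "".join(chars)


def password_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly chosen password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    key = derive_master_key("correct horse battery staple", "alice@example.com")
    print(site_password(key, "example.com"))
    print(site_password(key, "example.com", counter=2))   # rotated password, same site
    print(f"{password_entropy_bits(20):.1f} bits of entropy for a 20-symbol password")
```

The design carries the trade-offs a practitioner should weigh before adopting a stateless scheme: the rotation counter and any per-site length or alphabet override are state the user must remember, since there is no vault to hold them; sites with their own password policies may reject a derived password; and because every site password is a pure function of the master password, a compromised master password exposes all of them and each must then be rotated by bumping its counter. The expensive PBKDF2 step runs once per session, so the per-site HMAC derivations stay cheap.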

Publication
In International Journal of Computer Applications
Chaitanya Rahalkar
Software Security Engineer

Software Security Engineer at Block Inc., specializing in cloud-native security and application security.
